IPv6 security

[RMerlin]

I'll need a volunteer or two who has an IPv6 native connection (preferably DHCP or 6rd) to test something for me:

 

[Ka Hooli]

I'll need a volunteer or two who has an IPv6 native connection (preferably DHCP or 6rd) to test something for me:

I know my ISP provides IPv6 and IPv4 IP addressing, but I only have IPv4 set up as I don't understand IPv6 as much as I'd like to.

If I'd understood it more, I'd be willing to help. Do you know any good websites that could teach me what I'd need to know?

Unfortunately I don't know the difference between DHCP-PD (educated guess, IPv6 address assigned by DHCP server), Tunnel 6to4, Tunnel 6in4 & Tunnel 6rd.

 

[TeHashX]

Build from latest sources and open 3389 & 43962 ports but not accessible from wan, I have Native with DHCP-PD IPV6 connection.

 

[ryzhov_al]

Is router rebooted after applying new f\w rules? I found it's different before and after reboot.

Build from latest sources and open 3389 & 43962 ports but not accessible from wan, I have Native with DHCP-PD IPV6 connection.

Please, do reboot and publish ip6tables-save output.

 

[TeHashX]

Here you go

admin@RT-AC66U:/tmp/home/root# ip6tables-save
# Generated by ip6tables-save v1.3.8 on Tue Aug 6 15:36:06 2013
*mangle
REROUTING ACCEPT [55301:28672476]
:INPUT ACCEPT [1646:196036]
:FORWARD ACCEPT [50515:28002748]
:OUTPUT ACCEPT [1796:209294]
OSTROUTING ACCEPT [53359:28364718]
COMMIT
# Completed on Tue Aug 6 15:36:06 2013
# Generated by ip6tables-save v1.3.8 on Tue Aug 6 15:36:06 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1790:208818]
Controls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -o ppp0 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A FORWARD -d 2a02:2f09:3220:b700:ed7f:e45c:3aab:558/128 -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 2a02:2f09:3220:b700:ed7f:e45c:3aab:558/128 -p tcp -m state --state NEW -m tcp --dport 43962 -j ACCEPT
-A FORWARD -d 2a02:2f09:3220:b700:ed7f:e45c:3aab:558/128 -p udp -m state --state NEW -m udp --dport 43962 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Tue Aug 6 15:36:06 2013
admin@RT-AC66U:/tmp/home/root#

 

[FLA NL]

I'll need a volunteer or two who has an IPv6 native connection (preferably DHCP or 6rd) to test something for me:

That looks promising

I'm now testing how stable the rt-ac66u is with the .374_130 release. Maybe later this week I can help. I've no experience in compiling the firmware so if you can do that and give me the firmware so I can test it (maybe dropbox?) .

My setup is Internet<-->Modem<-->rt-ac66u<-->subnet.

The modem is also acting as ipv6 dhcp server and has its own ipv6 firewall. I think I should be able to hook in on my modem and see if ports are forwarded to the subnet of the router.

I don't have much experience with Ipv6. I managed to configure it in this setup. I wanted to use static ipv6 configuration but couldn't get that working.

 

[RMerlin]

Here you go

Did you use the temporary IPv6 address or the regular one from your computer?

Also make sure it's not your computer firewalling the IPv6 interface. Just to be sure, temporarily disable any firewall on the target computer. Another way to test that theory is to disable the IPv6 firewall on the router, and test again. If you still can't reach the port, then it's something else blocking it.

This is the website I use here for testing rules:

http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

 

[RMerlin]

I'll try to post test builds either tonight or tomorrow night so you guys can test it as well.

 

[TeHashX]

Did you use the temporary IPv6 address or the regular one from your computer?

It's temporary from dhcp, win7, every pc reboot is changing
Would be nice if we have dhcp reservation like for ipv4.
What do you mean regular one?

Also make sure it's not your computer firewalling the IPv6 interface. Just to be sure, temporarily disable any firewall on the target computer.

Only windows firewall, disabled and the same.

Another way to test that theory is to disable the IPv6 firewall on the router, and test again. If you still can't reach the port, then it's something else blocking it.

Disabled, the same, I don't have upnp enabled on router.

This is the website I use here for testing rules:
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

Tested with http://www.canyouseeme.org/ too.

I wait feedback from other users.

 

[RMerlin]

It's temporary from dhcp, win7, every pc reboot is changing
Would be nice if we have dhcp reservation like for ipv4.
What do you mean regular one?

LAN devices don't get their IPv6 through DHCP but they get it through Router Advertisement, provided by radvd on your router.

Each device usually gets two IPv6:

- One is a "temporary" IP that will change regularily. This is what's referred to as "Privacy Extensions". It is usually used for outgoing client connections, so that way it makes it difficult for remote servers to track you down by your IP

- One is a more permanent IP, usually derived from your MAC address. This is the IP you will want to use for any server type of service, as it should never change.

Make sure that the IPv6 you provide in the firewall rule is the IPv6 from your PC, not from your router or Internet connection. You can retrieve it under Win7 by using the "ipconfig" command.

 

[TeHashX]

I guess ipv6 address is the permanent one and Link-local is temporary, tried both and not working

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2a02:2f09:3020:6100:ed7f:e45c:3aab:558
Link-local IPv6 Address . . . . . : fe80::ed7f:e45c:3aab:558%12
IPv4 Address. . . . . . . . . . . : 192.168.1.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::5246:5dff:fe5e:1b60%12

 

[RMerlin]

I guess ipv6 address is the permanent one and Link-local is temporary, tried both and not working

No, link-local is a LAN-only IP. Kinda similar to the 169.xxx.xxx.xxx autoconfig IPs.

Looks like you don't have Privacy Extension enabled, so you only have one main IP. The temporary IP is clearly labeled as such:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lostrealm.lan
   IPv6 Address. . . . . . . . . . . : 2001:444:44:444:4441:444:555:444
   Temporary IPv6 Address. . . . . . : 2001:444:44:4e4:5555:cccc:4444:cccc
   Link-local IPv6 Address . . . . . : fe80::4001:abd4:511b:49c7%17
   IPv4 Address. . . . . . . . . . . : 192.168.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Can you access RDP if you disable the IPv6 firewall on the router? If not, then something else is blocking access.

 

[TeHashX]

Can access RDP only if I open port 3389 in virtual server (ipv4)

 

[RMerlin]

Can access RDP only if I open port 3389 in virtual server (ipv4)

Then the problem is unrelated to my IPv6 firewall implementation.

Maybe something to do with either your modem or how your ISP provisions IPv6. I find it odd already that you don't get a temporary IP allocated.

 

[TeHashX]

Then the problem is unrelated to my IPv6 firewall implementation.

Maybe something to do with either your modem or how your ISP provisions IPv6. I find it odd already that you don't get a temporary IP allocated.

Ok, we have to wait other users feedback.

Sent from my HTC One S using Tapatalk 4

 

[RMerlin]

I uploaded test builds to Mediafire (in the Beta directories).

If you have an IPv6 connection then please gives this a try. Make sure you mention your router model, your ISP, and the type of IPv6 connection you are using (6in4, 6rd, DHCP, etc...) when reporting both success or failures in this thread.

 

[RogerSC]

I'm finding that your new firewall is working fine for basic routing and wireless use. I've used the internet IPv6 port scanners (3 different ones, including http://netalyzr.icsi.berkeley.edu/), and the results indicate that there's a firewall for IPv6, plus everything on my home network is working as it should.

So things look good here for me. I'll just keep using the beta firmware until you get to an "official" release.

Oh yes, I have an rt-n66u, and I'm on Comcast, so I use "DHCP-PD" type IPv6 connections.

Thanks very much for doing this. I'd love to see Asus do this for the rt-n56u, too.

 

[fr33z0n3r]

I'll try to post test builds either tonight or tomorrow night so you guys can test it as well.

I have a HE tunnel and I'd need to set it up again. Will this firewall protect that (6to4?) tunnel? Just not sure how the tunnels and firewall interplay....

A lack of firewall is the one reason I've disabled and avoided ipv6 in the past few years.

 

[RMerlin]

I have a HE tunnel and I'd need to set it up again. Will this firewall protect that (6to4?) tunnel? Just not sure how the tunnels and firewall interplay....

A lack of firewall is the one reason I've disabled and avoided ipv6 in the past few years.

HE is 6in4. It will work fine with it, that's how I tested it myself.

 

[RMerlin]

I'm finding that your new firewall is working fine for basic routing and wireless use. I've used the internet IPv6 port scanners (3 different ones, including http://netalyzr.icsi.berkeley.edu/), and the results indicate that there's a firewall for IPv6, plus everything on my home network is working as it should.

So things look good here for me. I'll just keep using the beta firmware until you get to an "official" release.

Oh yes, I have an rt-n66u, and I'm on Comcast, so I use "DHCP-PD" type IPv6 connections.

Thanks very much for doing this. I'd love to see Asus do this for the rt-n56u, too.

Can you test if opening a port also works? If you have any Professional version of Windows for instance, make sure Remote Desktop is enabled, check what the IPv6 is for that PC, and try opening port 3389 for that IPv6. Then, use an online port scanner and see if port 3389 is open.

IPv6 firewalling is (IMHO) a major issue with Asuswrt. Once I know this works well, I will probably try to convince Asus into implementing it in Asuswrt, since right now IPv6 offers zero security in the stock firmware.