SixXS::Sunset 2017-06-06

Firewall for IPv6 traffic
[no] Shadow Hawkins on Wednesday, 18 April 2007 19:09:50
Greetings my fellow SixXS-users! Does anyone know of a firewall designed for - or able to support - IPv6 yet? For Windows I can't find any other than the MS netsh tool, which really isn't that easy to use. For Linux you have the ip6tables tool, and some simple old scripts based on stateless filtering. Does anyone know of a firewall like Shoreline Firewall (shorewall) or such, with IPv6 support? Any scripts for stateful filtering? -SB
Firewall for IPv6 traffic
[nl] Shadow Hawkins on Saturday, 04 April 2009 11:54:57
Another IPv6 enabled hardware firewall is a FortiGate. I've got this device running as my perimeter firewall. It's capable of rudimentary IPv6 firewalling and thus far runs my SixXS tunnel without any problems. Has been for three months now without downtime.
Firewall for IPv6 traffic
[no] Shadow Hawkins on Saturday, 26 September 2009 04:47:20
Hi there Stig, The new firewall from Microsoft is IPv6 enabled. It is still in beta 3, but already it's being used by many in production. Google for "TMG Forefront beta 3", and you can get a trial for 180 days. As soon as it's out of beta, it will be available on Technet. Have a nice day, Ketil
Firewall for IPv6 traffic
[au] Carmen Sandiego on Monday, 11 January 2010 21:52:58
One of the main reasons I wanted to try out IPv6 was to test my firewall. I have been writing different scripts using bash/perl to set up the Linux iptables firewall. Once you learn how it works you will never use a pre-made script again. Making and refining your own iptables firewall is too much fun!
Firewall for IPv6 traffic
[au] Shadow Hawkins on Wednesday, 02 June 2010 11:41:42
Hi folks, there is a UTM (firewall) free to home users with a 50-IP licence from Astaro that supports IPv6. For those that want to try it out you can build your own with regularly updated software or buy a complete hardware/software solution. www.astaro.com Their forum is at www.astaro.org Ian M
Firewall for IPv6 traffic
[nl] Shadow Hawkins on Sunday, 25 July 2010 21:53:45
I am running a Cisco ASA 5505 with software version 8.3. ASDM and CLI are working. But I am missing a lot of IPv6 features, like IPv6 routing protocols. The only thing that I have tested so far are IPv6 ACLs. Other 'advanced' VPN functions only work with IPv4. Next project is to set up CBAC in my C871 (my tunnel end point).
Firewall for IPv6 traffic
[de] Shadow Hawkins on Monday, 30 April 2007 13:54:57
Hi Stig, I found a shorewall-like project called 6wall: http://leaf-project.org/doc/bk10pt01ar01.html But it doesn't look ready to use, especially stateful filtering seems not to be supported due to the current lack of connection tracking ... Regards, TK
Firewall for IPv6 traffic
[ie] Shadow Hawkins on Thursday, 10 May 2007 18:01:03
On Windows, the latest release of McAfee Personal Firewall Plus has IPv6 support. Regards, H.
Firewall for IPv6 traffic
[nl] Shadow Hawkins on Monday, 20 April 2009 09:57:58
The default firewall of XP/ISA and Windows 7 supports IPv6, but that is only nice for the endpoint security. If you are looking for something like that, the default firewall will do. If you are looking for a perimeter firewall then you have to look for something else. I know Cisco, Juniper etc. have IPv6 firewalls. Martijn B
Firewall for IPv6 traffic
[pl] Shadow Hawkins on Saturday, 01 December 2007 20:52:27
And is it working correctly? I had McAfee Virus Scan in the past and it blocked IPv6 completely, until the McAfee services were restarted.
Firewall for IPv6 traffic
[gb] Shadow Hawkins on Friday, 30 November 2007 21:02:28
The PF firewall, which is available on the BSDs, includes full stateful IPv6 support and treats IPv6 as just another protocol. The IPFW firewall in FreeBSD also supports stateful filtering.
Firewall for IPv6 traffic
[dk] Carmen Sandiego on Thursday, 20 March 2008 23:25:28
Ferm supports IPv4 as well as IPv6: http://ferm.foo-projects.org/ Cheers, Klaus
Firewall for IPv6 traffic
[nl] Shadow Hawkins on Monday, 24 March 2008 12:21:46
I'm currently using Cisco's ASA series (5505 and 5520, PIX successors) as IPv6 routers and firewalls. This is possible with software version 7.something or higher, although I've only used 8.0(2) and 8.0(3) myself with IPv6. What doesn't work: no static tunnels (so you need something outside your firewall to terminate the tunnel and provide a native IPv6 subnet on the ASA's outside Ethernet interface). ASDM gracefully ignores all IPv6 commands, so you have to configure it from the command line. Paul.
Firewall for IPv6 traffic
[de] Shadow Hawkins on Thursday, 23 October 2008 19:13:39
I use a little basic script to set up my IPv6 gateway (an NSLU2) and to filter everything from outside:
# cat setup_ipv6gate.sh
/etc/init.d/aiccu start
/etc/init.d/radvd start
ip -6 addr add 2001:a60:f062:0001::/48 dev eth0
ip6tables -A FORWARD -i sixxs -p tcp --syn -j REJECT
ip6tables -A INPUT -i sixxs -p tcp --syn -j REJECT
Of course, this doesn't help you to prevent programs connecting to the IPv6 internet, but it's at least a basic protection against portscans and hax0ring attempts. Marco
Firewall for IPv6 traffic
[ch] Jeroen Massar SixXS Staff on Friday, 24 October 2008 12:46:46
You are forgetting the tunnel address, which is much easier to guess (as it is ::2). Next to that, one can actually use '-m state ...' to use state on all connections just like IPv4. As for port scanning, they will need to scan your whole /48 for IPs first; that takes too long and is thus infeasible. Technically one actually doesn't need firewalling anymore on the router in IPv6. Doing host-based firewalling is the way to go. (and actually something that Microsoft is pushing for :)
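A stateful counterpart to the script posted above, using the '-m state' match mentioned in this reply. This is an added example, not part of the original thread; the interface names "sixxs" and "eth0" are taken from that script, and the policy choices (default DROP, all ICMPv6 accepted on the gateway itself) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print a stateful ruleset in
# ip6tables-restore format. Interface names are assumptions: "sixxs" is the
# tunnel interface used in the script above, "eth0" the LAN side.
# Apply as root with:  gen_ruleset sixxs eth0 | ip6tables-restore

gen_ruleset() {
    wan=${1:-sixxs}   # interface facing the IPv6 internet
    lan=${2:-eth0}    # interface facing the routed subnet
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: traffic to the gateway itself, tunnel endpoint address included
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery and path-MTU discovery depend on ICMPv6
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $lan -j ACCEPT
# FORWARD: replies to tracked flows first; ICMPv6 errors match RELATED
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Only the LAN may open new connections; anything new from $wan hits DROP
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
COMMIT
EOF
}
```

Unlike the '--syn' rules, the default DROP policy also covers unsolicited UDP and other non-TCP traffic arriving over the tunnel.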
Firewall for IPv6 traffic
[ar] Shadow Hawkins on Monday, 22 March 2010 21:55:20
Jeroen, what you say is OK if you only have hosts. But remember that now you haven't got a NAT and all your internal IPs are public and accessible from the outside. If you have an internal mail server it will be known by DNS resolution and you may have a directed port scanning to that host. If you don't have NAT like IPv4 you really need a good perimeter firewall.
Firewall for IPv6 traffic
[ch] Jeroen Massar SixXS Staff on Tuesday, 23 March 2010 10:43:28
> if you have an internal mail server it will be known by DNS resolution and you may
> have a directed port scanning to that host.
The moment you send a packet outside of your network, anybody who can see that packet along the path that it is traversing to the destination and the one at the destination knows that that IP address is 'live' in one way or another. Easiest way to thus find hosts is to just look at an access.log of a webserver and presto (then again, if you can have a host contact your webserver most likely there are other more nasty things that you can do already as you can feed it javascript and/or fool the user into doing something they didn't want to do at your host)
> if you don't have NAT like IPv4 you really need a good perimeter firewall
The "Firewall" in your NAT is because of STATE. Indeed, if you want to protect a network/address from being able to communicate to anything and you think that firewalling is the only appropriate way, then do so. But remember that if you have STATE in your firewall, that any outbound connection will punch a hole right through that firewall rules you so preciously set up; unless you do the ordering correctly, but most very likely you'll run into issues where the blocked port is being used in a connection that you wanted to create state for, though you don't know why in the first place.... As you took the excellent example of mail, the firewall is really not your worry, as someone with evil intent will just send you a proper email and it will nicely arrive at that host. Remember: Firewalls are not the final answer in security. Best thing you can do: don't have any services running that you don't want running, verify this once in a while and the other extreme route: don't connect it to the internet in any form.
Firewall for IPv6 traffic
[ch] Shadow Hawkins on Monday, 29 March 2010 21:56:27
> Indeed, if you want to protect a network/address from being able
> to communicate to anything and you think that firewalling is the
> only appropriate way, then do so.
> ...
> Remember: Firewalls are not the final answer in security.
It's just one more layer, like an onion. But sometimes a system lacks the inner layer (personal firewall), as mentioned. Shorewall is now IPv6 ready with Shorewall6, a config file based front end for ip6tables. It came with additional traffic shaping capabilities, so it gave me added value. I found it rather easy to configure. Of course some network knowledge is mandatory, but the configuration is structured in a logical way.
Firewall for IPv6 traffic
[ch] Shadow Hawkins on Friday, 31 October 2008 02:22:59
I think that having firewalling for IPv6 enabled on the border routers, although not necessary, is good in order to protect those hosts that don't have an IPv6-enabled firewall and also those hosts that might be misconfigured or that have a deficient firewall (for example, the Mac OS X firewall is particularly bad at filtering some traffic).
Firewall for IPv6 traffic
[nl] Shadow Hawkins on Saturday, 29 November 2008 14:28:55
Our IPv6 lab is supported by a Check Point firewall. For a few years they have supported IPv6 but it is not a full IPv6 firewall in my book. All of the management stuff is done with IPv4 traffic only. There is limited support for writing rules in a mixed environment. Part of which is just an odd parser issue that makes no sense to me. But all in all it actually works.
Firewall for IPv6 traffic
[us] Shadow Hawkins on Monday, 06 April 2009 22:19:38
I'm currently running IPSO 4.2 b 96 and Check Point R65.4 with no issues at all. The firewall protects a small personal network mixed v4 and v6. Hugo is correct that Check Point management traffic is v4-only, but I think we can expect that within the corporate island, v4 will be supported much longer than for general-purpose transit. For traffic filtering it seems to work very well.
Firewall for IPv6 traffic
[de] Carmen Sandiego on Wednesday, 10 December 2008 00:38:12
Windows Vista Firewall has minimal IPv6 support, so you can block IPv6 for an application or port. But I also don't find an IPv6-only Windows firewall.
