SixXS::Sunset 2017-06-06

opening ipv6 icmp for windows XP (and server 2003?)
[nl] Carmen Sandiego on Monday, 25 August 2003 15:13:08
As I had trouble finding out how to make the following work, I wanted to share my findings with you all. The situation is that I am using my Windows XP machine as the tunnel endpoint to connect my home network to the IPv6 POP of IPng.nl. This information is also important if you have a subnet for your home network with IPv6-enabled Windows XP machines behind the (IPv6) router, because your machine is probably (depending on the firewall settings) accessible directly from the outside.

When you have Windows XP SP1 installed without the advanced networking kit (or even Windows XP without SP1), there is no firewall at all for IPv6, so the great Internet Connection Firewall will work for IPv4, but all ports (like your RPC port) are wide open on the IPv6 interface, making you vulnerable to viruses and stuff. As soon as you install the advanced networking kit, a nice IPv6 firewall is active, but it prevents you from having the tunnel at, for instance, SixXS, because it will block the ICMPv6 messages which SixXS needs to verify that the tunnel is alive.

When you have used the Windows XP commands from SixXS (the netsh commands which create a 'SixXs' adapter), use this command at the command prompt to make your IPv6 interface reply to ICMPv6 echo requests again:
netsh firewall set adapter sixxs icmp all=enable
In this case you won't be having problems with the alive status of SixXS anymore. I have not been able to test it fully, so additional comments on this post are welcome.
[ch] Jeroen Massar SixXS Staff on Monday, 25 August 2003 18:26:41
This will indeed work for both XP and Windows 2003. Note that ICMP responses are a requirement for all public POPs. If it doesn't ping it ain't up and it gets disabled. I've added this to the Windows Setup FAQ and to the Tunnel Script creation function.
[nl] Shadow Hawkins on Tuesday, 26 August 2003 11:57:03
It seems not to be working for me. I installed the firewall and used that line to enable ICMP on both my LAN and SixXS interface, but it seems that pinging is not possible from the outside; internally, pinging works. Some firewall info I got (everything seems to be OK):
netsh firewall show adapter SixXS

Beschrijving                                  ICMP-type   Aan/uit
-------------------------------------------------------------
Uitgaande bestemming onbereikbaar toestaan    1           Ja
Uitgaand pakket te groot toestaan             2           Ja
Tijd voor uitgaan verstreken toestaan         3           Ja
Probleem met uitgaande parameter toestaan     4           Ja
Binnenkomend verzoek voor echo toestaan       128         Ja
Omleiden toestaan                             137         Ja
[ch] Jeroen Massar SixXS Staff on Tuesday, 26 August 2003 12:42:09
Check your logging:
netsh firewall>show logging

Logging Configuration for IPv6 Internet Connection Firewall
Successful Connections: Disabled
Dropped Packets: Enabled
File location: C:\WINDOWS\pfirewall-v6.log
File size: 4096 Kb
That file should be empty ;) If it filters it will contain lines like:
2003-08-26 12:08:09 DROP ICMP 3ffe:8114:1000::26 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42 - - 144 - - - - 128 0 -
2003-08-26 12:08:10 DROP ICMP 3ffe:8114:1000::26 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42 - - 144 - - - - 128 0 -
2003-08-26 12:08:11 DROP ICMP 3ffe:8114:1000::26 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42 - - 144 - - - - 128 0 -
If that file is empty, check your routing tables and otherwise, start using tcpdump/Ethereal/NetworkMonitor to find out what happens ;)

"netsh firewall>set adapter Cable icmp all=enable"
Means: Enable icmp

Description                               ICMPTypeNo   Enabled
-------------------------------------------------------------
Allow Outbound Destination Unreachable    1            Yes
Allow Outbound Packet Too Big             2            Yes
Allow Outbound Time Exceeded              3            Yes
Allow Outbound Parameter Problem          4            Yes
Allow Inbound Echo Request                128          Yes
Allow Redirect                            137          Yes

"netsh firewall>set adapter Cable icmp all=disable"
Means: Disable icmp

Description                               ICMPTypeNo   Enabled
-------------------------------------------------------------
Allow Outbound Destination Unreachable    1            No
Allow Outbound Packet Too Big             2            No
Allow Outbound Time Exceeded              3            No
Allow Outbound Parameter Problem          4            No
Allow Inbound Echo Request                128          No
Allow Redirect                            137          No

Btw one can change it to:
"netsh firewall>set adapter Cable icmp 128=enable"
To only allow ICMP echo requests. (Oh I use 'cable' here as my XP box is behind a linux box ;) )
[nl] Carmen Sandiego on Tuesday, 26 August 2003 14:10:18
<off-topic> Hmm, why not use your Linux box as the IPv6 endpoint then :) ? Works nicer with a subnet, so you have the whole network using IPv6? (Or perhaps you have your reasons for it (no root for the Linux machine...)) </off-topic>
[ch] Jeroen Massar SixXS Staff on Tuesday, 26 August 2003 14:30:25
Guess what it has been doing for the last three years, spanning 2 residences and because of that 2 ISPs, though it was a FreeBSD box first and became Debian after the move; see Network Layout for a network layout. Btw, even if I would use the XP box as a tunnel endpoint I could RA a network through that, the only difference would be the default gateway for the subnet.
[nl] Shadow Hawkins on Tuesday, 26 August 2003 18:00:56
I guess this is what Robert means: if the Linux box becomes your tunnel endpoint, you won't need an IPv6 firewall on your XP box, since you can use ip6tables on the Linux box, which will handle ICMPv6 requests too. That's how I do it.
[ch] Jeroen Massar SixXS Staff on Tuesday, 26 August 2003 19:15:58
Ehmmm let me repeat: I am and always have been doing that. The complete thread is useful for people using XP as an endpoint, not for me ;) And as for the XP box, firewall=disabled:
---------------------------------------------------------------
AdapterFriendlyName                     IPV6FilteringEnabled
---------------------------------------------------------------
Teredo Tunneling Pseudo-Interface       No
Cable                                   No
6to4 Pseudo-Interface                   No
Automatic Tunneling Pseudo-Interface    No
---------------------------------------------------------------
[nl] Shadow Hawkins on Tuesday, 26 August 2003 22:13:12
I don't get it. I get the following in my log:
2003-08-26 21:52:45 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1934 33434 104 - - - - - - -
2003-08-26 21:52:49 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1933 33434 104 - - - - - - -
2003-08-26 21:52:50 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1934 33434 104 - - - - - - -
2003-08-26 21:52:54 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1933 33434 104 - - - - - - -
2003-08-26 21:52:55 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1934 33434 104 - - - - - - -
2003-08-26 21:52:59 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1933 33434 104 - - - - - - -
UDP traffic; ICMP traffic doesn't show up. Could there be a problem at IPng? 2 friends of mine who have an IPv6 tunnel elsewhere aren't able to traceroute to my computer :-S
[ch] Jeroen Massar SixXS Staff on Tuesday, 26 August 2003 23:12:09
What about your routing? As I am very, very sure that 3ffe:8114:1000::65a, which should be the POP, doesn't send any UDP traffic... It does seem to ping at this moment:
PING 3ffe:8114:1000::65b(cl-814.ams-02.nl.sixxs.net) 56 data bytes
64 bytes from cl-814.ams-02.nl.sixxs.net: icmp_seq=0 time=25.2 ms
Oh and don't worry, IPng.nl runs perfectly fine, even after that lame DDoS.
[nl] Shadow Hawkins on Wednesday, 27 August 2003 00:11:40
I haven't changed a thing, but it seems to work fine again (if I look at the graphs). Finally a firewall between the IPv6 traffic.
[nl] Carmen Sandiego on Wednesday, 27 August 2003 10:05:55
The port 33434 is the traceroute port, so probably that is what your box is blocking. I don't know the syntax used in the logging of XP, so I cannot explain the 65a address. But it fits: if you say that you are being unsuccessfully tracerouted, it is due to these log entries. If you open UDP port 33434, your friends will probably be able to traceroute you.
[ch] Jeroen Massar SixXS Staff on Wednesday, 27 August 2003 13:14:11
Depending on your traceroute program it either uses TCP (mostly Windows) or UDP somewhere in the high ports region (33434 indeed looks plausible as such). And as the IPng POP (and all others) employ ICMPv6 pings, that passes your firewall, but traceroutes indeed won't when you block UDP. I usually say: close your apps as they are at fault. But I don't like filtering :)
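
Added example (not part of any post in this thread, and not SixXS code): a small Python script that reads pfirewall-v6.log records like the ones quoted above and separates dropped ICMPv6 echo requests, which make a tunnel look dead to the POP, from dropped UDP traceroute probes. The field order and the 33434-33534 port range are assumptions based on the usual Windows firewall log layout and conventional traceroute behaviour.

```python
from collections import Counter

# Field order of the Windows firewall log; assumed here to hold for
# pfirewall-v6.log too, which is consistent with the lines quoted in the thread.
FIELDS = ("date time action protocol src dst sport dport size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()
ECHO_REQUEST = "128"                    # ICMPv6 type used for the liveness ping
TRACEROUTE_PORTS = range(33434, 33535)  # conventional UDP range (assumption)

SAMPLE_LOG = """\
# Lines below are copied from the posts above.
2003-08-26 12:08:09 DROP ICMP 3ffe:8114:1000::26 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42 - - 144 - - - - 128 0 -
2003-08-26 12:08:10 DROP ICMP 3ffe:8114:1000::26 3ffe:8114:2000:240:2d0:b7ff:fe8f:5d42 - - 144 - - - - 128 0 -
2003-08-26 21:52:45 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1934 33434 104 - - - - - - -
2003-08-26 21:52:49 DROP UDP 3ffe:8114:1000::65a 3ffe:8114:1000::65b 1933 33434 104 - - - - - - -
# Constructed line (not from the thread): an allowed connection.
2003-08-26 21:53:01 OPEN TCP 3ffe:8114:1000::65b 3ffe:8114:1000::65a 1040 80 - - - - - - - -
"""

def parse(text):
    """Yield one dict per log record, skipping comments and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) < len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def classify(rec):
    """Name the kind of dropped traffic, or None if the packet was not dropped."""
    if rec["action"] != "DROP":
        return None
    if rec["protocol"] == "ICMP" and rec["icmptype"] == ECHO_REQUEST:
        return "echo-request"      # the POP's ping is being filtered
    if (rec["protocol"] == "UDP" and rec["dport"].isdigit()
            and int(rec["dport"]) in TRACEROUTE_PORTS):
        return "udp-traceroute"    # someone is tracerouting this host
    return "other"

def summarize(text):
    """Count drops per (source address, category)."""
    counts = Counter()
    for rec in parse(text):
        kind = classify(rec)
        if kind:
            counts[(rec["src"], kind)] += 1
    return counts

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {kind:15s} from {src}")
```

Any "echo-request" count means the tunnel adapter still filters ICMPv6 type 128 and the POP will see the endpoint as down; "udp-traceroute" drops alone do not affect the alive check.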


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker