Firewalling ICMPv6 with ip6tables
Shadow Hawkins on Sunday, 04 January 2004 01:52:55
Hi,
I just created the tunnel on my Debian box, but till now I'm only firewalling on IPv4 - meaning all native IPv6 traffic and 6in4 packets (IP proto 41) are accepted.
May sound a bit paranoid, but just to be sure, I'd like to block some ICMPv6 traffic. tcpdump'ing my tunnel shows "echo request" and "neighbor solicitation" incoming as well as "echo reply" and "neighbor advertisement" outgoing. 'Heartbeat' for the dynamic IPv4 endpoint only needs port 3740 outgoing in IPv4. The IPv6 pings are OK, but I don't want to become someone's neighbor without getting notice... so I want to block these and other ICMP types.
btw: Here's the list of ICMP types just in case...: http://www.networksorcery.com/enp/protocol/icmpv6.htm
The problem might be that SixXS cannot verify my tunnel properly when it is firewalled?!
My question is whether it is OK to block neighbor advertisement outgoing (to clients/addresses different from the SixXS tunnel endpoint) as well as redirect (type 137) incoming and the various 'reply' types outgoing as well as unwanted 'request' types incoming?
Have any of you set up an ip6tables firewall regarding ICMPv6 and can give me some hints? What mustn't be firewalled in order to _not_ lose any SixXS credits?
Regards,
Wolfgang
Firewalling ICMPv6 with ip6tables
Shadow Hawkins on Sunday, 04 January 2004 17:24:46
I use ip6tables. I accept every ICMPv6 packet coming from my tunnel server. In addition, I accept every ICMPv6 packet coming from my internal network. And I do accept every ICMPv6 packet coming from the internet too. :)
So I accept every ICMPv6 packet. Nevertheless, I accept them at separate places so that I can apply some restrictions without big changes, if needed in the future (persons will one day discover IPv6).
As far as I know, accepting ICMPv6 type 128 (ping6) from your tunnel server will be enough to get points. Dropping other pings will not have an effect on your points. In addition, you can do this and check if some services or something else begin to act weird.
PS. I have only one restriction on ping6 packets coming from the internet, which is a burst limit.
PS2. I have had my tunnel now for 28 weeks, and I did not get even one ping6 packet, but I get about 2000 ping4 daily on average (no, I do not have public services like FTP).
Firewalling ICMPv6 with ip6tables
Shadow Hawkins on Sunday, 04 January 2004 20:48:17
Might it be that the "neighbor" packets are from the heartbeat client? No matter, I will allow them only to the SixXS PoP.
Perhaps you also know a solution for a problem I currently have with my bash script. I use a config file which is sourced at the beginning of the script. In this file there are variables defined and exported like 'export SMTP_IP6="..."' and so on.
This works perfectly with IPv4 addresses, but bash seems to have a problem when I try to define IPv6 addresses in that way. Obviously the colons are misinterpreted - I assume converted to spaces, because I'm getting errors like "invalid arguments" etc. when calling the script - these problems vanish when I hardcode the IPv6 address into the script.
I already tried to escape the ':' with '\:', which didn't help. The next idea would be some sed/awk/grep trick, but it should work somewhat more easily, shouldn't it?
Any ideas?
Thx,
Wolfgang
Firewalling ICMPv6 with ip6tables
Jeroen Massar on Sunday, 04 January 2004 21:12:07
Heartbeat uses port 3740 and nothing else.
Neighbour discovery is ARP for IPv6.
Use '#!/usr/bin/bash -x' at the top of your script to see what it exactly executes.
Firewalling ICMPv6 with ip6tables
Shadow Hawkins on Sunday, 04 January 2004 22:08:18
Thx for the hint :) I was a bit stupid when creating the script for IPv6 using the one from IPv4 as a template...
Within the IPv4 script the public IP is supplied via the config file, but the script overwrites this variable with the address obtained from 'ifconfig', in case you have a dynamic IPv4 address and have to adjust your firewall rules after an IP change.
I simply forgot to remove that paragraph from the script since it isn't needed with IPv6. The grep/awk/sed sequence just returned "", so I had something like '-d -j RETURN', which produced the error.
Thx again,
Wolfgang
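A worked ip6tables policy for the set-up discussed in this thread, as an added example (not code from any of the posters): ICMPv6 from the PoP is accepted whole (so the type 128 echo requests that earn credits get through), neighbor discovery is accepted only on the tunnel and LAN interfaces, error messages IPv6 needs are allowed, other pings are rate-limited, and redirects (type 137) are dropped. The interface names "sixxs" and "eth0" and the PoP address 2001:db8:ffff::1 are constructed placeholders; the empty-argument check guards against the '-d -j RETURN' failure described above.

```shell
#!/bin/sh
# Added example: ICMPv6 filtering for a 6in4 tunnel host with ip6tables.
# Set IP6T=echo to print the rules instead of applying them (needs root otherwise).
IP6T="${IP6T:-ip6tables}"

icmpv6_rules() {
    tun_if="$1"; pop="$2"; lan_if="$3"
    # An empty variable turns '-s "" -j ACCEPT' into '-s -j ACCEPT', which is the
    # "invalid arguments" error from the thread; refuse to build rules in that case.
    for v in "$tun_if" "$pop" "$lan_if"; do
        [ -n "$v" ] || { echo "icmpv6_rules: empty argument" >&2; return 1; }
    done
    $IP6T -N ICMP6IN 2>/dev/null || true   # ignore "chain already exists"
    $IP6T -F ICMP6IN
    # Everything from the PoP (constructed address), including echo-request (128)
    $IP6T -A ICMP6IN -i "$tun_if" -s "$pop" -p icmpv6 -j ACCEPT
    # Error/feedback messages IPv6 cannot work without (path MTU discovery etc.)
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IP6T -A ICMP6IN -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbor discovery (ARP for IPv6) only on links we actually share
    for i in "$tun_if" "$lan_if"; do
        for t in neighbour-solicitation neighbour-advertisement; do
            $IP6T -A ICMP6IN -i "$i" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        done
    done
    # Pings from anywhere else: accepted, but burst-limited
    for t in echo-request echo-reply; do
        $IP6T -A ICMP6IN -p icmpv6 --icmpv6-type "$t" \
              -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    done
    # Redirects (type 137) and any remaining ICMPv6 type are dropped
    $IP6T -A ICMP6IN -p icmpv6 --icmpv6-type redirect -j DROP
    $IP6T -A ICMP6IN -p icmpv6 -j DROP
    # Hook the chain into INPUT
    $IP6T -A INPUT -p icmpv6 -j ICMP6IN
}
```

Run `IP6T=echo sh script.sh` style dry runs first and compare the printed rules against what tcpdump shows on the tunnel before loading them for real.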