Ip6fw
Introduction
If you have IPv6 running on your computer you will most definitely want to configure an IPv6 firewall. If your operating system does not provide a GUI for configuring you firewall, or you wish to have more control than it provides, then you will need to get down to the shell and configure it yourself. For the BSD (FreeBSD, NetBSD, Darwin, MacOS X) family of operating systems the tool you will want to use is 'ipfw'. You can check the man page for ip6fw, though some additional information is provided on this page.
Below is a sample sequence of calls to establish an IPv6 firewall:
ip6fw -f flush ip6fw add 1000 allow tcp from any to 2001:4978:18d::/64 ssh,http setup ip6fw add 2100 allow ipv6 from 2001:4978:18d::/64 to any ip6fw add 2200 allow ipv6-icmp from any to any ip6fw add 2300 allow tcp from any to any established ip6fw add 3000 deny log ipv6 from any to 2001:4978:18d::/64
These rules allow any computer to connect to this host for ssh and http, allows pinging of machines beyond the subnet and denies everything else. Additionally logging is defined for any traffic that gets to rule 3000. The ability to log denied traffic is useful when trying to fine tune your firewall and eventually as a security measure, though it can provide a lot of log entries. Note that the above rules are for a subnet with a prefix of '2001:4978:18d::', which you will need to replace with appropriate value for your subnet.
To display the current rules you use the following:
ip6fw show
If you wish to enable logging, then it is enabled by:
sysctl -w net.inet6.ip6.fw.verbose=2
and disabled by:
sysctl -w net.inet6.ip6.fw.verbose=0
Samples Rules
To do. [40/100%]
some drops
- 6BONE, doubtful *
${fwcmd6} add deny log ipv6 from 3ffe::/16 to any
- 6to4, doubtful *
${fwcmd6} add deny log ipv6 from 2002::/16 to any
- ORCHID (RFC4843) *
${fwcmd6} add deny log ipv6 from 2001:10::/28 to any
- IPv6 Documentation Prefix *
${fwcmd6} add deny log ipv6 from 2001:db8::/32 to any
- IPv6 Unique Link local *
${fwcmd6} add deny log ipv6 from fc00::/7 to any
a sample ftp allow rule
- ftp.freenet.de *
for j in 3 4 5 ; do ${fwcmd6} add pass all from any to 2001:748:100:50::$j && ${fwcmd6} add pass all from 2001:748:100:50::$j to any done