Firewall
Shadow Hawkins on Wednesday, 31 December 2008 13:13:26
I thought I posted this yesterday, guess not.
Anyways, what is everyone using as a firewall on their IPv6 routers (if you're using a server/workstation to do your routing)? I know the chances of being scanned are slim with IPv6, but the chance is still there. I'm running FreeBSD 7 and it does have some built in firewall software, but I'd like some input from the community first. Thanks
Firewall
Carmen Sandiego on Friday, 02 January 2009 00:58:22
I just use ip6tables on my Ubuntu server router
It works great for what I'm using it for (a home network and testing server)
Firewall
Shadow Hawkins on Saturday, 03 January 2009 12:32:03
I think the simplest way will be using operating system capabilities. Why not use the built-in packet filter?
During firewall policy construction pay attention to ICMPv6. Don't block it if you don't really know what you are doing. IPv6 transfers a lot of information using it. And SixXS PoPs use it for tunnel liveness monitoring also.
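As an added illustration of the two points above (use the OS packet filter, and keep ICMPv6 open), here is a small POSIX sh script that generates a stateful ip6tables ruleset for a Linux router of the kind Carmen describes. It is example code written for this thread, not something any of the posters ran; the interface names `WAN` and `LAN`, the SSH rule and the choice of a tunnel interface name are assumptions. The ICMPv6 type numbers follow RFC 4443 and RFC 4861, and the "must not be blocked" list follows the essentials in RFC 4890.

```shell
#!/bin/sh
# Added example (not from the thread): emit a stateful ip6tables ruleset for a
# Linux IPv6 router that keeps the ICMPv6 messages IPv6 cannot work without.
# Interface names are assumptions; override with WAN=... LAN=... in the environment.
WAN="${WAN:-sixxs}"   # assumed: tunnel interface towards the PoP
LAN="${LAN:-eth1}"    # assumed: LAN-facing interface

# ICMPv6 error/echo types (RFC 4443): 1 dest unreachable, 2 packet too big,
# 3 time exceeded, 4 parameter problem, 128/129 echo request/reply.
# Type 2 matters most on a 1280-byte tunnel: drop it and PMTU discovery breaks.
ICMP6_BASIC="1 2 3 4 128 129"
# Neighbour/router discovery (RFC 4861): 133 RS, 134 RA, 135 NS, 136 NA.
# Legitimate ND always arrives with hop limit 255, so we require that.
ICMP6_ND="133 134 135 136"

# Print the rules instead of applying them so they can be reviewed first.
ip6_rules() {
    cat <<EOF
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
EOF
    # Router itself: errors, echo and ND. ND is link-local and is never forwarded.
    for t in $ICMP6_BASIC; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in $ICMP6_ND; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Hosts behind the router: let errors and echo through in both directions.
    for t in $ICMP6_BASIC; do
        echo "ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    cat <<EOF
ip6tables -A FORWARD -i $LAN -o $WAN -j ACCEPT
ip6tables -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
EOF
}

# Sanity check: number of rules in chain $1 that accept ICMPv6.
icmp6_accepts() {
    ip6_rules | grep -c -- "-A $1 -p ipv6-icmp .* -j ACCEPT"
}

# Apply only on explicit request and only as root.
ip6_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "ip6_apply: must be root" >&2; return 1; }
    ip6_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then ip6_apply; else ip6_rules; fi
```

Run it without arguments to review the generated rules; `./ip6fw.sh apply` loads them. With these rules an inbound scan against the router or the LAN hits the DROP policy, while Packet Too Big and Neighbour Discovery still work, which is exactly what keeps the tunnel and PMTU discovery alive.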
Firewall
Jeroen Massar on Tuesday, 06 January 2009 12:01:28
In IPv6 the expectancy is to let the end-hosts do the firewalling.
The largest reason for this being the fact that a host in the middle doesn't know anything about the state of the end-host. If you are going to make 'guesses' on the middle host (the 'firewall' in the traditional sense), those guesses might be wrong, especially when one has protocols which pass IP/port information inside the protocol, e.g. FTP is the classical example. As such, you will still need to do all the NAT-like work in that firewall to inspect the data completely, and most likely you do not know that cool new application that is being used.
Do also remember that if you open port 80 (HTTP), applications will just tunnel over port 80. If you have port 443 (HTTP over SSL) open, apps will just nicely make their protocol look like that (which is easy, just stunnel it). As such per-port filtering is not helping you in any way. Incoming connections of course can be blocked a bit, but that might break for instance FTP or other protocols as mentioned above.
The problem thus becomes, even though one is giving every host a nice public IP address and is making them globally reachable, that one still can't properly use the whole end-to-end idea as the firewall in the middle is making broken assumptions/guesses and is thus breaking end-to-end.
Letting the end-host do the firewalling allows the user, or a tool using that end-host, to say 'yes, that application is allowed to make that connection / listen on that port for incoming connections'. That is much more powerful than you can ever have on your central (distributed) firewall, and it also allows you to do actual firewalling up to high speeds.
Remember that IPv6 was designed for simple forwarding in routers, allowing them to become much faster as they don't have to process that much anymore (which is a bit of a false story actually :)
In a corporate environment one will of course not like that as one doesn't have full control over the firewall in the end-host in many cases. But in the case of a Microsoft based network, with Active Directory in place, one can already do most of this today. Microsoft is also pushing for this model. On other platforms though, you are mostly out of luck, as anybody can root them easily and thus circumvent most of the measures you install, that is, if those measures are available at all in the first place.
Firewall
Shadow Hawkins on Tuesday, 06 January 2009 14:53:05
Interesting.
Ideally I'd like all traffic to be passing through my ASA, but until my upstream provider hops on the bandwagon, that's easier said than done. (Yes, I know I can tunnel from the ASA, but AYIYA is definitely easier.) It seems to me that this would be more efficient and "proper", but maybe that's because I'm used to IPv4.