# General question about IPV6 protocol.



## Alain De Vos (Feb 26, 2021)

Does someone understand the IPv6 protocol?
When I ask how to configure an IPv6 firewall, I never get any answer.
So the general notion about the IPv6 protocol seems to be "trust your provider fully".
This leads me to believe there is something inherently wrong with the IPv6 protocol, or with the way it is implemented and understood.


----------



## Jose (Feb 26, 2021)

This is a somewhat religious topic, so this is going to be my sole contribution:


https://cr.yp.to/djbdns/ipv6mess.html


----------



## zirias@ (Feb 26, 2021)

It seems to be religious indeed, to say the least. Given many consumers don't get public IPv4 addresses from their ISPs any more (reality for years in mobile networks, more and more common with cable and DSL), what do you think now?

At the OP: What exactly is the question? Cause, in a nutshell, you write rules for IPv6 in the same way as you did for IPv4.


----------



## Alain De Vos (Feb 26, 2021)

The question was: is the IPv6 protocol understandable for a normal human being like me?
If so, it should be easy to give me a good, performant, working, and safe IPv6 firewall ruleset.


----------



## zirias@ (Feb 26, 2021)

Alain De Vos said:


> The question was: is the IPv6 protocol understandable for a normal human being like me?


Although IPv6 is indeed a bit more than just IPv4 with 128 bits, the basic principles are still (roughly) the same, so I don't see why not.


Alain De Vos said:


> If so, it should be easy to give me a good, performant, working, and safe IPv6 firewall ruleset.


This isn't possible with IPv4 and won't be possible with IPv6 either. What will always be possible is to show some examples for specific use cases. For example with pf, you can often use the very same rules, and rules written against interfaces or their attached subnets will automatically apply to both IPv4 and IPv6 unless they explicitly use addresses of one family or the other.


----------



## obsigna (Feb 26, 2021)

Jose said:


> This is a somewhat religious topic, so this is going to be my sole contribution:
> 
> 
> https://cr.yp.to/djbdns/ipv6mess.html


IMHO, a very good writeup from D. J. Bernstein which hits the nail in the center of its head with a deviation of max. a few nanometers. However, he got it a little bit wrong with this statement:


> “The IPv6 designers made a fundamental conceptual mistake: they designed the IPv6 address space as an _alternative_ to the IPv4 address space, rather than an _extension_ to the IPv4 address space.”


This was not a casual mistake, this was on purpose. Whoever sometimes reads some boring texts and has a good memory remembers that one of the main principles of the inventors of IPv6 was the *Internet Transparency and End to End* principle -- https://tools.ietf.org/html/rfc4924. Basically this means that there are no opaque barriers like NAT in the middle of the IP traffic, and this led to absurd discussions on how to prevent/subvert/sabotage any kind of NAT64 -- https://tools.ietf.org/html/rfc5902. Bottom line:


> “_As such, we strongly encourage the community to consider end-to-end transparency as a requirement when proposing any solution, whether it be based on tunneling or translation or some other technique. Solutions can then be compared based on other aspects such as scalability and ease of deployment._”


See also: Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status -- https://tools.ietf.org/html/rfc4966

NAT-PT would have been a quite easy-to-implement interoperability solution, but no, the IPv6 working group wanted to force everybody to run either dual stack or IPv6 only on every single device.

This end-to-end-transparency dogma hindered interoperability of IPv4 and IPv6 for a very, very long time. For example, only with FreeBSD 12 has NAT64 (a quite simple interoperability solution) landed in ipfw(8), more than 20 years after IPv6 became a standard.

Now the question still remains: for what would YOU want End-to-End Transparency? What all the trackers want it for is absolutely clear, though. No need to place these complicated, now less and less tolerated cookies on the user's machine. They got this nice unique IPv6 address, the wet dream of Google, Facebook, Twitter, ..., isn't it. But then, oh no, NAT64 :-D


----------



## Alain De Vos (Feb 27, 2021)

On this forum I have found zero IPv6 firewall rulesets.
Maybe an IPv6 firewall is not needed?
Maybe nobody uses an IPv6 firewall?


----------



## ralphbsz (Feb 27, 2021)

No, you still need a firewall. With IPv4, most households or small organizations are NATed, meaning inside hosts are not reachable from the outside. With IPv6, if you get a large enough address range, by default all your inside hosts are suddenly reachable. So you still need a firewall to close that off.


----------



## chrbr (Feb 27, 2021)

Alain De Vos said:


> Maybe nobody uses an IPv6 firewall?


At least the FreeBSD firewall templates implement a few IPv6 rules. Below is the output with firewall_type="workstation" set in /etc/rc.conf.

```
# ipfw list|grep ipv6
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01600 allow ipv6-icmp from me to any keep-state :default
02200 allow ipv6-icmp from any to any icmp6types 128,129
02400 allow ipv6-icmp from any to any icmp6types 3
```


----------



## zirias@ (Feb 27, 2021)

ralphbsz said:


> No, you still need a firewall. With IPv4, most households or small organizations are NATed, meaning inside hosts are not reachable from the outside. With IPv6, if you get a large enough address range, by default all your inside hosts are suddenly reachable. So you still need a firewall to close that off.


Same thing as in the other thread: this is *mostly* true. Still, the purpose of NAT is slightly different in that you try to route as many packets as possible (so e.g. for UDP, it makes sense to let packets from a *different* remote host through when arriving on the same mapped socket), while a typical "connection tracking" firewall (called "keep state" in some configurations) tries to identify individual connections and only allow "answering" packets to pass from the outside.

As for specific firewall rules: The simple "pf" rules you find in the handbook don't even distinguish between IPv4 and IPv6 and will work for both. Of course, the "nat" rule will only apply to IPv4. https://docs.freebsd.org/en_US.ISO8859-1/books/handbook/firewalls-pf.html

There are differences of course, like ICMPv6 has more types and is used for more things, so if you want to filter ICMPv6, you need different rules than with IPv4. Also, there are some concepts IPv4 didn't have, like "link-local" addresses.

The "perfect ruleset" for anyone doesn't exist, as it didn't for IPv4. Simple examples can be a good starting point.
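To make the ICMPv6 point above concrete against the `ipfw list` output chrbr posted earlier in the thread, here is an added example (my own code, not from the thread or from FreeBSD): a small parser for those `ipv6-icmp` lines that names the `icmp6types` each rule admits and checks that the types an IPv6 host cannot work without are allowed. The type names come from RFC 4443 and RFC 4861; which types count as "essential" is a policy choice and the `ESSENTIAL` set here is an assumption for this example.

```python
"""Added example: summarise which ICMPv6 message types an ipfw ruleset admits.

Input is the `ipfw list` output pasted in the thread (only the ipv6-icmp lines).
Type names follow RFC 4443 (base ICMPv6) and RFC 4861 (Neighbor Discovery).
"""
import re

# Type numbers -> names, from RFC 4443 and RFC 4861.
ICMP6_TYPES = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}

# Assumption for this example: Neighbor Discovery (135/136) replaces ARP, and
# Packet Too Big (2) is how path-MTU discovery works in IPv6, where routers
# never fragment. Filtering these breaks IPv6 even when everything else passes.
ESSENTIAL = {2, 135, 136}

# `ipfw list` output copied from chrbr's post (firewall_type="workstation").
SAMPLE_IPFW_LIST = """\
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01600 allow ipv6-icmp from me to any keep-state :default
02200 allow ipv6-icmp from any to any icmp6types 128,129
02400 allow ipv6-icmp from any to any icmp6types 3
"""

# Matches the fields we need; trailing options (keep-state etc.) are ignored.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+ipv6-icmp\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+icmp6types\s+(?P<types>[\d,]+))?"
)


def parse_rules(text):
    """Return one dict per ipv6-icmp rule; types=None means the rule covers all types."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        types = m.group("types")
        rules.append({
            "num": int(m.group("num")),
            "action": m.group("action"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "types": None if types is None else {int(t) for t in types.split(",")},
        })
    return rules


def allowed_types_from_any(rules):
    """ICMPv6 types explicitly allowed from any source to any destination."""
    allowed = set()
    for r in rules:
        if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any" and r["types"]:
            allowed |= r["types"]
    return allowed


def missing_essential(rules):
    """Essential types that no unrestricted allow rule admits."""
    return ESSENTIAL - allowed_types_from_any(rules)


def describe(rules):
    """Human-readable line per rule, with type numbers resolved to names."""
    lines = []
    for r in rules:
        if r["types"] is None:
            what = "all types"
        else:
            what = ", ".join(f"{t} ({ICMP6_TYPES.get(t, 'unknown')})" for t in sorted(r["types"]))
        lines.append(f"{r['num']:05d} {r['action']} {r['src']} -> {r['dst']}: {what}")
    return lines


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_IPFW_LIST)
    print("\n".join(describe(parsed)))
    print("essential types missing:", sorted(missing_essential(parsed)) or "none")
```

Run against the template ruleset, the check finds no essential type missing. Router Solicitation/Advertisement (133/134) are not in any `from any to any` rule, but they only travel between link-local and multicast addresses, which rules 00700 and 00800 pass for every ICMPv6 type; that is exactly the kind of IPv6-specific rule zirias mentions that has no IPv4 counterpart.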


----------



## a6h (Feb 27, 2021)

IPv6 itself is not complicated, but its numerical representation is rather cryptic and scary. Also, it's (rather) new.
Hence fewer people are willing to dive deep into the subject, so there are fewer articles and less content written about it on the internet.


----------



## obsigna (Feb 27, 2021)

Alain De Vos said:


> On this forum I have found zero IPv6 firewall rulesets.
> Maybe an IPv6 firewall is not needed?
> Maybe nobody uses an IPv6 firewall?


How did you search? The following gives 425 relevant results, most of which have rules and even complete ipfw(8) sets for IPv6:

Google search: `site:forums.freebsd.org ipfw ipv6`

Anyway, you won’t need this, because everything is in the manuals ipfw(8) and pf.conf(5).


----------



## Deleted member 30996 (Mar 8, 2021)

> Zirias said:
> The "perfect ruleset" for anyone doesn't exist, as it didn't for IPv4. Simple examples can be a good starting point.


Mine is perfect for me and covers IPv6. I just want to Block and it does that nicely:

/etc/pf.conf

```
### Macro name for external interface
ext_if = "bge0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
```


----------



## Mjölnir (Mar 9, 2021)

Trihexagonal said:


> Mine is perfect


It's not. Read on.


Trihexagonal said:


> for me and covers IPv6. I just want to Block and it does that nicely:
> [...]
> netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
> netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"


Usually, I take great efforts to follow your advice, priest. Now please be so generous & let's both go reverse:

(minor flaw): rename that list of ports to something like _dangerousBeaSDs_ or similar, whatever you like, but not _netbios_xxx_. I would accept _net_bisons_xxx_ 'cause it's funny, but not _netbios_, since it's plain wrong.
More importantly, because X11 uses ports 6000-6063 (reserved), and in rare cases even more:
adjust that `6000, 6010` to be a range `6000-6063` or beyond, e.g. up to 6100.
Thank you in advance, sincerely yours.
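The gap Mjölnir points at is easy to check mechanically. Here is an added example (my own code, not from the thread or from pf) that expands the `netbios_tcp` / `netbios_udp` macros from the ruleset posted above, reports which ports of the X11 display range 6000-6063 they do not list, and rebuilds a macro in pf syntax, where pf.conf(5) writes a range as `lo:hi`. The parser handles the two forms pf accepts in a port list, single ports and `lo:hi` ranges; treating a port list this way is my assumption, the sample macro lines are copied from the post.

```python
"""Added example: expand pf port-list macros and check them against a port range.

pf.conf(5) accepts single ports and `lo:hi` ranges inside `{ ... }` lists; this
parser handles exactly those two forms. The X11 range is the one Mjölnir raised.
"""
import re

# Macro lines copied from the ruleset posted earlier in the thread.
SAMPLE_MACROS = '''
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
'''

# X11 displays :0 through :63 listen on 6000 + display number.
X11_PORTS = range(6000, 6064)


def parse_port_list(text):
    """Expand a pf port list such as `{ 22, 6000:6010 }` into a set of ints."""
    body = text.strip().strip('"').strip().strip("{}").strip()
    ports = set()
    if not body:
        return ports
    for item in re.split(r"[,\s]+", body):
        if not item:
            continue
        if ":" in item:  # pf range syntax lo:hi, inclusive
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_macros(text):
    """Return {macro_name: set_of_ports} for every `name = "{ ... }"` line."""
    macros = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        name, rhs = line.split("=", 1)
        macros[name.strip()] = parse_port_list(rhs)
    return macros


def uncovered(ports, wanted):
    """Ports in `wanted` that the macro does not list, sorted."""
    return sorted(set(wanted) - ports)


def as_pf_ranges(ports):
    """Collapse a set of ports back into pf syntax, merging consecutive runs."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][-1] + 1:
            runs[-1].append(p)
        else:
            runs.append([p])
    items = (f"{r[0]}:{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)
    return "{ " + ", ".join(items) + " }"


if __name__ == "__main__":
    macros = parse_macros(SAMPLE_MACROS)
    for name, ports in macros.items():
        gap = uncovered(ports, X11_PORTS)
        print(f"{name}: {len(gap)} of {len(X11_PORTS)} X11 ports not listed")
        print(f"  with the full X11 range: {name} = \"{as_pf_ranges(ports | set(X11_PORTS))}\"")
```

For the posted macros the script reports 62 of the 64 X11 ports as not listed by the macro itself; whether those ports are then caught by `block log all` is the separate point Trihexagonal makes in reply, which a macro check alone cannot settle.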


----------



## Deleted member 30996 (Mar 9, 2021)

Mjölnir said:


> It's not.  Read on.
> 
> Usually, I'm taking great efforts to follow your advice, priest.  Now please be so generous & let's both go reverse:
> 
> ...


1. I wrote this more than 10 years ago and believe I'll leave the macro named just like it is.
2. Already blocked.

```
### Default deny everything
block log all
```


----------

