nsayer
Frequent Visitor
Topic Author

Help with ipv6 firewall ?

Tue Jun 07, 2011 8:20 pm

I've attempted to basically copy the default IPv4 firewall configuration, making changes where it makes sense. Here's what I came up with:


# jun/07/2011 10:09:24 by RouterOS 5.4
# software id = XDDH-ZK31
#
/ipv6 firewall filter
add action=accept chain=input disabled=no protocol=icmpv6
add action=accept chain=input connection-state=established disabled=no \
in-interface=sit1
add action=accept chain=input connection-state=related disabled=no \
in-interface=sit1
add action=accept chain=input comment="SSH inbound" disabled=no dst-port=22 \
in-interface=sit1 protocol=tcp
add action=reject chain=input disabled=no in-interface=sit1 reject-with=\
icmp-address-unreachable

The problem is that the reject rule never sees any traffic. In fact, the SSH inbound rule never does either. The only stats counters that increment are for ICMPv6 and 'established'.

Interface 'sit1' is the "6to4" (it's actually 6in4, btw. - 6to4 is the 2002:: net) tunnel to tunnelbroker.

Oh, by the way, I also wonder how the tunneled IPv6 traffic is actually getting in in the first place. The ipv4 firewall has no rules to pass proto 41.


# jun/07/2011 10:16:17 by RouterOS 5.4
# software id = XDDH-ZK31
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=ether1-gateway
add action=accept chain=input comment=L2TP disabled=no dst-port=500 \
in-interface=ether1-gateway protocol=udp
add action=accept chain=input disabled=no dst-port=4500 in-interface=\
ether1-gateway protocol=udp
add action=accept chain=input disabled=no dst-port=1701 in-interface=\
ether1-gateway protocol=udp
add action=accept chain=input disabled=no in-interface=ether1-gateway \
protocol=ipsec-esp
add action=accept chain=input comment="SSH to routerboard" disabled=no \
dst-address=[routerboard] dst-port=22 protocol=tcp
add action=reject chain=input comment="default configuration" disabled=no \
in-interface=ether1-gateway reject-with=icmp-port-unreachable
/ip firewall mangle
add action=mark-packet chain=forward disabled=no new-packet-mark=voip \
passthrough=no src-mac-address=[voip box 1 mac]
add action=mark-packet chain=forward disabled=no new-packet-mark=voip \
passthrough=no src-mac-address=[voip box 2 mac]
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-port=[super secret] protocol=tcp \
to-addresses=[server host] to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=[super secret] protocol=tcp \
to-addresses=[routerboard] to-ports=22
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
nsayer
Frequent Visitor
Topic Author

Re: Help with ipv6 firewall ?

Tue Jun 07, 2011 8:52 pm

I think I figured it out.

Because there's no NAT on IPv6, I need to use the forward chain for all the hosts on the inside, and then duplicate the rules for the input chain to protect the routerbox itself.

I assume that the reason proto 41 traffic is being received is that the default ipv4 firewall has no forward ruleset at all and that that traffic is being "forwarded" to the sit1 interface rather than being received and passed through the input chain. Either that or it's being received and de-encapsulated prior to any firewall processing at all, and thus "arrives" on sit1 having made no appearance at all on ether1-gateway as far as the firewall is concerned.
fewi
Forum Guru

Re: Help with ipv6 firewall ?

Tue Jun 07, 2011 10:10 pm

> Because there's no NAT on IPv6, I need to use the forward chain for all the hosts on the inside, and then duplicate the rules for the input chain to protect the routerbox itself.
That has always been the case, even with IPv4. There is absolutely no protection for hosts behind the router in your IPv4 rule set. The 'input' chain has always been only for packets that have a router IP address as their destination address AFTER destination NAT, which also means AFTER source NAT has been undone.
> I assume that the reason proto 41 traffic is being received is that the default ipv4 firewall has no forward ruleset at all and that that traffic is being "forwarded" to the sit1 interface rather than being received and passed through the input chain. Either that or it's being received and de-encapsulated prior to any firewall processing at all, and thus "arrives" on sit1 having made no appearance at all on ether1-gateway as far as the firewall is concerned.
The packets for the tunnel are being grabbed via raw sockets before any firewalling can be applied. They circumvent the firewall, basically. Just like DHCP when RouterOS is acting as a DHCP server.
nsayer
Frequent Visitor
Topic Author

Re: Help with ipv6 firewall ?

Tue Jun 07, 2011 10:45 pm

> > Because there's no NAT on IPv6, I need to use the forward chain for all the hosts on the inside, and then duplicate the rules for the input chain to protect the routerbox itself.
> That has always been the case, even with IPv4. There is absolutely no protection for hosts behind the router in your IPv4 rule set. The 'input' chain has always been only for packets that have a router IP address as their destination address AFTER destination NAT, which also means AFTER source NAT has been undone.
Well, there's no protection for IPv4 hosts behind the router, but they're not reachable from in front of it because of the private networking, no?

And that rule set is, in fact, the default ruleset, with just a couple of items added to pass allowed stuff in from outside.

If something's not right with that ruleset, then IMHO the defaults should have similar adjustments made.
fewi
Forum Guru

Re: Help with ipv6 firewall ?

Tue Jun 07, 2011 10:58 pm

NAT is an insufficient security model - there are ways to get around and through NAT. You should always have a stateful firewall rule set to protect hosts.

You could argue the default rule set should protect hosts and not just the router itself (which is all it is designed to do). I'm rather of the opinion that there shouldn't be a default rule set at all.
nsayer
Frequent Visitor
Topic Author

Re: Help with ipv6 firewall ?

Tue Jun 07, 2011 11:55 pm

Fair enough.

I have added, more or less, a duplication of the 'forward' ruleset from the IPv6 firewall to the IPv4 one: pass icmp, pass established and related when the in interface is the gateway, pass tcp 22 when the in interface is the gateway and reject everything else when the in interface is the gateway.
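As an added example (not configuration posted in this thread), here is what the forward-chain rule set described in the two posts above looks like in RouterOS export syntax: the IPv6 set for the sit1 tunnel that the input rules alone did not provide, and the IPv4 mirror for ether1-gateway. Interface names are taken from the thread; the inside host address is a constructed placeholder in the 2001:db8::/32 documentation prefix, and `[server host]` follows the thread's own placeholder convention.

```routeros
# Added example, not from the thread. Interface names sit1 and
# ether1-gateway are the ones used in the posts above.
#
# IPv6: there is no NAT, so inside hosts are reachable directly
# and the forward chain is the only thing protecting them. The
# proto 41 tunnel packets never traverse the IPv4 filter, so the
# IPv6 rules must do all the work.
/ipv6 firewall filter
add chain=forward protocol=icmpv6 action=accept \
    comment="ICMPv6 carries PMTUD and neighbor discovery; keep it"
add chain=forward connection-state=established in-interface=sit1 \
    action=accept
add chain=forward connection-state=related in-interface=sit1 \
    action=accept
add chain=forward protocol=tcp dst-port=22 in-interface=sit1 \
    dst-address=2001:db8:1::22/128 action=accept \
    comment="SSH to one inside host (placeholder address)"
add chain=forward in-interface=sit1 action=reject \
    reject-with=icmp-address-unreachable \
    comment="everything else arriving from the tunnel"

# IPv4: same shape on the WAN interface. Forward-chain rules see the
# packet AFTER dst-nat, so the SSH rule matches the translated
# to-ports=22, not the [super secret] external port.
/ip firewall filter
add chain=forward protocol=icmp in-interface=ether1-gateway action=accept
add chain=forward connection-state=established \
    in-interface=ether1-gateway action=accept
add chain=forward connection-state=related \
    in-interface=ether1-gateway action=accept
add chain=forward protocol=tcp dst-port=22 dst-address=[server host] \
    in-interface=ether1-gateway action=accept \
    comment="SSH forwarded by the dst-nat rule"
add chain=forward in-interface=ether1-gateway action=reject \
    reject-with=icmp-port-unreachable \
    comment="everything else arriving from the WAN"
```

Rule order matters, since the first match wins: keep the final reject last in each chain, and confirm the rules are actually being hit with `/ipv6 firewall filter print stats` (and `/ip firewall filter print stats`), the same counters the first post used to notice that the input-chain rules were never seeing forwarded traffic.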
