Block IPv6 Portscans - Rule works for IPv4 but not IPv6

I’m trying to block IPv6 portscans coming to my router. The below filter rules work for IPv4 but get ignored for IPv6 (no traffic matches). What am I doing wrong?

add action=drop chain=input comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
add action=drop chain=forward comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP NULL scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP NULL scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

Why do you have open ports to the internet to begin with? Just drop all inbound traffic rather than slowing down your router with these junk rules.

The idea is this: if some remote host tries to connect to an IP/port combination which is not allowed (either it’s not DST NATed in IPv4 or is blocked in IPv6), then such a remote host is added to a blacklist. Henceforth the same host cannot connect to an otherwise allowed/open IP/port combination (e.g. HTTP server).

I’m not entirely sure that this idea is feasible, so my firewalls don’t do this kind of crap.

For IPv6 you have to define a separate set of firewall rules in /ipv6 firewall filter. It’s not clear from your original post if you have those in place. The rules that work for IPv4 won’t match the IPv6 packets.
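As an added example (not from this thread and not MikroTik's own configuration), here is what the original post's tcp-flags rules look like when placed under /ipv6 firewall filter. It assumes the IPv6 filter supports connection-state, tcp-flags, src-address-list and action=add-src-to-address-list (it does in current RouterOS releases) and that the psd matcher is not available there. The list names port_scanners and do_not_blacklist mirror the IPv4 lists but are separate IPv6 lists; the 2001:db8::/32 entry is a documentation-prefix placeholder for your own address space.

```routeros
# Added example: IPv6 counterpart of the IPv4 port-scan rules from the original post.
# Assumptions: /ipv6 firewall filter supports connection-state, tcp-flags, src-address-list
# and action=add-src-to-address-list; the psd matcher is IPv4-only and is therefore omitted.

/ipv6 firewall address-list
# Placeholder prefix (documentation range); replace with your own prefixes and upstream resolvers.
add list=do_not_blacklist address=2001:db8::/32 comment="never blacklist (placeholder prefix)"

/ipv6 firewall filter
# Accept existing flows and ICMPv6 first so that NDP/PMTUD and established sessions are never
# evaluated by the scan detectors below.
add chain=input action=accept connection-state=established,related comment="accept existing flows"
add chain=input action=accept protocol=icmpv6 comment="NDP and PMTUD need ICMPv6"
add chain=forward action=accept connection-state=established,related comment="accept existing flows"
add chain=forward action=accept protocol=icmpv6 comment="NDP and PMTUD need ICMPv6"

# Drop anything already on the IPv6 scanners list.
add chain=input action=drop src-address-list=port_scanners comment="BLOCK PORT SCAN - Drop Port scanners"
add chain=forward action=drop src-address-list=port_scanners comment="BLOCK PORT SCAN - Drop Port scanners"

# Flag-combination detectors. Each match adds the /128 source address to port_scanners for 1d.
# "fin,!syn" means FIN must be set and SYN must be clear; flags not named are ignored.
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg comment="BLOCK PORT SCAN - NMAP FIN Stealth scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg comment="BLOCK PORT SCAN - NMAP FIN Stealth scan"
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn comment="BLOCK PORT SCAN - SYN/FIN scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn comment="BLOCK PORT SCAN - SYN/FIN scan"
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst comment="BLOCK PORT SCAN - SYN/RST scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst comment="BLOCK PORT SCAN - SYN/RST scan"
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack comment="BLOCK PORT SCAN - FIN/PSH/URG scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack comment="BLOCK PORT SCAN - FIN/PSH/URG scan"
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg comment="BLOCK PORT SCAN - ALL/ALL scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg comment="BLOCK PORT SCAN - ALL/ALL scan"
add chain=input action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg comment="BLOCK PORT SCAN - NMAP NULL scan"
add chain=forward action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg comment="BLOCK PORT SCAN - NMAP NULL scan"
```

Two things to check after pasting: /ipv6 firewall address-list should start filling with /128 entries when a matching packet arrives (the IPv4 list is never consulted by these rules), and the do_not_blacklist list must hold your resolvers and upstream gateway addresses, because these detectors act on single unacknowledged packets and a spoofed source address will be listed just like a real one. Entries are per host address, so a scanner rotating addresses inside one /64 produces a new entry each time; there is no prefix-adding action in this rule set.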

You missed an important part, “psd”. This option exists in the IPv4 firewall, but is not implemented in the IPv6 firewall…

Thank you - I understand what you mean and this explains it. So it sounds like there is currently no way to do this in IPv6 until that feature is implemented.

Are there any plans to implement this feature for IPv6?

Along with this feature, it’d be useful to have an action that adds the prefix to an address list, e.g. the /64 prefix instead of the host address.

This is a terrible idea. Without a complete handshake you have no guarantee that the remote IP isn’t spoofed. So I can easily send you some packets with the IPs of Google, your DNS servers, ISP’s DHCP server, etc. and now your firewall has become a DoS vector.

You’re right, but I find it unlikely that an attacker will send all (assigned) IPv6 addresses anything…
How many days and how much bandwidth would it take?..
Also, port scans on IPv6… must already know the address…

In IPv4 everything is simpler now; there are a handful of addresses in comparison…

There are still methods for active IPv6 hosts to be discovered externally, see e.g. https://arxiv.org/abs/2210.02522.

I observe occasional scanning of IPv6 hosts (even those using temporary privacy addresses), which is why I think such a feature would be useful.

Yes, just use DNS, Tor, torrents… and obviously…