I have an IPv6 tunnel with a tunnel broker (Hurricane Electric) and the computer behind the MikroTik can browse with IPv6.
But now I have to create a filter for the firewall. The question is: what filtering must I configure by default? (I have no service behind the MikroTik.) If I search the forum I see a lot of different ones, and not one is the same.
If you are looking for basic firewall functionality in the IPv6 firewall then you need to protect the RouterBoard itself by setting input filters and protect devices beyond the router by setting filters in the forward chain.
In the forwarding chain you want to allow new connections from the LAN to the WAN and allow established and related connections from the WAN to the LAN - and drop everything else. Then add any additional accept rules to meet your specific needs.
That’s what I’m looking for.
I have configured the following filter.
/ipv6 firewall filter
add action=accept chain=input comment="Router - Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Router - Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Router - Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Router - From our LAN" disabled=no in-interface=ether2-local
add action=drop chain=input comment="Router - Drop everything else" disabled=no
add action=drop chain=forward comment="Lan - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Lan - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no protocol=icmpv6
add action=accept chain=forward comment="Lan - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Lan - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Lan - From our Lan" disabled=no in-interface=ether2-local src-address=2001:xxx:xxxx:xxxx::/64
add action=reject chain=forward comment="Lan - Drop everything else" connection-state=new disabled=no in-interface=sit1 reject-with=icmp-no-route
But when I test the connection with nmap from vikingscan.org I get the following result. As you can see nothing is blocked. So I am probably doing something wrong.
Output from process (stdout):
Starting Nmap 6.01 ( http://nmap.org ) at 2013-02-21 09:15 CET
Initiating System DNS resolution of 1 host. at 09:15
Completed System DNS resolution of 1 host. at 09:15, 0.00s elapsed
Initiating Connect Scan at 09:15
Scanning 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx [655 ports]
Discovered open port 135/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 607/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 293/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 317/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 534/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 261/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 184/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 97/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 6/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 620/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 253/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 581/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 105/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 483/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 43/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 203/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 409/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 283/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 541/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 218/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 32/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 178/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 633/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 50/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 361/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 358/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 182/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Discovered open port 153/tcp on 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Completed Connect Scan at 09:15, 6.20s elapsed (655 total ports)
Nmap scan report for 2001:xxx:xxxx:x:xxxx:xxxx:xxxx:xxxx
Host is up (0.0088s latency).
Not shown: 627 filtered ports
PORT STATE SERVICE
6/tcp open unknown
32/tcp open unknown
43/tcp open whois
50/tcp open re-mail-ck
97/tcp open swift-rvf
105/tcp open unknown
135/tcp open msrpc
153/tcp open unknown
178/tcp open unknown
182/tcp open audit
184/tcp open ocserver
203/tcp open unknown
218/tcp open unknown
253/tcp open unknown
261/tcp open nsiiops
283/tcp open unknown
293/tcp open unknown
317/tcp open unknown
358/tcp open shrinkwrap
361/tcp open semantix
409/tcp open unknown
483/tcp open unknown
534/tcp open unknown
541/tcp open uucp-rlogin
581/tcp open unknown
607/tcp open nqs
620/tcp open sco-websrvrmgr
633/tcp open servstat
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.26 seconds
So who can help me with a good filter for IPv6?
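To make the advice in the reply ("new from LAN out, established/related back in, drop the rest") and the posted forward chain concrete, here is a small Python evaluator I added for this thread. It is not MikroTik code and not the poster's; it parses the `add ...` lines exactly as written, walks the chain top to bottom and stops at the first match, which is how RouterOS evaluates a chain. Assumptions: the masked `2001:xxx:xxxx:xxxx::/64` is replaced by the documentation prefix `2001:db8:0:1::/64`, the connection state of each packet is supplied by hand instead of by a real connection tracker, and a chain with no matching rule accepts (RouterOS default). The sample packets are constructed.

```python
"""Toy first-match evaluator for RouterOS-style IPv6 filter rules.

Added illustration for this thread; not MikroTik code and not the poster's.
Connection state is supplied per packet as a constructed value instead of
being tracked by a real conntrack table.
"""
import ipaddress
import shlex

# Constructed stand-in for the poster's masked 2001:xxx:xxxx:xxxx::/64 prefix.
LAN_PREFIX = "2001:db8:0:1::/64"

# Forward chain as posted in the thread (only the prefix substituted).
POSTED_RULES = f"""
add action=drop chain=forward comment="Lan - Drop invalid Connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Lan - Accept UDP" disabled=no protocol=udp
add action=accept chain=forward comment="LAN - Accept ICMPv6 " disabled=no protocol=icmpv6
add action=accept chain=forward comment="Lan - Accept established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Lan - Accept related connections" connection-state=related disabled=no
add action=accept chain=forward comment="Lan - From our Lan" disabled=no in-interface=ether2-local src-address={LAN_PREFIX}
add action=reject chain=forward comment="Lan - Drop everything else" connection-state=new disabled=no in-interface=sit1 reject-with=icmp-no-route
"""

# Constructed baseline following the reply's advice. ICMPv6 is accepted
# because IPv6 path MTU discovery does not work without it.
BASELINE_RULES = """
add action=accept chain=forward comment="established/related" connection-state=established,related
add action=accept chain=forward comment="ICMPv6 (PMTUD etc.)" protocol=icmpv6
add action=drop chain=forward comment="invalid" connection-state=invalid
add action=accept chain=forward comment="new from LAN" connection-state=new in-interface=ether2-local
add action=drop chain=forward comment="everything else"
"""

# Keys that are not packet matchers.
IGNORED = {"action", "chain", "comment", "disabled", "reject-with"}

# One predicate per supported matcher: (value in rule, packet) -> bool
MATCHERS = {
    "protocol": lambda want, pkt: pkt["protocol"] == want,
    "connection-state": lambda want, pkt: pkt["state"] in want.split(","),
    "in-interface": lambda want, pkt: pkt["in_iface"] == want,
    "src-address": lambda want, pkt: ipaddress.ip_address(pkt["src"])
    in ipaddress.ip_network(want, strict=False),
}


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, skipping disabled rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # handles comment="with spaces"
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        if rule.get("disabled") == "yes":
            continue
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """First-match walk of the packet's chain; returns (action, rule index)."""
    for idx, rule in enumerate(rules):
        if rule["chain"] != pkt["chain"]:
            continue
        if all(MATCHERS[k](v, pkt) for k, v in rule.items() if k not in IGNORED):
            return rule["action"], idx
    return "accept", None  # RouterOS: no match in a chain means accept


# Constructed traffic samples; sit1 is the tunnel, ether2-local the LAN.
PACKETS = {
    "inbound new UDP from WAN": dict(chain="forward", protocol="udp", state="new",
                                     in_iface="sit1", src="2001:db8:ffff::1"),
    "inbound new TCP from WAN": dict(chain="forward", protocol="tcp", state="new",
                                     in_iface="sit1", src="2001:db8:ffff::1"),
    "outbound new TCP from LAN": dict(chain="forward", protocol="tcp", state="new",
                                      in_iface="ether2-local", src="2001:db8:0:1::10"),
    "return traffic to LAN": dict(chain="forward", protocol="tcp", state="established",
                                  in_iface="sit1", src="2001:db8:ffff::1"),
}


def compare():
    """Evaluate every sample packet against both rule sets."""
    posted, baseline = parse_rules(POSTED_RULES), parse_rules(BASELINE_RULES)
    return {name: {"posted": evaluate(posted, p), "baseline": evaluate(baseline, p)}
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:28} posted={result['posted']}  baseline={result['baseline']}")
```

Running it shows that the posted chain accepts any inbound new UDP at rule 1 ("Accept UDP") before the `sit1` reject rule is ever reached, so it does not implement the "new only from the LAN" policy from the reply, whereas the baseline drops that packet at its final rule. The scan above is a TCP connect scan, and for new TCP from `sit1` both rule sets refuse the packet (the posted one via the reject at index 6), so the evaluator does not by itself explain the 28 open ports; it only makes visible which rule each packet hits, which is the check to run before trusting a scan result.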