IPv6 firewalling

Hi All,

I am currently tunneling IPv6 traffic from my office back to my house. I have configured this basic firewall on my router:
/ipv6 firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward disabled=yes

Is there any way which I could improve on this, or add rules on my Win10 machine to prevent network intrusion?

Thanks in advance,
CH.

You may want to look at explicitly allowing some ICMPv6 codes like “TOO BIG” in FORWARD just in case established/related doesn’t pick it up to prevent fragmentation issues.

I’m unsure why any/all UDP is allowed in.

As idlemind mentioned, ICMPv6 could be a bit more discrete. https://tools.ietf.org/html/rfc4890 has details.
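A small audit of the posted rule set against the points raised in the replies, added here as an example and not part of the original thread. The finding names are made up for this sketch, and rule order is not checked.

```python
import shlex

# Rule set as posted in the thread (comment quotes normalised to ASCII).
POSTED = '''\
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
add action=accept chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward disabled=yes
'''

# Matchers that narrow a rule; a UDP accept carrying none of them admits all UDP.
NARROWING = {"dst-port", "src-port", "src-address", "src-address-list",
             "in-interface", "in-interface-list", "connection-state"}

def parse(export):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # keeps quoted comments in one token
        if tokens[:1] == ["add"]:
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def audit(rules):
    """Return (chain, finding) pairs; finding names are this sketch's own."""
    findings = []
    active = [r for r in rules if r.get("disabled") != "yes"]  # disabled rules never match
    for r in active:
        if (r.get("action") == "accept" and r.get("protocol") == "udp"
                and not NARROWING & r.keys()):
            findings.append((r["chain"], "unrestricted-udp-accept"))
    for chain in ("input", "forward"):
        in_chain = [r for r in active if r.get("chain") == chain]
        # A drop with no matchers at all is the chain's catch-all.
        if not any(r.get("action") == "drop" and set(r) <= {"action", "chain", "comment"}
                   for r in in_chain):
            findings.append((chain, "no-active-drop-all"))
        # Matters once the drop is enabled: Packet Too Big etc. must still pass.
        if not any(r.get("action") == "accept" and r.get("protocol") == "icmpv6"
                   for r in in_chain):
            findings.append((chain, "no-explicit-icmpv6-accept"))
    return findings

if __name__ == "__main__":
    for chain, finding in audit(parse(POSTED)):
        print(f"{chain}: {finding}")
```
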