I've tried to merge my IPv4 firewall settings with the IPv6 default settings and I seem to be coming across packets that potentially shouldn't be dropped?
I tweaked the final "drop everything !LAN" at the end of the input chain and substituted it with a drop for all remaining traffic after manually allowing TCP/UDP 53 and UDP ff00::/8 (as I noticed multicast packets were getting blocked). I did this originally with IPv4 to restrict VLANs other than my trusted LAN from accessing any administrative areas of the router etc.
Specifically I changed:
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
to:
add action=accept chain=input comment="Allow LAN multicast (UDP)" dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain" log=yes
I seem to be getting the following kinds of packets dropped (out unknown?!):
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK), [2a04:4e42:65::760]:443->WGIPv6INTERFACEADDRESS:38450, len 1380 (Facebook)
input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH), [2a00:1450:400e:800::200a]:443->WGIPv6INTERFACEADDRESS:48694, len 105 (Google)
I'm a little confused as to what these are, but is there a way that I could or should adjust the firewall rules to allow these through if necessary? If the "IN" interface is WG1, it's also not part of my "LAN" interface list, so I imagine it would have had the same result with the default rule.
Firewall Rules
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="Allow full access to the LAN input chain from trusted LANs" in-interface-list=LAN_TRUSTED
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="Allow LAN multicast (UDP)" dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain" log=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="VPN Safety Net" in-interface-list=WG_VPN_Provider_Clients out-interface-list=WAN
add action=accept chain=forward comment="Allow trusted LAN to forward to all interface lists" in-interface-list=LAN_TRUSTED out-interface-list=all
add action=accept chain=forward comment="Allow untrusted LAN to forward only to WAN" in-interface-list=LAN_UNTRUSTED out-interface-list=WAN
add action=accept chain=forward comment="Allow specific clients through the WG provider tunnels" in-interface-list=WG_VPN_Provider_Clients \
out-interface-list=WG_WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="Drop remaining traffic on the forward chain"
/ipv6 firewall nat
add action=masquerade chain=srcnat out-interface-list=WG_WAN
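As an added example (my own Python, not RouterOS/MikroTik code and not from the post above), here is a small replay of the posted input chain against the two logged packets. It parses the rules exactly as exported, models only the matchers those rules use (a matcher it does not model, such as ipsec-policy, is treated as never matching), and assumes interface-list membership that the post does not give: wg1 is in neither LAN nor LAN_TRUSTED, and two bridge interfaces stand in for the LANs. The placeholder WGIPv6INTERFACEADDRESS is replaced by a documentation-prefix address, and a third, constructed log line (a LAN DNS query) is included for contrast. `replay(honour_disabled=False)` re-enables the disabled defconf "!LAN" drop to answer the question of whether the default rule would have caught the same packets.

```python
"""Replay RouterOS IPv6 firewall log lines against the posted input chain.
Added example, not RouterOS/MikroTik code: only the matchers the posted rules
use are modelled, and the interface-list membership below is an assumption."""
import ipaddress
import re
import shlex

# Assumed interface-list membership (the post only says wg1 is not in LAN).
INTERFACE_LISTS = {"LAN": {"bridge-trusted", "bridge-guest"}, "LAN_TRUSTED": {"bridge-trusted"}}

# The input chain exactly as posted.
INPUT_CHAIN_TEXT = r'''
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="Allow full access to the LAN input chain from trusted LANs" in-interface-list=LAN_TRUSTED
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="Allow LAN multicast (UDP)" dst-address=ff00::/8 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (UDP)" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop remaining traffic on the input chain" log=yes
'''

def parse_rule(line):
    """'add k=v comment="a b"' -> dict; shlex keeps the quoted comment whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])

INPUT_RULES = [parse_rule(l) for l in INPUT_CHAIN_TEXT.splitlines() if l.startswith("add ")]

# Constructed sample log: the post's two dropped packets (placeholder address
# replaced by a documentation-prefix one) plus one LAN DNS query for contrast.
SAMPLE_LOG = [
    "input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK), [2a04:4e42:65::760]:443->[2001:db8::1]:38450, len 1380",
    "input: in:wg1 out:(unknown 0), connection-state:new proto TCP (ACK,PSH), [2a00:1450:400e:800::200a]:443->[2001:db8::1]:48694, len 105",
    "input: in:bridge-guest out:(unknown 0), connection-state:new proto TCP (SYN), [2001:db8:1::50]:51000->[2001:db8:1::1]:53, len 80",
]

LOG_RE = re.compile(
    r"in:(?P<iface>\S+) out:(?:\([^)]*\)|\S+), connection-state:(?P<state>\w+) "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+)->\[(?P<dst>[^\]]+)\]:(?P<dport>\d+)")

def parse_log_line(line):
    d = LOG_RE.search(line).groupdict()
    return {"iface": d["iface"], "state": d["state"], "proto": d["proto"].lower(),
            "flags": set(filter(None, (d["flags"] or "").split(","))),
            "src": d["src"], "dst": d["dst"], "sport": int(d["sport"]), "dport": int(d["dport"])}

def port_match(spec, port):
    """RouterOS port syntax: '53', '500,4500', '33434-33534'."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

MATCHERS = {
    "connection-state": lambda v, p: p["state"] in v.split(","),
    "protocol": lambda v, p: p["proto"] == v,
    "in-interface-list": lambda v, p: (p["iface"] in INTERFACE_LISTS.get(v.lstrip("!"), set())) != v.startswith("!"),
    "dst-port": lambda v, p: port_match(v, p["dport"]),
    "port": lambda v, p: port_match(v, p["sport"]) or port_match(v, p["dport"]),
    "src-address": lambda v, p: in_net(p["src"], v),
    "dst-address": lambda v, p: in_net(p["dst"], v),
}
META = {"action", "chain", "comment", "log", "disabled"}  # not matchers

def rule_matches(rule, pkt):
    """All matchers must hit ('!LIST' negates); one not modelled here (e.g. ipsec-policy) never hits."""
    return all(MATCHERS.get(k, lambda v, p: False)(v, pkt) for k, v in rule.items() if k not in META)

def first_match(rules, pkt, honour_disabled=True):
    """First rule that matches; honour_disabled=False replays disabled rules too."""
    for rule in rules:
        if honour_disabled and rule.get("disabled") == "yes":
            continue
        if rule_matches(rule, pkt):
            return rule
    return None

def stale_ack(pkt):
    """TCP seen as *new* yet carrying ACK without SYN: the tracker has no entry for the flow."""
    return (pkt["state"] == "new" and pkt["proto"] == "tcp"
            and "ACK" in pkt["flags"] and "SYN" not in pkt["flags"])

def replay(log_lines=SAMPLE_LOG, rules=INPUT_RULES, honour_disabled=True):
    """(in-interface, action, comment of the matching rule, stale ACK?) per line."""
    out = []
    for pkt in map(parse_log_line, log_lines):
        rule = first_match(rules, pkt, honour_disabled) or {"action": "no match", "comment": ""}
        out.append((pkt["iface"], rule["action"], rule["comment"], stale_ack(pkt)))
    return out

if __name__ == "__main__":
    for iface, action, comment, stale in replay():
        print(f"{iface:12} {action:8} by '{comment}'  stale ACK: {stale}")
```

Both wg1 packets fall through every accept and land on the final logged drop, and with the defconf rule re-enabled they land on "drop everything else not coming from LAN" instead, so the outcome is the same either way. What the replay also makes visible is why they are there at all: connection-state:new combined with ACK (and no SYN) means the connection tracker has no entry for the flow, which is the signature of a late or leftover segment rather than of a connection attempt against the router. A stateful input chain is meant to drop exactly those, so the log lines are noise from dropped stale traffic, not evidence of a rule that needs loosening; "out:(unknown 0)" is simply what the input chain reports, since a packet addressed to the router itself has no outgoing interface.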