New default-IPv6 firewall from v6.40rc15
/system default-configuration print:
/ipv6 firewall {
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
raw add chain=prerouting action=accept disabled=yes comment="defconf: enable for transparent firewall"
raw add chain=prerouting action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
raw add chain=prerouting action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
raw add chain=prerouting action=jump jump-target=icmp6 protocol=icmpv6 comment="defconf: jump to ICMPv6 chain"
raw add chain=prerouting action=drop src-address=ff00::/8 comment="defconf: drop if src is multicast"
raw add chain=prerouting action=accept dst-address=ff02::/16 comment="defconf: accept local multicast scope"
raw add chain=prerouting action=drop dst-address=ff00::/8 comment="defconf: drop other multicast destinations"
raw add chain=prerouting action=accept in-interface-list=WAN comment="defconf: accept everything else from WAN"
raw add chain=prerouting action=accept in-interface-list=LAN comment="defconf: accept everything else from LAN"
raw add chain=prerouting action=drop comment="defconf: drop the rest"
"defconf: rfc4890 drop ll if hop-limit!=255" with 'action=accept'? If I understand RFC 4890 correctly, it should be 'action=drop' here.
Perhaps a native English speaker understands this better:
RFC 4890, ICMPv6 Filtering Recommendations (Davies & Mohacsi, Informational, May 2007), page 12:

4.2. Interaction of Link-Local Messages with Firewall/Routers and Firewall/Bridges

Firewalls can be implemented both as IP routers (firewall/routers) and as link layer bridges (e.g., Ethernet bridges) that are transparent to the IP layer although they will actually be inspecting the IP packets as they pass through (firewall/bridges).

Many of the messages used for establishment and maintenance of communications on the local link will be sent with link-local addresses for at least one of their source and destination. Routers conforming to the IPv6 standards will not forward these packets; there is no need to configure additional rules to prevent these packets traversing a firewall/router, although administrators may wish to configure rules that would drop these packets for insurance and as a means of monitoring for attacks. Also, the specifications of ICMPv6 messages intended for use only on the local link specify various measures that would allow receivers to detect if the message had passed through a router, including:

o Requiring that the hop limit in the IPv6 header is set to 255 on transmission. Receivers verify that the hop limit is still 255, to ensure that the packet has not passed through a router.

o Checking that the source address is a link-local unicast address.
raw add chain=icmp6 action=accept protocol=icmpv6 hop-limit=not-equal:255 dst-address=fe80::/10 comment="defconf: rfc4890 drop ll if hop-limit!=255"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=1:0-255 comment="defconf: dst unreachable"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=2:0-255 comment="defconf: packet too big"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=3:0-1 comment="defconf: limit exceeded"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=4:0-2 comment="defconf: bad header"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=144:0-255 comment="defconf: Mobile home agent address discovery"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=145:0-255 comment="defconf: Mobile home agent address discovery"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=146:0-255 comment="defconf: Mobile prefix solic"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=147:0-255 comment="defconf: Mobile prefix advert"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=128:0-255 limit=5,10:packet comment="defconf: echo request limit 5,10"
raw add chain=icmp6 action=accept protocol=icmpv6 icmp-options=129:0-255 limit=5,10:packet comment="defconf: echo reply limit 5,10"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=133:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 router solic limit 5,10 only LAN"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=134:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 router advert limit 5,10 only LAN"
I'm uncertain whether this is necessary. I accept Router Advertisements from my ISP here:
raw add chain=icmp6 action=accept in-interface=pppoe-out1 protocol=icmpv6 icmp-options=134:0-255 limit=5,10:packet hop-limit=equal:255 dst-address=ff02::/16 src-address=fe80::/16 comment="ISP Gateway: Router advert limit 5,10"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=135:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 neighbor solic limit 5,10 only LAN"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=136:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 neighbor advert limit 5,10 only LAN"
Shouldn't the drop rule be the last one in the raw icmp6 chain?
raw add chain=icmp6 action=drop protocol=icmpv6 comment="defconf: drop other icmp"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=141:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=142:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 inverse ND advert limit 5,10 only LAN"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6 after RAW"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6 after RAW"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
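The two points raised above (the "drop ll if hop-limit!=255" rule that actually has action=accept, and the inverse-ND rules placed after the chain's "drop other icmp" rule) can both be caught mechanically. The following is an added lint script, not MikroTik's code: it parses the raw/filter lines of an /ipv6 firewall listing, flags rules whose comment names the opposite of their action, and flags rules that sit behind a catch-all terminal rule in their chain. Inside chain icmp6, protocol=icmpv6 is already guaranteed by the jump rule, so a rule whose only matcher is protocol=icmpv6 is treated as the chain's catch-all. The sample input is four rules copied from the listing above.

```python
# Lint a RouterOS /ipv6 firewall export for the two problems raised in this thread: a comment
# saying "drop" on an action=accept rule, and rules placed behind a chain's catch-all rule.
import re
import shlex
from collections import defaultdict
NON_MATCHERS = {"chain", "action", "comment", "disabled", "jump-target", "log", "log-prefix"}

def parse_rules(text):
    """Return [(table, props)] for every enabled 'raw add' / 'filter add' line."""
    rules = []
    for parts in map(shlex.split, text.splitlines()):
        if len(parts) > 2 and parts[1] == "add" and parts[0] in ("raw", "filter"):
            props = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
            if props.get("disabled") != "yes":
                rules.append((parts[0], props))
    return rules

def matchers(props):
    """Only the keys that restrict which packets the rule hits."""
    return {(k, v) for k, v in props.items() if k not in NON_MATCHERS}

def comment_mismatches(rules):
    """Indexes of rules whose comment names the opposite of their action."""
    return [i for i, (_, r) in enumerate(rules)
            if r.get("action") in ("accept", "drop")
            and ({"accept", "drop"} - {r["action"]}) & set(re.findall(r"[a-z]+", r.get("comment", "").lower()))]

def unreachable_rules(rules):
    """Indexes of rules behind a terminal catch-all in their chain. A rule is a catch-all when
    all its matchers are already implied by the jump into the chain (in icmp6: protocol=icmpv6)."""
    implied = defaultdict(set)  # (table, chain) -> matchers every packet entering it satisfies
    for table, r in rules:
        if r.get("action") == "jump":
            implied[(table, r["jump-target"])] |= matchers(r)
    sealed, bad = set(), []
    for i, (table, r) in enumerate(rules):
        key = (table, r["chain"])
        if key in sealed:
            bad.append(i)
        elif r.get("action") in ("accept", "drop", "reject") and matchers(r) <= implied[key]:
            sealed.add(key)
    return bad

# Constructed sample: four rules copied from the defconf listing quoted above.
SAMPLE = """
raw add chain=prerouting action=jump jump-target=icmp6 protocol=icmpv6 comment="defconf: jump to ICMPv6 chain"
raw add chain=icmp6 action=accept protocol=icmpv6 hop-limit=not-equal:255 dst-address=fe80::/10 comment="defconf: rfc4890 drop ll if hop-limit!=255"
raw add chain=icmp6 action=drop protocol=icmpv6 comment="defconf: drop other icmp"
raw add chain=icmp6 action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=141:0-255 limit=5,10:packet hop-limit=equal:255 comment="defconf: rfc4890 inverse ND solic limit 5,10 only LAN"
"""
```

Run it against a full `/ipv6 firewall export` pasted into SAMPLE; on the sample it reports index 1 (comment/action mismatch) and index 3 (unreachable behind "drop other icmp").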