Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Firewall rules for ICMPv6

Wed Jan 12, 2022 3:12 am

Trying to build rules on top of the Building Advanced Firewall guide.

My IPv6 (6.49.2) config uses DHCP-PD to set the router's IP and get a delegated prefix for SLAAC clients (settings forward=yes accept-router-advertisements=no accept-redirects=no, dhcp-client add-default-route=yes).

It looks like there is a typo in the guide in one of the ICMPv6 rules:
/ipv6 firewall raw add action=accept chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6
The comment says "drop" but the action is "accept". As a result, it will drop ICMPv6 with hop-limit=255 at the end of the icmp6 chain.

Dropping the ::/128 doesn't seem right either:
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
/ipv6 firewall raw add action=drop chain=prerouting comment="defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
Because during SLAAC a host can send from ::/128 to a solicited-node multicast address (ff02:0:0:0:0:1:ff00::/104, RFC 4291). At the very least this use case must be whitelisted:
/ipv6 firewall raw add action=accept chain=prerouting src-address=::/128 dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6

---

My current ICMPv6-related firewall looks like this:
/ipv6 firewall address-list
add address=fe80::/10 list=link_local

/ipv6 firewall raw
# ...
# Drop bogon IPs
# ...

# In SOHO we only want MLD from local devices (such as IoT, including Apple Homekit)
add chain=prerouting comment="Jump to ICMPv6 chain" \
    action=jump jump-target=icmpv6 protocol=icmpv6
add chain=icmpv6 comment="Drop MLD Query from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=130:0-255
add chain=icmpv6 comment="Drop MLDv1 Report from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=131:0-255
add chain=icmpv6 comment="Drop MLDv1 Done from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=132:0-255
add chain=icmpv6 comment="Drop MLDv2 Report from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=143:0-255

# There is no reason to let internet query local nodes for information
add chain=icmpv6 comment="Drop Node Information Query from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=139:0-255

# Extended Echo Request may allow internet to reach link-local interfaces of otherwise protected devices
add chain=icmpv6 comment="Drop Extended Echo Request from WAN" \
    action=drop in-interface-list=WAN protocol=icmpv6 icmp-options=160:0-255
add chain=icmpv6 comment="Back to prerouting" \
    action=return

/ipv6 firewall filter
# chain=forward:
# ...
# - Accept Established, Related, Untracked
# - Drop Invalid
# - Drop bogon IPs
# ...

# Most of the ICMPv6 should never reach the forward chain in the New connection state (Established, Related, Untracked are accepted and Invalid is dropped above)
add chain=forward comment="Jump to ICMPv6 chain" \
    action=jump jump-target=icmpv6-forward protocol=icmpv6
add chain=icmpv6-forward comment="Accept Echo Request from LAN" \
    action=accept in-interface-list=LAN protocol=icmpv6 icmp-options=128:0-255
add chain=icmpv6-forward comment="Accept Echo Request from All to Pingable" \
    action=accept out-interface-list=LAN-PINGABLE protocol=icmpv6 icmp-options=128:0-255
add chain=icmpv6-forward comment="Reject All ICMPv6 from LAN" \
    action=reject in-interface-list=LAN reject-with=icmp-admin-prohibited
add chain=icmpv6-forward comment="Drop All ICMPv6 from WAN" \
    action=drop in-interface-list=WAN
add chain=icmpv6-forward comment="Back to forward" \
    action=return

# chain=input
# RouterOS is trusted to properly handle ICMPv6 requests thrown at it with respect to its configuration (/ipv6 settings and /ipv6 nd) as well as required authentication (IPsec)
add action=accept chain=input comment="Accept ICMPv6" protocol=icmpv6
Last edited by Kentzo on Wed Jan 19, 2022 7:59 pm, edited 6 times in total.
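To make the two problems raised in this post concrete, here is an added Python model (not the guide's and not the forum author's code) that runs a few constructed ICMPv6 packets through simplified versions of the quoted raw chains: the defconf prerouting drop of ::/128 with and without the DAD whitelist, and the guide's icmp6 chain with the accept/drop typo beside a corrected version. The NS/NA accept rules in the corrected chain are my assumption about what follows the hop-limit check, not rules quoted on the page.

```python
import ipaddress

def match(rule, pkt):
    """A rule matches when every matcher it carries fits the packet (RouterOS ANDs matchers)."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "type" in rule and pkt["type"] != rule["type"]:
        return False
    if "hop_limit_ne" in rule and pkt["hop_limit"] == rule["hop_limit_ne"]:
        return False
    return True

def evaluate(chain, pkt, default="accept"):
    """First matching rule decides; falling off the end returns to the caller, modelled as accept."""
    for rule in chain:
        if match(rule, pkt):
            return rule["action"]
    return default

# Prerouting as quoted from the guide: ::/128 is dropped before anything else is considered.
DEFCONF_PREROUTING = [{"src": "::/128", "action": "drop"}]
# Prerouting with the whitelist from the post placed ahead of the bad-source drop.
FIXED_PREROUTING = [
    {"src": "::/128", "dst": "ff02:0:0:0:0:1:ff00::/104", "type": 135, "action": "accept"},
    {"src": "::/128", "action": "drop"},
]
# The guide's icmp6 chain with the typo: the hop-limit rule accepts, and the chain ends in a drop.
TYPO_ICMP6 = [{"dst": "fe80::/10", "hop_limit_ne": 255, "action": "accept"}, {"action": "drop"}]
# Corrected chain: drop link-local traffic that did not keep hop-limit 255, then accept NS/NA
# (the NS/NA accepts are an assumed sketch of the rest of the chain, not rules quoted on the page).
CORRECT_ICMP6 = [
    {"dst": "fe80::/10", "hop_limit_ne": 255, "action": "drop"},
    {"type": 135, "action": "accept"},
    {"type": 136, "action": "accept"},
    {"action": "drop"},
]

# Constructed packets: a DAD neighbor solicitation sent during SLAAC, a normal link-local NS,
# and an NS whose hop-limit shows it has crossed a router (hosts must ignore it per RFC 4861).
DAD_NS = {"src": "::", "dst": "ff02::1:ff00:1", "type": 135, "hop_limit": 255}
LL_NS = {"src": "fe80::1", "dst": "fe80::2", "type": 135, "hop_limit": 255}
FORWARDED_NS = {"src": "2001:db8::1", "dst": "fe80::2", "type": 135, "hop_limit": 64}

if __name__ == "__main__":
    for name, chain in [("defconf", DEFCONF_PREROUTING), ("fixed", FIXED_PREROUTING)]:
        print(f"prerouting {name}: DAD NS -> {evaluate(chain, DAD_NS)}")
    for name, chain in [("typo", TYPO_ICMP6), ("corrected", CORRECT_ICMP6)]:
        print(f"icmp6 {name}: link-local NS -> {evaluate(chain, LL_NS)}, forwarded NS -> {evaluate(chain, FORWARDED_NS)}")
```

The defconf ordering drops the DAD solicitation, so a SLAAC host never finishes address configuration; the typo'd icmp6 chain inverts the RFC 4890 check, dropping legitimate hop-limit 255 link-local traffic while accepting the forwarded one.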
Kentzo

Re: Firewall rules for ICMPv6

Wed Jan 12, 2022 5:03 am

The guide's suggestion to allow IPv6 Mobility related ICMPv6 messages seems outside of practical reality; as far as I know the technology was dead on arrival. I think the following rules should be disabled (and thus dropped by the last rule):
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=144:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile home agent address discovery" icmp-options=145:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" icmp-options=147:0-255 protocol=icmpv6
Kentzo

Re: Firewall rules for ICMPv6  [SOLVED]

Tue Jan 18, 2022 11:55 pm

After I did a bit more reading on ICMPv6, I came to agree with the general opinion that there is little harm in white-listing ICMPv6 broadly for both input and forward chains: most of the messages act within a local scope and are designed to never cross over a router (reflected in the packet's hop-limit). Some of these messages will be dropped by the router (hop-limit reaches 0) and some should be dropped by hosts (hop-limit is not 255). Maybe the only ICMPv6 messages that should be considered in the router's firewall are MLD, echo and node information queries.

I have updated #1 to reflect this information.
Kentzo

Re: Firewall rules for ICMPv6

Fri Jan 21, 2022 10:43 pm

Just got a message from MikroTik's help that my complaint regarding ::/128 -> ff02:0:0:0:0:1:ff00::/104 is fixed.
