freebsd ipv6 labs

A Barebones pf IPv6 Firewall Ruleset

“My ISP is deploying IPv6, and I want to use it, but I don’t know what my firewall rulesets should look like.”

In this blog post, we discuss a basic set of IPv6 rules which will allow the firewall to route IPv6 traffic from internal machines while protecting those same machines from hostile probes. Although this blog post focuses on the *BSD pf (packet filter) firewall, the points can be generalized to other firewall rulesets (e.g. Linux’s iptables).

These rulesets are used by a firewall on the Comcast network, which has native IPv6 (i.e. not tunneling; these rules have not been tested on an IPv6 tunnel).

Here’s a barebones pf.conf (packet filter) ruleset for IPv6 (note: these rules are in addition to the IPv4 rules):

ext_comcast_if="em3"

icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
#   Router Solicitation (RS), Router Advertisement (RA)
#   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
#   Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
tcp46_services="{ 22 }" # ssh; we allow this in for ALL machines for TCP[46]
tcp46_services_ext_if="{ 53 }" # DNS zone transfer
udp6_services_ext_if="{ 53, 123, 1194, 546}" # 546 == dhcpv6-client

# IPv6
pass in quick on $ext_comcast_if inet6 proto ipv6-icmp icmp6-type
$icmp6_types keep state
pass in quick on $ext_comcast_if inet6 proto ipv6-icmp from any to
{ ($ext_comcast_if ), ff02::1/16 } icmp6-type $icmp6_types_ext_if keep state
pass in quick on $ext_comcast_if inet6 proto tcp from any to any port
$tcp46_services flags S/SA keep state
pass in quick on $ext_comcast_if inet6 proto tcp from any to
( $ext_comcast_if ) port $tcp46_services_ext_if flags S/SA
keep state
pass in quick on $ext_comcast_if inet6 proto udp from any to
( $ext_comcast_if ) port $udp6_services_ext_if keep state

If you want to see the complete pf.conf, including IPv4 rules, check github.

Notes

  • The firewall NATs outbound IPv4 traffic (e.g. it converts the RFC 1918 address of my mac mini (10.9.9.70) to my single “real” Comcast-assigned (via DHCP) address (24.23.190.188).
  • The firewall routes outbound IPv6 traffic (e.g. it does not convert the IPv6 address of my printer (2601:9:7980:1C2:121F:74FF:FE47:DAEE)). Each IPv6-capable machine on my network has a unique, routable IPv6 address.
  • The IPv6 firewall ruleset can not depend on the security that NAT offers to my IPv4 machines. Every one of my IPv6-capable machines (Mac Mini, MacBook Air, Windows 8, HP1536 printer) has a routable (public) IPv6 address. In other words, you cannot reach my printer’s IPv4 address (10.9.9.50) from the Internet, but you can reach its IPv6 address (2601:9:7980:1C2:121F:74FF:FE47:DAEE).
  • As a side note, none of the devices (except the firewall itself) needed special configuration in order to acquire an IPv6 address and to operate in an IPv6 environment.
  • The default rule is to deny inbound traffic. Inbound protocols/ports must be specifically enabled
  • The firewall does not filter outbound traffic, only inbound (i.e. the firewall will not drop any packet originating from a machine on the inside network, e.g. my mac mini).

Why These Rules?

Let’s discuss which services have been allowed through the firewall, the reasons for allowing them, and whether they’re reasonable to disable. We’ll break the services down by protocol (i.e. ICMP, TCP, and UDP), and whether a particular service has been enabled solely for the firewall or for the entire IPv6 home network.

Inbound ICMP6 Services for All Machines, including Firewall

  • 2, 128 (Packet Too Big, Echo Request, ping6). You shouldn’t disable packet-too-big, but you can safely disable echo-request (ping6). Ping is wonderfully convenient when troubleshooting, and the security implications are minimal

Inbound ICMP6 for the Firewall

  • 133, 134, 135, 136, 137 (router solicit, router advertisement, neighbor solicit, neighbor advertisement, route redirection). These should not be disabled. This is a good basic set of rules that allow the firewall to communicate with other IPv6 machines on its outside interface’s local subnet.
  • Note that I’ve allowed both unicast traffic and multicast (ff02::1/16, i.e. “All nodes on the local network segment”) to my external interface. ICMP6 Neighbor Solicitation sends packets to the local network segment multicast address. If you don’t accept those multicast packets, your neighbors (including your upstream router) won’t be able to discover you, and your external interface’s IPv6 address will be unreachable from other machines.

Inbound TCP Services for All Machines, including Firewall

  • port 22 (ssh). Safe to disable. I like to ssh in to my machines. All my machines. Security implications: I need to make sure that every account that can ssh-in has a hard-to-guess password.

Inbound TCP Services for the Firewall

  • Port 53 (DNS zone transfer). Unless your firewall is hosting a DNS zone (unlikely), then you can safely turn this off. Although the firewall allows this traffic, the nameserver has ACLs that only allow zone transfers from 2 IP addresses (my two external nameservers). Don’t depend on pf to be your only layer of security; restrict access when you can.

Inbound UDP Services for the Firewall

  • Port 53 (DNS). Unless your firewall is hosting a DNS zone (unlikely), then you can safely turn this off. I have used ACLs to further restrict access to my firewall’s nameserver daemon (not via packet filtering, but via named.conf): it only answers queries for domains for which it is authoritative; it won’t honor recursive queries originating from the Internet.
  • 123 (NTP). Unless your firewall is part of the NTP Pool Project, you can safely turn this off. Note that if you decide to join the NTP Pool, you should lock down your ntp configuration. If you’re not sure how to do it, this is a good place to start. Pay special attention to the restrict directives.
  • 1194 (OpenVPN). Unless you’re running an OpenVPN server, it’s safe to turn this off.
  • 546 (DHCPv6 client). Not safe to turn off if you’re using DHCPv6 to acquire an IP address from your ISP.

Bibliography

  • There are richer rulesets (using queues, custom timeouts, maximums). Benzedrine.cx’s pf.conf is an excellent example.
  • Chris Hills has a Linux iptables variant.
  • Earl Carter has an in-depth blog post that discusses IPv6 ICMP types, well worth reading.