timswiki - User contributions [en-gb]

Raspberry Pi IPv6 firewall tester installation

2012-12-31T15:59:17Z

2001:470:1F08:185C:0:0:0:2:

=== Suggested Reading ===

Before you begin please read the excellent [https://wiki.archlinux.org/index.php/Beginners%27_Guide Arch Linux Beginners' Guide].

=== Arch Linux Download and CF card creation ===

Fetch the Arch Linux download from [http://www.raspberrypi.org/downloads RaspberryPi Downloads]

If using [http://www.softpedia.com/get/CD-DVD-Tools/Data-CD-DVD-Burning/Win32-Disk-Imager.shtml win32 disk imager] then please be aware that the image file needs to be extracted onto a local physical drive (e.g. C: ) rather than a network/remote drive.

=== Login, Change the root password and Create a plain user ===

Having logged in as root, then make sure you change the default password:

# passwd

Then add a user, using a non-obvious username, e.g. '''PlnUsr456''' : (follow the prompts)

# adduser

=== Update your System and Install the Required Packages ===

Then update your system:

# pacman -Syu

Which is likely to update pacman itself – just follow the prompts and once this is complete then re-attempt the complete upgrade:

# pacman -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
alarm is up to date
aur is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...

Proceed with installation? [Y/n]
:: Retrieving packages from core...

=== Simplistic IPv6 Firewall ===

As a general starting point please read the [https://wiki.archlinux.org/index.php/Iptables ArchLinux IPtables documentation].

You will need to install the iptables modules and scripts using the following command:

# pacman -S iptables

The following IPv6 firewall is a very simplistic example, where SLAAC IPv6 address allocation is in place. '''You will want to add additional source address and/or packet arrival rate checking on an internet-facing Raspberry Pi.'''

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMP6FLTR - [0:0]
:LOGIDROP - [0:0]
-A LOGIDROP -m limit --limit 20/m --limit-burst 10 -j LOG --log-prefix "IPV6_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOGIDROP -j DROP
#
# ICMPv6 filter chain
#
# Allow ping of this host to aid debug - comment out if not required
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type echo-reply -j ACCEPT
-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type destination-unreachable -j ACCEPT
-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type packet-too-big -j ACCEPT
-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-header-type -j ACCEPT
-A ICMP6FLTR -m state -p ipv6-icmp --state ESTABLISHED,RELATED --icmpv6-type unknown-option -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type ttl-zero-during-reassembly -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type bad-header -j ACCEPT
#
# Allow router advertisements to support SLAAC address allocation
# ensure hop-limit (hl) is 255
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-advertisement --source fe80::/10 --match hl --hl-eq 255 -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type router-solicitation --match hl --hl-eq 255 -j ACCEPT
#
# Allow neighbour adv/sol so we can talk to our neighbouts (IPv6 ARP equivalent)
# ensure hop-limit (hl) is 255
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-advertisement --match hl --hl-eq 255 -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type neighbour-solicitation --match hl --hl-eq 255 -j ACCEPT
#
# Allow inverse neighbour discovery solicitation (141) / advertisement (142)
# ensure hop-limit (hl) is 255
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 141 --match hl --hl-eq 255 -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 142 --match hl --hl-eq 255 -j ACCEPT
#
# Allow certificate path solicitation (148) / advertisement (149)
# ensure hop-limit (hl) is 255
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 148 --match hl --hl-eq 255 -j ACCEPT
-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 149 --match hl --hl-eq 255 -j ACCEPT
##
## Allow ICMPv6 with link local addresses for multicast listener query (130), report (131), done (132) and report v2 (143)
## Likely unused, but uncomment if required
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 130 --source fe80::/10 -j ACCEPT
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 131 --source fe80::/10 -j ACCEPT
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 132 --source fe80::/10 -j ACCEPT
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 143 --source fe80::/10 -j ACCEPT
## Allow ICMPv6 with link local addresses and hop limit == 1 for multicast router advertisement (151), solicitation (152) and termination (153)
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 151 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 152 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
#-A ICMP6FLTR -p ipv6-icmp --icmpv6-type 153 --source fe80::/10 --match hl --hl-eq 1 -j ACCEPT
#
# Drop everything else
-A ICMP6FLTR -j LOGIDROP
#
# Main INPUT chain
#
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# Drop all routing header traffic (change if supporting mobile IPv6)
-A INPUT -m rt --rt-type 0 -j LOGIDROP
-A INPUT -m rt --rt-type 1 -j LOGIDROP
-A INPUT -m rt --rt-type 2 -j LOGIDROP
# Call ICMPv6 filter
-A INPUT -p ipv6-icmp -j ICMP6FLTR
# Allow all traffic related to, or part of an established stream
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow SSH and HTTP traffic
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# Drop, but log, everything else
-A INPUT -j LOGIDROP
COMMIT

Assuming your desired ruleset is stored in a file called simple_firewall6.rules then you can import the firewall rules using:

# '''ip6tables-restore < simple_firewall6.rules'''

You can view the active firewall rules, and determine the number of packets being processed by each rule using:

# '''ip6tables -v -n -L'''

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo any anywhere anywhere
6 480 LOGIDROP all any any anywhere anywhere rt type:0 segsleft:0
0 0 LOGIDROP all any any anywhere anywhere rt type:1 segsleft:0
0 0 LOGIDROP all any any anywhere anywhere rt type:2 segsleft:0
94 14928 ICMP6FLTR ipv6-icmp any any anywhere anywhere
687 64315 ACCEPT all any any anywhere anywhere state RELATED,ESTABLISHED
24 1892 ACCEPT tcp any any anywhere anywhere tcp dpt:ssh
3 192 ACCEPT tcp any any anywhere anywhere tcp dpt:http
2002 130K LOGIDROP all any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 680 packets, 336K bytes)
pkts bytes target prot opt in out source destination

Chain ICMP6FLTR (1 references)
pkts bytes target prot opt in out source destination
1 176 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp echo-request
0 0 ACCEPT ipv6-icmp any any anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp echo-reply
0 0 ACCEPT ipv6-icmp any any anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp destination-unreachable
0 0 ACCEPT ipv6-icmp any any anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp packet-too-big
0 0 ACCEPT ipv6-icmp any any anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp unknown-header-type
0 0 ACCEPT ipv6-icmp any any anywhere anywhere state RELATED,ESTABLISHED ipv6-icmp unknown-option
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp ttl-zero-during-reassembly
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp bad-header
85 14280 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp router-solicitation HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
2 136 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT ipv6-icmp any any anywhere anywhere ipv6-icmptype 149 HL match HL == 255
6 336 LOGIDROP all any any anywhere anywhere

Chain LOGIDROP (5 references)
pkts bytes target prot opt in out source destination
12 784 LOG all any any anywhere anywhere limit: avg 20/min burst 10 LOG level warning tcp-sequence tcp-options ip-options prefix "IPV6_INPUT_DROP "
2014 131K DROP all any any anywhere anywhere

Once you're satisfied that the IPv6 firewall rules are performing correctly then they can be saved using the following command:

# rc.d save ip6tables

Note that if you're also using IPv4 then don't forget to setup a similar IPv4 firewall ruleset. Again this example is only suitable for use in a trusted environment and needs further consideration for an internet facing machine.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGI4DROP - [0:0]
-A LOGI4DROP -m limit --limit 10/m --limit-burst 5 -j LOG --log-prefix "IPV4_INPUT_DROP " --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOGI4DROP -j DROP
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# Allow all traffic related to, or part of an established session
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping of this host to aid debug - comment out if not required
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow SSH and HTTP traffic
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allow DHCP related traffic
-A INPUT -p udp --dport 67:68 -j ACCEPT
# Drop everything else
-A INPUT -j LOGI4DROP
COMMIT

This time import can be performed using:

# iptables-restore < simple_firewall.rules

Once you're happy with your IPv4 firewall then you can save the active rules using the following command:

# rc.d save iptables

Note that it is import to check full functionality still exists with your firewall in place - this particularly applies to address allocation (e.g. DHCP and SLAAC) procedures which may mean that a misconfigured firewall makes your Raspberry Pi unreachable. This is one reason why it is useful to develop the two rulesets (IPv4 and IPv6) separately, since if you misconfigure one firewall and lose connectivity then you can fall back to the working protocol version to correct your mistake. Once you're happy that both firewall sets are correct then you can insert ''both'' sets into '''/etc/rc.conf''' DAEMONS statement before the network module is called:

DAEMONS=(!hwclock syslog-ng '''iptables''' '''ip6tables''' network openntpd @netfs @crond @sshd @mysqld @httpd)

You can check for dropped/logged packets (in the examples above logging is included for the IPv6 packet filter) using the following command:

# tailf /var/log/iptables.log

=== Installing LAMP ===

Install LAMP by following the excellent [https://wiki.archlinux.org/index.php/LAMP Arch Linux LAMP guide].

# pacman -S apache php php-apache mysql

# rc.d start mysqld

Don't forget to add a MySQL password:

# mysqladmin -u root password ‘password’
# mysql -u root -p

Then Edit /etc/rc.conf (to start MySQL at boot):

DAEMONS=(... mysqld ...)

Read and follow the Apache section - I suggest that you adjust the default DocumentRoot directory by inserting an additional directory level (e.g. htdocs) under /srv/http so that you can place other directories at this same level without them all being under the Document root:

/srv/http/
htdocs/ - DocumentRoot directory for storage of your served web pages (e.g. index.php discussed below)
cgi-bin6/ - directory for the ipscan cgi executables

If you follow this suggestion then don't forget to modify the DocumentRoot setting in the apache configuration file! Having followed the php installation guide then you'll also need to update php's base directory to match Apache inside '''/etc/php/php.ini''':

open_basedir = /srv/http/htdocs:/home/:/tmp/:/usr/share/pear/

And also define the timezone appropriately for your system:

<nowiki>
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = "Europe/London"
</nowiki>

Once Apache and PHP start successfully:

# rc.d start httpd

then edit /etc/rc.conf (to start Apache at boot):

DAEMONS=(... httpd ...)

Then install the basic development tools (provides gcc, etc.)

# pacman -S base-devel

And perl and the associated MySQL interface modules:

# pacman -S perl-dbi perl-dbd-mysql

You may also wish to include spoken sound support:

# pacman -S festival festival-english alsa-utils

And update your festivalrc file:

# cat /root/.festivalrc

(Parameter.set 'Audio_Command "/usr/bin/aplay -R1000 -q -c 1 -t raw -f s16 -r $SR $FILE")
(Parameter.set 'Audio_Method 'Audio_Command)

And add a sound.conf file under /etc/modules-load.d to ensure the Broadcom sound module is loaded at boot.
The file needs to contain a single statement shown below:

# cat /etc/modules-load.d/sound.conf

snd_bcm2835

=== Install git, download and build ipscan ===

Then install git and download the ipscan source:

# pacman -S git

Then clone the ipscan source into a directory under your root user account:

[root@alarmpi ~]# git clone https://github.com/timsgit/ipscan ipscan
Cloning into 'ipscan'...
remote: Counting objects: 221, done.
remote: Compressing objects: 100% (200/200), done.
remote: Total 221 (delta 156), reused 85 (delta 20)
Receiving objects: 100% (221/221), 102.97 KiB, done.
Resolving deltas: 100% (156/156), done.
[root@alarmpi ~]# ls ipscan
COPYING ipscan.c ipscan_checks.c ipscan_db.c ipscan.h ipscan_portlist.h ipscan_web.c Makefile README sqltidy.pl
[root@alarmpi ~]#

Now follow the instructions in the [https://github.com/timsgit/ipscan/blob/master/README README file] within ipscan's github repository.

It's necessary to change the Makefile to reflect your Apache server's cgi-bin directory mapping:

Assuming your Apache configuration file (/etc/httpd/conf/httpd.conf) contains:

DocumentRoot "/srv/http/htdocs"

and ...

ScriptAlias /cgi-bin6/ "/srv/http/cgi-bin6/"

and ...

<Directory "/srv/http/cgi-bin6">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>

then modify your ipscan Makefile to reflect this:

# Install location for the CGI files
TARGETDIR=/srv/http/cgi-bin6

# HTTP URI PATH by which external hosts will access the CGI files.
# This may well be unrelated to the installation path if Apache is configured
# to provide CGI access via an alias.
# NB : the path should begin with a / but must NOT end with one ....
URIPATH=/cgi-bin6

Make sure you have created the /srv/http/cgi-bin6 directory (or whatever you have chosen) before attempting to build ipscan. Also make sure that your MySQL database is created following the instructions in the github repository. You will need to login to mysql using the root password you previously defined (above):

# mysql -u root -p

mysql> create database ipscan;
Query OK, 1 row affected (0.00 sec)

mysql> create user 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
Query OK, 0 rows affected (0.01 sec)

mysql> grant all privileges on ipscan.* to 'ipscan-user'@'localhost' identified by 'ipscan-passwd';
Query OK, 0 rows affected (0.01 sec)

mysql> exit

Modify the ipscan-user and ipscan-passwd entries to use your preferences (different to the ones that you chose for root!) and enter the same credentials into the ipscan.h include file:

// MySQL database-related globals

#define MYSQL_HOST "localhost"
#define MYSQL_USER "ipscan-user"
#define MYSQL_PASSWD "ipscan-passwd"
#define MYSQL_DBNAME "ipscan"
#define MYSQL_TBLNAME "results"

Then you should be able to make ipscan as '''root''' user and perform the install to transfer the necessary cgi files into your preferred cgi-bin directory:

# make && make install

Prior to running the ipscan tester it is advisable to add a cron job which will execute the sqltidy.pl script to remove the completed scan results to protect your users' security and minimise the size of your database:

First install the necessary perl mysql data base interface modules:

# pacman -S perl-dbi-mysql perl-mysql

Then modify the MySQL related entries in the sqltidy.pl script to match your chosen user, password, etc. and then ensure that the script runs standalone without any perl errors:

# /root/ipscan/sqltidy.pl

And finally edit the root cron job to insert the line shown below (modified to reflect your ipscan source directory):

# crontab -e

You may wish to move sqltidy.pl to another location, but ensure its permissions prevent ordinary users from reading or executing the file:

*/5 * * * * /root/ipscan/sqltidy.pl 2>&1

=== Check your Services and IPv6 address allocation ===

Now it is suggested that you check your Apache service is running using lsof:

# pacman -S lsof

# lsof -i -n -P |grep http
httpd 712 root 4u IPv6 1457 0t0 TCP *:80 (LISTEN)
httpd 16107 http 4u IPv6 1457 0t0 TCP *:80 (LISTEN)
...

And for MySQL:

# ps -ef |grep -i mysql
root 392 1 0 Aug25 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe --user=mysql
mysql 688 392 0 Aug25 ? 01:47:48 /usr/bin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin
--user=mysql --log-error=/var/lib/mysql/alarmpi.err --pid-file=/var/lib/mysql/alarmpi.pid
--socket=/var/run/mysqld/mysqld.sock --port=3306

It is now worth checking that your Raspberry Pi has been correctly allocated an IPv6 address, using ifconfig:

# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet AA.BB.C.DD netmask 255.255.255.0 broadcast AA.BB.C.255
inet6 '''2001:470:971f:3:ba27:ebff:fecc:dc7c''' prefixlen 64 scopeid 0x0<global>
inet6 fe80::ba27:ebff:fecc:dc7c prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:cc:dc:7c txqueuelen 1000 (Ethernet)
RX packets 721789 bytes 103366589 (98.5 MiB)
RX errors 0 dropped 48 overruns 0 frame 0
TX packets 231210 bytes 130480722 (124.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Assuming that your Raspberry Pi has a valid IPv6 address and that your Apache and MySQL services are correctly running then you should be able to point a web browser to your cgi file:

e.g. towards '''http://[2001:470:971f:3:ba27:ebff:fecc:dc7c]/cgi-bin6/ipscan-txt.cgi'''

=== Restrict SSH Logins ===

In general it is recommended that you apply all the standard SSH hardening approaches. You can also restrict logins to your newly created plain user (above) with the addition of the following line to your ssh configuration file ('''/etc/ssh/sshd_config'''). I'd also recommend that you choose an username which isn't a simple shortening of your own name:

AllowUsers '''PlnUsr456'''

=== Example PHP landing page ===

An example PHP landing page can be found by following the link [[Raspberry_Pi_IPv6_firewall_tester_landingpage]].

This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy.

----

<adsense>1</adsense>

IPv6 Firewalls

2012-12-09T15:52:04Z

2001:470:1F08:185C:0:0:0:2:

==IPv6 Firewalls==

===General Observations===

IPv6 firewalls are separate from, and often control network traffic in different ways, to current IPv4 firewalls. IPv4 has evolved from its original flat architecture to involve multiple layers of hierarchy in order to support the burgeoning number of nodes that make up the internet. Not only can the imposed hierarchy offer some security in itself but clients have often relied on their online visibility and security being provided by another node (e.g. an ADSL router). This assumed protection, and the likelihood that it is missing if you connect your client to a foreign (non-home) network, is behind the frequently reported incidents of "coffee shop" wifi attacks.

IPv6 intends to revert the network hierarchy back towards a flat structure, where any node can talk directly to any other IPv6 node. In line with this approach routers '''may''' or '''may not''' firewall IPv6 traffic for clients that operate behind them. This has several implications for the clients:

* Clients may have globally routable IPv6 addresses
* Clients may be solely responsible for their own security/firewall protection (safest to assume this is the case for both IPv6 and IPv4)
* Clients may have more than one active IPv6 address
* Clients may frequently change their IPv6 address if using privacy addresses, as per [http://tools.ietf.org/html/rfc4941 RFC4941]

In response to this many of the current IPv6-enabled client devices (e.g. iOS and Android devices) include their own IPv6 firewalls, which are usually enabled by default.

IPv6 brings two other scenarios that mobile clients (i.e. those connecting to more than one network) need to consider:

* Currently shipping operating systems have IPv6 enabled by default
* Even if your home network doesn't have IPv6 enabled, you can't assume other networks won't have

As a consequence of all of the above changes it is imperative that you '''ensure that your IPv6-enabled client devices have their IPv6 firewall enabled''', and it is protecting the services running on your client. It is also advisable to disable any IPv6 services that you do not require (e.g. tunneling protocols that you are not actively using - this is especially applicable to Windows 7 clients).

One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling whereas it was predominantly used for error-case reporting in IPv4 networks. This requires IPv6 firewalls to admit certain [[ICMPv6_Types_Codes]] in order to handle IPv6 address allocation, neighbour discovery (IPv6 replacement for ARP) and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow the recommendations in [http://www.ietf.org/rfc/rfc4890.txt RFC4890] which includes an ip6tables packet filter example.

===IPv6 Addresses===

One other observation relates to the selection of an IPv6 address for your host. There are three main IPv6 address allocation approaches:

* Static unicast address allocation
* Stateless Address Autoconfiguration (SLAAC)
* DHCPv6

A full IPv6 address is composed of a network address part (perhaps 64 bits) and a host address part (often 64 bits).
http://ipv6.chappell-family.com/timswiki/skins/common/images/button_extlink.png
Dependant upon the scheme that your host uses you '''may''' be able to freely select the host address part - e.g. when using static address allocation. Despite what you may find written elsewhere you are only safe from IPv6 port scans if the address of your machine is not easily discoverable within its IPv6 subnet. On this basis I suggest that you fight the urge to allocate easy to type/remember addresses (e.g. <network-address-part>::1 and any that use a mix of frequently used hexadecimal addresses that spell words - i.e. 0xdead, 0xbeef, 0xface). Many machines appear to use such allocations in their host address part and if you were writing an IPv6 port scanner then surely addresses using such choices would be the place that you would start scanning? A DNS with suitable Quad-A entries is your friend in this situation.

Other useful links:

* [http://www.h-online.com/nettools/rfc/drafts/draft-gont-opsec-ipv6-host-scanning-02.shtml draft-gont-opsec-ipv6-host-scanning-02:Network Reconnaissance in IPv6 Networks]
* [http://www.h-online.com/nettools/rfc/drafts/draft-vyncke-opsec-v6-01.shtml draft-vyncke-opsec-v6-01:Operational Security Considerations for IPv6 Networks]

===Testing your IPv6 Firewall===

As well as ensuring that your IPv6 firewall is enabled it is '''''strongly recommended''''' that you actively test that it is correctly protecting your host. I have received feedback from several disgruntled users detailing how their default firewall settings either weren't blocking any IPv6 traffic at all (e.g. some DLINK IPv6 enabled products and certain UK ISP-provided firewalls) or were leaving critical services open for remote access. That is not to say that any of these products are necessarily "broken", or "unfit for purpose", merely that they don't necessarily perform in the same way for IPv6 traffic as they did for IPv4 traffic.

If you wish to verify the operation of your IPv6 firewall then try my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall checker] which checks your IPv6 Ping response and scans a set of user-defined TCP ports.

A '''''starting point''''' for an IPv6 iptables-based firewall can be found in my [[Raspberry_Pi_IPv6_firewall_tester_installation]].

This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy.

----

<adsense>1</adsense>