579
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − − Some general observations on IPv6 firewalls, IPv6 address selection and IPv6 firewall testing. − Line 46:
Line 43: − + − * [http://www.h-online.com/nettools/rfc/drafts/draft-vyncke-opsec-v6-01.shtml draft-vyncke-opsec-v6-01:Operational Security Considerations for IPv6 Networks]+ − Line 55:
Line 51: − + − − A '''''starting point''''' for an IPv6 iptables-based firewall can be found in my [[Raspberry_Pi_IPv6_firewall_tester_installation]]. − − − − This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy. + − ---- − <adsense>1</adsense>+
→Testing your IPv6 Firewall
==IPv6 Firewalls==
==IPv6 Firewalls==
===General Observations===
===General Observations===
Other useful links:
Other useful links:
* [http://www.h-online.com/nettools/rfc/drafts/draft-gont-opsec-ipv6-host-scanning-02.shtml draft-gont-opsec-ipv6-host-scanning-02:Network Reconnaissance in IPv6 Networks]
* [https://tools.ietf.org/id/draft-ietf-opsec-v6-12.html Operational Security Considerations for IPv6 Networks]
* [https://tools.ietf.org/html/rfc7707 Network Reconnaissance in IPv6 Networks]
* [http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf NSA Design Considerations for IPv6]
As well as ensuring that your IPv6 firewall is enabled it is '''''strongly recommended''''' that you actively test that it is correctly protecting your host. I have received feedback from several disgruntled users detailing how their default firewall settings either weren't blocking any IPv6 traffic at all (e.g. some DLINK IPv6 enabled products and certain UK ISP-provided firewalls) or were leaving critical services open for remote access. That is not to say that any of these products are necessarily "broken", or "unfit for purpose", merely that they don't necessarily perform in the same way for IPv6 traffic as they did for IPv4 traffic.
As well as ensuring that your IPv6 firewall is enabled it is '''''strongly recommended''''' that you actively test that it is correctly protecting your host. I have received feedback from several disgruntled users detailing how their default firewall settings either weren't blocking any IPv6 traffic at all (e.g. some DLINK IPv6 enabled products and certain UK ISP-provided firewalls) or were leaving critical services open for remote access. That is not to say that any of these products are necessarily "broken", or "unfit for purpose", merely that they don't necessarily perform in the same way for IPv6 traffic as they did for IPv4 traffic.
If you wish to verify the operation of your IPv6 firewall then try my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall checker] which checks your IPv6 Ping response and scans a set of user-defined TCP ports.
If you wish to verify the operation of your IPv6 firewall then try the [https://ipv6.chappell-family.com/ipv6tcptest/ IPscan IPv6 firewall checker] which checks your machine's IPv6 Ping response and scans a set of UDP ports and user-defined TCP ports.
A '''''starting point''''' for an IPv6 iptables-based firewall can be found in the [[Raspberry_Pi_IPv6_firewall_tester_installation]] section.
This website publishes a Privacy Policy (link at the bottom of every page). Continued use of this website implies your consent to the use of data outlined in the policy.