The IPscan IPv6 Firewall Tester (ICMPv6, IPv6 TCP and UDP Port Scanner)
IPscan offers much of the functionality you might hope to find in an IPv6 version of GRC's ShieldsUp® utility.
Recent web-browsers request IPv6 DNS lookups in preference to IPv4 if they are running on a host with IPv6 enabled. The ipv6.chappell-family.com domain has DNS entries for both IPv4 and IPv6 addresses. This makes it possible for IPv4-only hosts, which make up most of the current web traffic, including search engines, to use the same URL. Browsers running on IPv4-only hosts will not request an IPv6 address and will therefore access the website entirely using IPv4. The landing page, as linked below, attempts to determine whether your machine has a valid globally routable IPv6 address (2000::/3) and whether it is behind an HTTP proxy, by looking for well known HTTP header variables which indicate that this may be the case. Only if the hosts' IP address is determined to be globally-routable unicast IPv6 and there are no tell-tale HTTP proxy variables will the landing page offer links to initiate the scan, as shown in the figure below.
Please do NOT attempt to test hosts which are located behind HTTP proxies. Such proxies are very common in both corporate environments and on commercially-operated free wifi networks. The landing page for IPscan attempts to detect the common headers which such proxies insert, but it cannot detect truly transparent proxies. An HTTP Proxy is typically used by corporate networks to ensure employees are using their PCs in line with corporate computer-use policies. If you are interested in deploying your own HTTP proxy then Squid is highly recommended as a proxy able to perform not only the usual access control and content-caching tasks but also offering IPv4 and IPv6 inter-working between single and dual-stack clients and web-sites. For further details please read the IPv6 Squid Proxy article.
The tester allows a user to choose whether to include a commonly used set of TCP IPv6_Ports in their scan, as well as the ability to specify a number of their own specifically interesting TCP ports (this is intended to cover setups where you run services on non IANA-assigned ports, or just run less-common services). If you would like to see the list of commonly used ports expanded, or just changed, then please contact me.
The test begins by sending an ICMPv6 ECHO-REQUEST (an IPv6 ping) towards the host under test (HUT). The tester checks for related ICMPv6 responses from either the HUT or other hosts (e.g. routers and/or firewall devices protecting the HUT). If a response is detected from an host other than the HUT then the IPv6 address of this third-party is reported.
The test continues by scanning a fixed set of commonly used UDP IPv6_Ports. The IPv6 UDP port test sets its' socket tx/rx timeouts to be 2 seconds - consequently the results can take up to 2s per tested UDP port - although the actual time depends heavily upon the filtering that your system employs (e.g. firewalls which mark protected ports as 'unreachable' will resolve in much less than the allowed 2 second timeout assuming that your firewall sends the appropriate ICMPv6 packet in response).
The test finishes by scanning the user-selected IPv6 TCP ports. The IPv6 TCP port test sets its' socket Tx/Rx timeouts to be 1 second - consequently the results can take up to 1s per tested port - although this depends heavily upon the filtering your system employs (e.g. firewalls which mark protected ports as 'administratively prohibited' will resolve as PHBTD in much less than the allowed 1 second timeout assuming that your firewall sends an ICMPv6 type 1 code 1 packet in response).
The tester will indicate the status of the tested UDP and TCP ports as either OPEN, STEALTHed or one of a series of other states depending on the positive or negative feedback received from your machine. A typical result is shown in the figures below. Note that if you run the test using an interactive gui-based browser then hovering over specific port numbers produces a pop-up describing the service run on that specific port. For a more detailed explanation of the reported states please read ScanStatus.
IMPORTANT: this scanner will direct IPv6 TCP, UDP and ICMPv6 traffic towards the IP address that the webserver determines the request originates from. Please do NOT attempt to test machines that are operating behind transparent HTTP proxies, unless you also administer the proxy and specifically intend that machine to be tested.
If you wish to test your host now then please point your browser towards the IPv6 portscanner.
Test Server Source IPv6 Addresses
Tests performed from the www64.chappell-family.co.uk host will be sourced from IPv6 address: 2001:470:971f:6::4.
Note: during periods of planned server maintenance, a reduced service supporting only TCP testing may be offered, which will be sourced from an IPv6 address in the following range: 2001:8d8:100f::/48.
Raspberry Pi Powered IPv6 Firewall Tester
All tests performed during non-maintenance periods are now handled by a Raspberry Pi powered host.
Issues - Debugging
If you're having trouble accessing the landing page via IPv6 (i.e. your IP address is reported as IPv4) then please see the following IPv6_DEBUG section.
Observations on IPv6 firewalls and IPv6 Address Selection
For some general observations on IPv6 firewalls, as well as some useful references, please see the IPv6_Firewalls section.
Getting an IPv6 connection
If you don't already have an IPv6 connection but wish to get involved, then try a tunnel-broker such as Hurricane Electric.
If you would like to view or download the IPv6 firewall scanner source code then please visit the github page. If you deploy the scanner on an internet facing machine then please ensure that you protect users' privacy by following the instructions given in point 10 of the embedded README file.
URL for Sharing
If you find this utility useful then please feel free to share the following URL with new users:
https://ipv6.chappell-family.com/ipv6tcptest/ IPv6 Firewall Tester