Changes

432 bytes added ,  20:36, 13 April 2013
no edit summary
Line 18: Line 18:     
An HTTP Proxy is typically used by corporate networks to ensure employees are using their PCs in line with corporate computer-use policies. [http://www.squid-cache.org/ Squid] is highly recommended as a proxy able to perform not only the usual access control and content-caching tasks but also offering IPv4 and IPv6 interworking between single and dual-stack clients and web-sites. For further details please read my [http://ipv6.chappell-family.com/docs/IPv6_Squid_v01.pdf IPv6 Squid Proxy article.]
 
An HTTP Proxy is typically used by corporate networks to ensure employees are using their PCs in line with corporate computer-use policies. [http://www.squid-cache.org/ Squid] is highly recommended as a proxy able to perform not only the usual access control and content-caching tasks but also offering IPv4 and IPv6 interworking between single and dual-stack clients and web-sites. For further details please read my [http://ipv6.chappell-family.com/docs/IPv6_Squid_v01.pdf IPv6 Squid Proxy article.]
  −
  −
This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy.
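Review bot: the removed line at the end of this hunk was the statement that continued use of the site implies consent to the data storage described in the Privacy Policy, and the edit carries no summary explaining why it went. If the notice now lives in a footer or on another page, say so in the edit summary; otherwise keep the link so that visitors running the test can still find what data is stored.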
        Line 35: Line 32:  
The test begins by sending an ICMPv6 ECHO-REQUEST (an IPv6 ping) towards the host under test (HUT). The tester checks for related ICMPv6 responses from either the HUT or other hosts (e.g. routers and/or firewall devices protecting the HUT). If a response is detected from an host other than the HUT then the IPv6 address of this third-party is reported.   
 
The test begins by sending an ICMPv6 ECHO-REQUEST (an IPv6 ping) towards the host under test (HUT). The tester checks for related ICMPv6 responses from either the HUT or other hosts (e.g. routers and/or firewall devices protecting the HUT). If a response is detected from an host other than the HUT then the IPv6 address of this third-party is reported.   
 
   
 
   
The test continues by scanning a set of IPv6 UDP ports. The IPv6 UDP port test sets its' socket tx/rx timeouts to be 2 seconds - consequently the results can take up to 2s per tested UDP port - although this depends heavily upon the filtering your system employs (e.g. firewalls which mark protected ports as 'administratively prohibited' will resolve as PHBTD in much less than the allowed 2 second timeout assuming that your firewall sends an ICMPv6 type 1 code 1 packet in response).
+
The test continues by scanning a fixed set of commonly used '''UDP [[IPv6_Ports]]'''. The IPv6 UDP port test sets its' socket tx/rx timeouts to be 2 seconds - consequently the results can take up to 2s per tested UDP port - although the actual time depends heavily upon the filtering that your system employs (e.g. firewalls which mark protected ports as 'unreachable' will resolve in much less than the allowed 2 second timeout assuming that your firewall sends the appropriate ICMPv6 packet in response).
    
The test finishes by scanning the user-selected IPv6 TCP ports. The IPv6 TCP port test sets its' socket tx/rx timeouts to be 1 second - consequently the results can take up to 1s per tested port - although this depends heavily upon the filtering your system employs (e.g. firewalls which mark protected ports as 'administratively prohibited' will resolve as PHBTD in much less than the allowed 1 second timeout assuming that your firewall sends an ICMPv6 type 1 code 1 packet in response).
 
The test finishes by scanning the user-selected IPv6 TCP ports. The IPv6 TCP port test sets its' socket tx/rx timeouts to be 1 second - consequently the results can take up to 1s per tested port - although this depends heavily upon the filtering your system employs (e.g. firewalls which mark protected ports as 'administratively prohibited' will resolve as PHBTD in much less than the allowed 1 second timeout assuming that your firewall sends an ICMPv6 type 1 code 1 packet in response).
      
The tester will indicate the status of the tested UDP and TCP ports as either OPEN, STEALTHed or one of a series of other states depending on the positive or negative feedback received from your machine. A typical result is shown in the figure below. Note that if you run the test using an interactive gui-based browser then hovering over specific port numbers produces a pop-up describing the service run on that specific port. For a more detailed explanation of the reported states please read '''[[ScanStatus]]'''.  
 
The tester will indicate the status of the tested UDP and TCP ports as either OPEN, STEALTHed or one of a series of other states depending on the positive or negative feedback received from your machine. A typical result is shown in the figure below. Note that if you run the test using an interactive gui-based browser then hovering over specific port numbers produces a pop-up describing the service run on that specific port. For a more detailed explanation of the reported states please read '''[[ScanStatus]]'''.  
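Review bot: the rewritten UDP paragraph now says firewalls mark ports as 'unreachable' and send "the appropriate ICMPv6 packet", while the unchanged TCP paragraph below it still names 'administratively prohibited', PHBTD and ICMPv6 type 1 code 1, so the two descriptions no longer line up. A reader cannot tell which reported state or which ICMPv6 type and code the UDP case maps to; name them as the TCP paragraph does, or point to [[ScanStatus]] for the mapping. The added line also keeps "sets its' socket", which should read "its".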
Line 55: Line 51:  
=== Raspberry Pi Powered IPv6 Firewall Tester ===
 
=== Raspberry Pi Powered IPv6 Firewall Tester ===
   −
Further details of my Raspberry Pi Powered IPv6 firewall tester can be found here : [[Raspberry_Pi_IPv6_firewall_tester]].
+
Outline details of my Raspberry Pi Powered IPv6 firewall tester can be found here [[Raspberry_Pi_IPv6_firewall_tester]], along with more complete [[Raspberry_Pi_IPv6_firewall_tester_installation]] details.  
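Review bot: the added sentence drops the colon the old line had after "here" and uses the raw page names, underscores included, as the visible link text for both links. Piped labels such as [[Raspberry_Pi_IPv6_firewall_tester_installation|installation guide]] would read better and make it clear which link is the overview and which is the installation procedure.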
      Line 61: Line 57:  
=== Issues - Debugging ===
 
=== Issues - Debugging ===
   −
If you're having trouble accessing the landing page via IPv6 then please see the following '''[[IPv6_DEBUG]]''' section.
+
If you're having trouble accessing the landing page via IPv6 (i.e. your IP address is reported as IPv4) then please see the following '''[[IPv6_DEBUG]]''' section.
 +
 
    +
=== Observations on IPv6 firewalls and IPv6 Address Selection ===
 +
 +
For some general observations on IPv6 firewalls, as well as some useful references, please see the '''[[IPv6_Firewalls]]''' section.
       
=== Getting an IPv6 connection ===
 
=== Getting an IPv6 connection ===
   −
If you don't already have an IPv6 connection but wish to get involved, then try a tunnel broker such as [http://tunnelbroker.net Hurricane Electric] or [http://www.sixxs.net SixXS].
+
If you don't already have an IPv6 connection but wish to get involved, then try a tunnel-broker such as [http://tunnelbroker.net Hurricane Electric] or [http://www.sixxs.net SixXS].
       
=== Source code ===
 
=== Source code ===
   −
If you would like to view or use the IPv6 firewall scanner source code then please visit my '''[https://github.com/timsgit/ipscan github]''' page.
+
If you would like to view or download the IPv6 firewall scanner source code then please visit my '''[https://github.com/timsgit/ipscan github]''' page. If you deploy the scanner on an internet facing machine then please ensure that you protect users' privacy by following the instructions given in point 10 of the embedded [https://github.com/timsgit/ipscan/blob/master/README README] file.
 
         
=== Automation ===
 
=== Automation ===
   −
If you'd like to automate IPv6 firewall testing, or run the same test a number of times on different hosts then please see my '''[[ScanAutomation]]''' section.
+
If you'd like to automate IPv6 firewall testing, or run the same test a number of times on different hosts then please see my '''[[ScanAutomation]]''' section and HTML '''[[ResultScraping]]''' section.
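Review bot: the privacy instruction added to the Source code paragraph points at "point 10" of a README linked on the master branch, so the reference breaks silently if the README is renumbered or reordered. State in the sentence itself what the deployer has to do to protect users' privacy, or link to a fixed revision of the README. Separately, the new heading promises "IPv6 Address Selection" but the paragraph under it only mentions observations on IPv6 firewalls; align the heading and the text.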
     
