Comments on: ip6tables: IPv6 Firewall For Linux

By: Fábio

Fábio — Sat, 25 Jun 2011 17:31:02 +0000

Using this firewall I’m not able to use autoconfiguration. Am I right? ‘Cause it uses ICMPv6 messages that you are blocking here, allowing only “ping” messages.

By: Anders

Anders — Wed, 02 Feb 2011 17:17:50 +0000

There are ways of randomize/annonymize your IPv6 host address.
With that you can’t analyze trafick outside your corporate firewall to see what is inside just by checking IPv6 addresses.

NAT is just not a good solution to any problem I have seen. The problem is the mind set on people that has been forced to use NAT the last 15 years.

NAT is a hack, to get around the problem with IPv4 addresses running out. It don’t give you any security that you can’t get with IPv6 and firewalls, which you MUST have anyway, even if you use NAT.

By: Zloy

Zloy — Tue, 01 Feb 2011 19:48:17 +0000

># Allow full outgoing connection but no incomming stuff
>$IPT6 -A INPUT -i $PUBIF -m state –state ESTABLISHED,RELATED -j ACCEPT
>$IPT6 -A OUTPUT -o $PUBIF -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

These lines do not work in RHEL/CentOS 5.x because its kernel does not support stateful IPv6 firewalling. See https://bugzilla.redhat.com/show_bug.cgi?id=243739
But I use similar configuration in another distros with newer kernel.

By: Albert

Albert — Tue, 01 Feb 2011 15:02:56 +0000

Hello

Private networks I guess still have their use. It is difficult to convince certain organizations (health, banks, etc) to use ipv6 in their internal networks, as if they somehow need to “use the internet” for anything, their whole internal network is just a part of the whole “ipv6″ internet. They still want their “private” addressing while using IP protocols. They don’t want external “anlytics” being performed on what each of their potential ipv6 addresses look on the internet.

What’s the option for doing something like that, that does not imply application level proxies?

By: Anders

Anders — Wed, 18 Nov 2009 19:01:23 +0000

Yes, I forgot.

NAT has nothing to do with security. Firewall is the tool for that. There is ways of pass a NAT without a propper firewall setting.

There is LOTS of people that don’t understand this, and some will argue about that. Please don’t do that, just read relevant RFC:s. And use a propper firewall setting on all your machines.

By: Anders

Anders — Wed, 18 Nov 2009 18:56:34 +0000

Alex: Last drop is not necessary, but it should be put there to be secure, it’s easy to make mistakes, and this will hopefully catch some…

Becouse the script doesn’t warn about this: IPv6 ICMP is much more than just PING. If one filter that one, IPv6 will not work propperly.

Bibi: Any links with more information? I am interested in all stuff about IPv6.

By: bibi

bibi — Fri, 24 Jul 2009 08:11:57 +0000

this script is NOT secure, read on icmpv6 security problems….

By: Alex

Alex — Tue, 19 May 2009 15:54:05 +0000

Hi :)
I’m just wondering if the last Input DROP is necessary as the default policy already is DROP ?

cheers!

By: Martijn

Martijn — Tue, 06 Jan 2009 23:35:15 +0000

Yes, that is definitely useful! Thanks for the quick response Vivek. Implementing it now.

By: Vivek Gite

Vivek Gite — Mon, 05 Jan 2009 18:40:10 +0000

@ Martijn,

I’ve just updated the script. Hope this helps!

By: Martijn

Martijn — Mon, 05 Jan 2009 17:14:38 +0000

Hi, interesting script. Thanks for sharing it.

However, it’s missing one thing that would make it a lot more useful:
The PUBIF variable is set but never used, so the rules now apply to all interfaces, instead of just the public interface. If you could modify the script to use the PUBIF variable, it will still be useful for pc’s but also for IPv6 routers.

Hope you’ll consider this. Thanks.

By: diay

diay — Sun, 14 Sep 2008 17:47:51 +0000

thanks for sharing a shell script.