Netgate Discussion Forum

Firewall Best Practices with IPv6

IPv6
xtropx, last edited Jul 12, 2012, 12:20 AM

    At its core, pfsense is a firewall. We know this. We also know that, at the time of writing this, IPv6 is still in development in pfsense. However, I believe this is important. By viewing:

    http://www.apricot.net/apricot2012/__data/assets/pdf_file/0004/45589/IPv6-Security-Threats-Mitigations_Apricot_v4.pdf

    We have:

    ipv6 access-list NO_RECONNAISSANCE
    deny any fec0::/10 (deprecated site-local addresses)
    permit any ff02::/16 (link-local scope)
    permit any ff0e::/16 (global scope)
    deny any ff00::/8 (block all multicast)
    permit any any

    That is, the Cisco world. Here in the pfsense world, I wonder if we could discuss, or if someone would be kind enough to demonstrate, some really essential practices we should be keeping in mind when introducing IPv6 onto our networks, either through tunnels and especially when we are getting it directly through our ISPs. Any such discussion would be most appreciated. I would really like to see a screenshot of an example of IPv6 firewall rules. I am really concerned about IPv6 security and really would like to join others in really getting the upper hand on this. Thanks.

    Regards,

    xtropx

xtropx, last edited Jul 14, 2012, 4:32 PM

      Nobody? Well, I am going to give it a go then. This is what I have, and I read this as: this will block all multicast and deprecated site-local address queries from anybody on the other end of my HE.net tunnel. Still not sure if I am barking up the right tree at all though:

      Regards,

      xtropx

Cino, last edited Jul 14, 2012, 5:52 PM

        I would remove your last rule... unless you want everyone to be able to access your IPv6 network. By default, everything is blocked on an interface. Well, except LAN.

        I'm going to add these rules to mine with logging and see how much traffic comes. Also, I deny ICMP traffic to my network since it's enabled by default. If you look at /tmp/rules.debug, you'll see what rules are created by default and what we add.

xtropx, last edited Jul 14, 2012, 6:28 PM

          If I remove the last rule, won't that cut me off from the IPv6 internet?

          Regards,

          xtropx

Cino, posted Jul 14, 2012, 6:50 PM, last edited 6:52 PM

            Not at all. By having that rule, if I knew your IPv6 addresses, I could ping and look around on your network. Your LAN, or the interface with your clients, needs to have a rule to allow IPv6 traffic.

            here is what I have for my IPv6 HE Tunnel:

            Action  Proto      Source  Port  Destination    Port         Gateway  Queue  Description
            Allow   IPv6 TCP   *       *     2001:470:xxxx  80 (HTTP)    *        none   HTTP Access to Web Server
            Allow   IPv6 TCP   *       *     2001:470:xxxx  443 (HTTPS)  *        none   HTTPS Access to Web Server
            Block   IPv6 ICMP  *       *     *              *            *        none   No Logging of ICMP traffic to WANIPv6 Address


            For my LAN:

            Action  Proto   Source   Port  Destination  Port  Gateway  Queue  Description
            Allow   IPv6 *  LAN net  *     *            *     *        none   Default allow IPv6 LAN to any rule
            Allow   IPv4 *  LAN net  *     *            *     *        none   Default allow IPv4 LAN to any rule

xtropx, last edited Jul 14, 2012, 7:53 PM
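As an added example that is not from the forum posts or from pfSense itself, the following Python models the NO_RECONNAISSANCE list quoted in the first post and Cino's WAN/LAN rule table above as first-match rulesets. Both a Cisco ACL and pfSense interface rules (which are generated with `quick`) stop at the first matching rule, and pfSense drops whatever no rule passes, so the same evaluator serves both. It shows concretely why the trailing allow-all rule on the tunnel interface exposes every internal host, which is the point Cino makes. Interface names, the `2001:db8:` addresses (standing in for the redacted `2001:470:xxxx` prefix), the `packet()`/`wan_verdict()` helpers and the sample packets are assumptions made for this example.

```python
"""First-match evaluation of the IPv6 rules discussed in this thread.

Added example, not code from pfSense or from the forum posts.  Addresses,
interface names and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

ANY6 = IPv6Network("::/0")


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrives on ("wan" / "lan")
    proto: str                   # "tcp", "udp" or "icmp6"
    src: IPv6Address
    dst: IPv6Address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str = "*"
    proto: str = "*"
    src: IPv6Network = ANY6
    dst: IPv6Network = ANY6
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and p.src in self.src and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


def packet(iface: str, proto: str, src: str, dst: str,
           dport: Optional[int] = None) -> Packet:
    """Convenience constructor from address strings (assumed helper)."""
    return Packet(iface, proto, IPv6Address(src), IPv6Address(dst), dport)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First match wins; no match falls through to pfSense's implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.label
    return "block", "implicit default deny"


# The NO_RECONNAISSANCE list from the APRICOT slides as destination rules.
# Order matters: the ff02::/16 and ff0e::/16 permits must sit above the
# ff00::/8 deny, otherwise they can never match.
NO_RECONNAISSANCE = [
    Rule("block", dst=IPv6Network("fec0::/10"), label="deprecated site-local"),
    Rule("pass", dst=IPv6Network("ff02::/16"), label="link-local scope multicast"),
    Rule("pass", dst=IPv6Network("ff0e::/16"), label="global scope multicast"),
    Rule("block", dst=IPv6Network("ff00::/8"), label="all other multicast"),
    Rule("pass", label="permit any any"),
]

# Cino's HE tunnel (WAN) and LAN rules, with constructed addresses.
WEB_SERVER = IPv6Network("2001:db8:470:1::80/128")
LAN_NET = IPv6Network("2001:db8:470:1::/64")
WAN_RULES = [
    Rule("pass", "wan", "tcp", dst=WEB_SERVER, dport=80, label="HTTP Access to Web Server"),
    Rule("pass", "wan", "tcp", dst=WEB_SERVER, dport=443, label="HTTPS Access to Web Server"),
    Rule("block", "wan", "icmp6", label="No Logging of ICMP traffic"),
]
LAN_RULES = [
    Rule("pass", "lan", src=LAN_NET, label="Default allow IPv6 LAN to any rule"),
]
# The trailing rule on the tunnel interface that Cino advised removing.
PERMIT_ANY = Rule("pass", "wan", label="permit any any")


def wan_verdict(p: Packet, trailing_permit: bool = False) -> str:
    """Verdict for an inbound tunnel packet, with or without the allow-all."""
    rules = WAN_RULES + ([PERMIT_ANY] if trailing_permit else [])
    return evaluate(rules, p)[0]


if __name__ == "__main__":
    outside = "2001:db8:cafe::1"
    for dst in ("fec0::1", "ff02::1", "ff0e::101", "ff05::2", "2001:db8:470:1::10"):
        print(f"{dst:22s} -> {evaluate(NO_RECONNAISSANCE, packet('wan', 'udp', outside, dst))}")
    ssh_to_lan = packet("wan", "tcp", outside, "2001:db8:470:1::10", 22)
    print("SSH to LAN host, no trailing permit:  ", wan_verdict(ssh_to_lan))
    print("SSH to LAN host, with trailing permit:", wan_verdict(ssh_to_lan, True))
```

With the three WAN rules alone, an outside host reaches only ports 80 and 443 on the web server; everything else, including SSH to a LAN client, falls through to the implicit deny. Appending the allow-all turns that same SSH attempt into a pass, which is the exposure Cino warns about. The real ruleset pfSense generates, including the `quick` keyword and the default block, can be read in /tmp/rules.debug as mentioned above.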

              Hey thanks, see, important info!  ;D

              Regards,

              xtropx

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.