Blocking IPV6 Traffic / Teredo



  • I'm a new pfSense user, and relatively new to network admin as well.  I'm trying to tighten up my home network and for the moment want to block all ipV6 traffic until I can figure out what to do with the security issues it creates.

    I turned off IPv6 in System / Advanced / Networking by leaving the following boxes unchecked:

    • All IPv6 traffic will be blocked by the firewall unless this box is checked
    • Enable IPv4 NAT encapsulation of IPv6 packets

    I thought that should do it, but ipv6leak.com showed that IPv6 was leaking. 
    I went to http://ipv6-test.com/ and found the following:
    (** The IPv6 and IPv4 Addresses have been modified to maintain privacy)

    
    IPv6 connectivity
    IPv6          	Supported 	
    Address        	2001:0:9a38:6acd:2674:70dc:9e00:9d84 	**
    Type 	        Teredo 	
    Teredo server 	157.56.106.189 	
    v4 address 	99.255.98.102:36691 	**
    SLAAC       	No 	
    ICMP 	        Not tested 	
    Hostname 	None 	
    ISP            	Rogers Cable Communications Inc. [Canada] 	
    
    

    I created a firewall rule which I though would block this traffic, but it was still getting through.

    IPv4 * * * 157.56.106.189/24 * * none   Block Microsoft Teredo Server

    For good measure, I blocked a whole /24, but ipv6-test.com still shows traffic going to 157.56.106.189.
    I even nuked the state table, but the connection rebuilt with this firewall rule in place.

    I've attached a copy of my firewall rules… The rule in question is the 2nd one from the top of the list.

    I put rule #3 in before I discovered ipv6-test.com and this teredo parasite.

    Can remove Rule #3 - does unchecking the boxes disables all IPv6 traffic that isn't tunneled though IPv4 and make this rule redundant.

    I suspect the best way to attack this is to block Port 3544 for either source / destination / any protocol.

    I found the following in the state table when it rebuilt.
    States
    Packets Bytes

    
    LAN  udp 	157.56.106.189:3544 <- 192.168.1.18:60845                      	MULTIPLE:MULTIPLE 	25 / 24 	2 KiB / 3 KiB 	
    WAN  udp 	192.168.0.19:33603 (192.168.1.18:60845) -> 157.56.106.189:3544 	MULTIPLE:MULTIPLE 	25 / 24 	2 KiB / 3 KiB
    
    

    Note that the WAN has a NAT in front of it (the cable company router - I hope to eventually get rid of it, but I need it for the moment until I get everything moved over to the pfSense router… but I've got a lot of stuff to figure out before I'm ready to move things over.)

    The firewall rule blocks anything with a destination 157.56.106.189/24 so I can't figure out why this connection should still be happening.

    Any suggestions would be much appreciated.




  • Rules are applied inbound on an interface, not outbound.  So your rule you put on your WAN is saying "block any traffic inbound on my WAN interface that is sourced from any IPV4 address, with any IPV4 protocol, that is destined to 157.56.106.189/24".

    Is 157.56.106.189 inside your network (LAN side of pfSense) or outside (WAN side of pfSense)?  How about 192.168.0.0/16?  LAN side or WAN side?
    What would happen if you put that same rule on your LAN interface?



  • @mer:

    Rules are applied inbound on an interface, not outbound.  So your rule you put on your WAN is saying "block any traffic inbound on my WAN interface that is sourced from any IPV4 address, with any IPV4 protocol, that is destined to 157.56.106.189/24".

    Is 157.56.106.189 inside your network (LAN side of pfSense) or outside (WAN side of pfSense)?  How about 192.168.0.0/16?  LAN side or WAN side?
    What would happen if you put that same rule on your LAN interface?

    Thanks, I missed this distinction: Rules are applied inbound on an interface, not outbound.

    They don't call that protocol Teredo for nothing (named after a parasitic worm that makes holes in wood that is submerged in water).  It was a real pain to kill!

    For the benefit of anyone else who may wants to BLOCK MICROSOFT TEREDO, I'll post solution here….

    So far, the only networks that popped up were

    
    NetRange:       157.54.0.0 - 157.60.255.255
    CIDR:           157.56.0.0/14, 157.54.0.0/15, 157.60.0.0/16
    NetName:        MSFT-GFS
    NetHandle:      NET-157-54-0-0-1
    Parent:         NET157 (NET-157-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:       AS8075
    Organization:   Microsoft Corporation (MSFT)
    
    NetRange:       94.0.0.0 - 94.255.255.255
    CIDR:           94.0.0.0/8
    NetName:        94-RIPE
    NetHandle:      NET-94-0-0-0-1
    Parent:          ()
    NetType:        Allocated to RIPE NCC
    
    

    I created an alias ms_teredo
    Firewall / Aliases / IP
    ms_teredo 157.56.0.0/14, 157.54.0.0/15, 157.60.0.0/16, 94.0.0.0/8 Microsoft Teredo Servers

    And then a firewall block rule on the LAN side to prevent any traffic destined for those servers.
    Firewall / Rules / LAN

    IPv4 * * * ms teredo * * none   Block Microsoft Teredo Server

    I wasted the better part of a day figuring out how to block teredo, so I though I should document it for the benefit of others.  I've included a couple of screen caps that might help out someone new.






  • Fantastic  ;D  That's one of the subtle things lots of folks miss.  Don't forget about ordering:  user defined rules "first match wins".  If you put a block all rule first, your pass rules don't get triggered.

    Floating rules are applied a bit differently, so make sure you research them before using (they have in and out and are typically applied before interface specific rules)


  • Rebel Alliance Global Moderator

    Fantastic??  Seems like a horrible idea to me  for starters are the machines on this network not under your control?  Why would you not just remove it from the machines?  If they are not under your control why are you blocking it?

    netsh interface teredo set state disabled

    Couldn't you just go here to what to block?
    https://msdn.microsoft.com/en-us/library/windows/desktop/bb190948(v=vs.85).aspx
    Required Firewall Exceptions for Teredo

    Wouldn't it be easier to just block udp port 3544..  This is spelled out in the teredo rfc https://tools.ietf.org/html/rfc4380
    2.7.  Teredo UDP Port

    The UDP port number at which Teredo servers are waiting for packets.
      The value of this port is 3544.

    So wouldn't a simple rule of dest udp 3244 be easier and better, since no other services should really be using that port ever.. If you can not just the best choice turn it off at the source.

    So really there is nothing on this /8 other than teredo?  94.0.0.0/8  that seems highly highly wasteful of netblock and how many networks are you blocking there?  You need to be very careful when blocking large swatches of net space..  Just quick look shows your 94/8 is owned by lots of different companies..  So you don't want to talk to any of their services?

    inetnum:        94.0.0.0 - 94.15.255.255
    netname:        BSKYB-BROADBAND
    descr:          Sky UK Limited

    inetnum:        94.16.0.0 - 94.16.0.255
    netname:        SSP_Europe_Services
    descr:          SSP Europe Services public

    inetnum:        94.17.0.0 - 94.17.127.255
    netname:        MELITACABLE
    descr:          Melita plc

    etc..

    You do think that MS is using any of that address space for anything other than teredo?  You are blocking all services to those networks.  Looks like those IPs belong to their routing, peering and dns group.  So guessing lot more stuff then just teredo servers would fall into that block..



  • Sorry, John, I was trying to give a little positive reinforcement to the OP.  It also sounds like it's on his home network and he's trying to learn what's on it and understand security implications.  Nothing wrong with that, is there?  If I stepped out of line, sorry.


  • Rebel Alliance Global Moderator

    Positive encouragement is great when it warranted.. Learning is Fantastic as well.. I don't see either of those things in this post to be honest..  Sorry I just call them how I see them..

    I would be all for disable of all the MS ipv6 transition methods.. I personally think their turning on of 3 different methods out of the box is just an asinine approach, and very security thoughtless of them.. Which is not really surprising from MS ;)

    If this is home network, and I concur with this assessment why would he not just disable it?  Better yet if he is not ready for ipv6 on his network all his window machines should just turn off IPv6 until such time as he wants to correctly set it up.  Simple reg entry takes 2 seconds

    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

    That is  close as your going to to get to turning off ipv6 completely in windows machines.

    If what he wants is to prevent teredo, simple rule blocking udp 3544 would do it.  No time spent looking up where traffic is going, blocking huge amounts of the public internet on all ports, etc.



  • Thanks mer/johnpos for your comments… you are both correct... and I do value input that will make me aware of the negative implications of my actions and possibly better ways of doing things.  I'll respond below:

    @johnpoz:

    Positive encouragement is great when it warranted.. Learning is Fantastic as well.. I don't see either of those things in this post to be honest..  Sorry I just call them how I see them..

    It didn't bother me, but some people may take that "tone" personally… a slightly softer tone may be useful in avoiding conflict, but in this context I value the content over the tone.

    @johnpoz:

    I would be all for disable of all the MS ipv6 transition methods.. I personally think their turning on of 3 different methods out of the box is just an asinine approach, and very security thoughtless of them.. Which is not really surprising from MS ;)

    Lately I think MS has gone way past security thoughtless.  It's part of the whole trend to dumb stuff down so the non-digerati can use it and MS can get revenue from their customers by selling data on user habits to advertisers (or maybe worse).

    If I turn stuff off, I don't trust a Microsoft update (or malware) not to turn it back on.  (I am reading reports of people disabling Windows 10 upgrades and MS undoing the changes and pushing an update against the wishes of the computer owner. From my perspective Microsoft is no longer trustworthy. I will likely be blocking all Microsoft back-channels and only opening what I need for updates on a very limited basis when needed, but I'm not here yet.)

    @johnpoz:

    If this is home network, and I concur with this assessment why would he not just disable it?  Better yet if he is not ready for ipv6 on his network all his window machines should just turn off IPv6 until such time as he wants to correctly set it up.  Simple reg entry takes 2 seconds

    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

    That is  close as your going to to get to turning off ipv6 completely in windows machines.

    Thanks for this input-I had no idea how to do this and didn't want to spend the time Googling it. I may disable it in windows eventually but I'd rather firewall first and then once I know the firewall is working disable stuff.  (I also don't know what I'm going to break, so I want to make it easy to turn back on if necessary as well.)

    In the past I have discovered almost all of the "questionable activity" on my systems from my firewall.  (Likely nothing serious, but stuff I just wasn't comfortable with.)  AMAP I'm heading in the direction of "default deny" and opening up only what I need based on an understanding of why I need it open and where it's going.

    @johnpoz:

    If what he wants is to prevent teredo, simple rule blocking udp 3544 would do it.  No time spent looking up where traffic is going, blocking huge amounts of the public internet on all ports, etc.

    Now that I've gone though the exercise, and understand the nature of the beast, I think I will take johnpoz's advice and switch to blocking port 3544.  Next step will be to set up a package like pfBlockerNG or Suricata and add a MSblocklist.

    Thanks again.


  • Rebel Alliance Global Moderator

    Glad to see someone else is into content vs tone ;)  Sometimes its like talking to 13 year old girls on their first period around here, or anywhere on the net really and if forget to call them pretty every other sentence they get their panties all in a bunch ;) hehehe

    Sad to say but yeah I don't like the direction MS is headed either.  All the phone home, less then upfront details is not what I like to see in my choice of OS either.

    While I am a big promoter of ipv6, I personally don't think its quite ready for prime time as of yet.  I have it running on my network via HE tunnel, since not a fan of my ipv6 prefix changing on the whim of my isp.. What is odd is have had the same ipv4 for years, it never changes. So why should my ipv6 prefixes.  What I like is the simplicity the HE tunnel brings and that /48 is mine don't have to worry about that changing.  So while I have multiple /64's running other than the guest network everything is static.  IPv6 is off or controlled on all my devices.  I have my main workstation setup so I can turn it on whenever I want with a click.  But I don't have all those transition items ;)  Just a nice simple dual stack when I need it.

    While I don't like the idea of MS turning on any updates they want, I can understand the desire/need to do so..  The problem is the user base to be honest - your typical user is just completely and utterly clueless..  Its like the movie idiocracy when it comes to IT, they don't run updates they still click on anything shiny and open anything that says hey here is your invoice.  So when there is a major security issue that needs to be patched - sometimes maybe just F the idiot user and update it if they are not going too.. Its for their own freaking good - cuz you don't then they complain why all their files got encrypted and someone is asking for 200$ to give them their files back…

    While I can see the use of default deny outbound in some networks, in a home network where its MY devices its more trouble than its worth.  I don't run untrusted software, while I don't especially like everything ms is doing.  My tinfoil hat is not quite tight enough to think they are sending all my passwords to their servers sort of thing.  Nor do I have a piece of tape over my webcam ;) etc..

    While running a IDS/IPS can be a very learning experience - be ready for lots and lots and lots of noise.. That if you get caught up in you will be chasing your tail on.. Make sure you put it in monitor only mode and start trimming down the noise right.. If you have it block your going to break stuff that is for sure - if its just your stuff not that big of deal, sure you smart enough to get if working again..

    As to pfblocker - big fan of bcan177's work on that package.  Its very feature rich, and works!! I personally not a fan of the auto rule stuff.  But I do use the aliases list feature to block the top 20, and use it to control access for my ntp to only NA countries, etc.  So yeah that is a great addition to pfsense for sure.



  • @johnpoz:

    Sad to say but yeah I don't like the direction MS is headed either.  All the phone home, less then upfront details is not what I like to see in my choice of OS either.

    While I don't like the idea of MS turning on any updates they want, I can understand the desire/need to do so..  The problem is the user base to be honest - your typical user is just completely and utterly clueless..  Its like the movie idiocracy when it comes to IT, they don't run updates they still click on anything shiny and open anything that says hey here is your invoice.  So when there is a major security issue that needs to be patched - sometimes maybe just F the idiot user and update it if they are not going too.. Its for their own freaking good - cuz you don't then they complain why all their files got encrypted and someone is asking for 200$ to give them their files back...

    All this dumbing down actually makes it harder for the crooks… now if you do actually know something, it's harder to see what is actually happening.  Hide the extension off files so you can't tell it's an executable DUMB, and been happening for 25 years with WinDoze.  Taking away meaningful error messages so it's impossible to troubleshoot.

    Then add on some java or javascript and cloud everything, intertwine them all together so that if any one element gets hacked you are PWNED.  Would be nice to container and firewall the individual packages so that traffic analysis is at least possible and damage could be contained a bit easier.

    @johnpoz:

    While I am a big promoter of ipv6, I personally don't think its quite ready for prime time as of yet.  I have it running on my network via HE tunnel, since not a fan of my ipv6 prefix changing on the whim of my isp.. What is odd is have had the same ipv4 for years, it never changes. So why should my ipv6 prefixes.  What I like is the simplicity the HE tunnel brings and that /48 is mine don't have to worry about that changing.  So while I have multiple /64's running other than the guest network everything is static.  IPv6 is off or controlled on all my devices.  I have my main workstation setup so I can turn it on whenever I want with a click.  But I don't have all those transition items ;)  Just a nice simple dual stack when I need it.

    TLDR
    What do you pay for that service if I may ask?  How often is IPv6 needed these days?  I know it's going to be an issue very soon, but given the vastness of the IPv6 space it's really hard to screen stuff the way you can with IPv4.  What's the new paradigm, or is there one?

    @johnpoz:

    While I can see the use of default deny outbound in some networks, in a home network where its MY devices its more trouble than its worth.  I don't run untrusted software, while I don't especially like everything ms is doing.  My tinfoil hat is not quite tight enough to think they are sending all my passwords to their servers sort of thing.  Nor do I have a piece of tape over my webcam ;) etc..

    Who's to say when a "trusted" vendor packs up an unwanted guest and becomes "untrusted".  Unfortunately I'm more worried about my devices running commercial or Embedded firmware than most of the other stuff I'm running.  These IoT devices, TVs, Printers etc, can do some pretty dumb things, and the only way to fix the situation is to put them in a cage and filter, filter, filter.

    @johnpoz:

    While running a IDS/IPS can be a very learning experience - be ready for lots and lots and lots of noise.. That if you get caught up in you will be chasing your tail on.. Make sure you put it in monitor only mode and start trimming down the noise right.. If you have it block your going to break stuff that is for sure - if its just your stuff not that big of deal, sure you smart enough to get if working again..

    As to pfblocker - big fan of bcan177's work on that package.  Its very feature rich, and works!! I personally not a fan of the auto rule stuff.  But I do use the aliases list feature to block the top 20, and use it to control access for my ntp to only NA countries, etc.  So yeah that is a great addition to pfsense for sure.

    I agree bcan177's has done some really good stuff.  I posted this question https://forum.pfsense.org/index.php?topic=115252 and got this reference to an excellent security roadmap https://forum.pfsense.org/index.php?topic=78062.0.  It's a very long read, and a bit tough to understand all the nuances until you really get to know your stuff, but it's very well done and will be my starting point.  The threaded nature of forums is actually the biggest problem, because you have to read from start to finish because some of the early stuff is important, but then there is a lot that has been superseded.


  • Rebel Alliance Global Moderator

    HE is FREE..  you can get either just a single /64 or /64 and a /48, etc.  FREE..  And they have a fun little ipv6 cert you can get, get sage level and free t-shirt ;)

    "These IoT devices, TVs, Printers etc"

    Agreed the iot stuff is somewhat concerning - and I agree cage it off.  But I'm not to the point of blocking it outbound traffic.  For example this is where my directv dvr on its own vlan, locked down it can not talk to anything else on my network and I log what it does.  It doesn't really do much other than some dns queries and phones home to something running on amazonaws




  • @johnpoz:

    HE is FREE..  you can get either just a single /64 or /64 and a /48, etc.  FREE..  And they have a fun little ipv6 cert you can get, get sage level and free t-shirt ;)

    Thanks… I see that certification... I'll check this out when I get a moment... IPv6 is coming and I will eventually have to cope with it.

    Don't know much about IPv6 at this point, but /64 is an insanely large block of IPs (bigger than whole IPv4 address space), and from what I understand they are sort of the "minimum allocation"... kinda like a /32.

    Just curious what do you do with it? (On a home network?)

    @johnpoz:

    "These IoT devices, TVs, Printers etc"

    Agreed the iot stuff is somewhat concerning - and I agree cage it off.  But I'm not to the point of blocking it outbound traffic.  For example this is where my directv dvr on its own vlan, locked down it can not talk to anything else on my network and I log what it does.  It doesn't really do much other than some dns queries and phones home to something running on amazonaws

    The DVR likely needs to phone home to function. (It's probably also logging your TV viewing habits so they can sell it to advertisers and rating agencies as well.  I'm pretty sure most of the cable boxes do that, and you can't firewall them cause they are on their own coax network.)

    At one point I had a media player that offered open telnet service with root login, no password and /etc/passwd in ROM so you couldn't patch it.  How is that for a recipe for disaster!