Firewall Best Practices with IPv6
At its core, pfSense is a firewall. We know this. We also know that, at the time of writing this, IPv6 is still in development for IPv6. However, I believe this is important. By viewing:
ipv6 access-list NO_RECONNAISSANCE
deny any fec0::/10 (deprecated site-local addresses)
permit any ff02::/16 (link-local scope)
permit any ff0e::/16 (global scope)
deny any ff00::/8 (block all multicast)
permit any any
That is the Cisco world. Here in the pfSense world I wonder if we could discuss, or if someone would be kind enough to demonstrate, some really essential practices we should be keeping in mind when introducing IPv6 onto our networks, either through tunnels, and especially when we are getting it directly through our ISPs. Any such discussion would be most appreciated. I would really like to see a screenshot of an example of IPv6 firewall rules. I am really concerned about IPv6 security and really would like to join others in really getting the upper hand on this. Thanks.
Nobody? Well, I am going to give it a go then. This is what I have, and I read this as: this will block all multicast and deprecated site-local address queries from anybody on the other end of my HE.net tunnel. Still not sure if I am barking up the right tree at all though:
I would remove your last rule… unless you want everyone to be able to access your IPv6 network. By default, everything is blocked on an interface. Well, except LAN.
I'm going to add these rules to mine with logging and see how much traffic comes. Also, I deny ICMP traffic to my network since it's enabled by default. If you look at /tmp/rules.debug, you'll see what rules are created by default and what we add.
If I remove the last rule, won't that cut me off from the IPv6 internet?
Not at all. By having that rule, if I knew your IPv6 addresses, I could ping and look around on your network. Your LAN, or the interface with your clients, needs to have a rule to allow IPv6 traffic.
Here is what I have for my IPv6 HE Tunnel:
Action  Proto      Source  Port  Destination    Port         Gateway  Queue  Description
Allow   IPv6 TCP   *       *     2001:470:xxxx  80 (HTTP)    *        none   HTTP Access to Web Server
Allow   IPv6 TCP   *       *     2001:470:xxxx  443 (HTTPS)  *        none   HTTPS Access to Web Server
Block   IPv6 ICMP  *       *     *              *            *        none   No Logging of ICMP traffic to WANIPv6 Address
For my LAN:
Action  Proto   Source   Port  Destination  Port  Gateway  Queue  Description
Allow   IPv6 *  LAN net  *     *            *     *        none   Default allow IPv6 LAN to any rule
Allow   IPv4 *  LAN net  *     *            *     *        none   Default allow IPv4 LAN to any rule
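As an added example (not code from this thread, from pfSense or from Cisco), here is a small first-match evaluator in Python that applies the NO_RECONNAISSANCE list from the first post to a few constructed destination addresses, and shows what dropping the trailing "permit any any" rule changes, which is the point raised about the last rule above. Only destination prefixes are modelled, since every rule in that list has source "any".

```python
"""First-match evaluator for the IPv6 ACL quoted in the thread.

Added example, not taken from the thread, pfSense or Cisco. It models the
NO_RECONNAISSANCE list (source 'any', destination prefixes as written) and
shows what the trailing 'permit any any' rule changes. The destination
addresses below are constructed sample data.
"""
import ipaddress

# (action, destination prefix, note) in the order the ACL lists them.
# fec0::/10 is deprecated site-local; ff02::/16 and ff0e::/16 are the
# link-local and global multicast scopes; ff00::/8 is all multicast.
NO_RECONNAISSANCE = [
    ("deny",   "fec0::/10", "deprecated site-local"),
    ("permit", "ff02::/16", "link-local multicast scope"),
    ("permit", "ff0e::/16", "global multicast scope"),
    ("deny",   "ff00::/8",  "all other multicast"),
    ("permit", "::/0",      "permit any any"),
]

def evaluate(acl, dst):
    """Return (action, note) of the first rule whose prefix contains dst.
    A destination that matches no rule falls to the implicit default deny."""
    addr = ipaddress.IPv6Address(dst)
    for action, prefix, note in acl:
        if addr in ipaddress.IPv6Network(prefix):
            return action, note
    return "deny", "implicit default deny"

def evaluate_all(acl, dsts):
    """Map each destination to the action the list takes on it."""
    return {d: evaluate(acl, d)[0] for d in dsts}

SAMPLE_DESTINATIONS = [          # constructed sample data
    "fec0::1",        # deprecated site-local
    "ff02::1",        # all-nodes link-local multicast
    "ff0e::101",      # global-scope multicast
    "ff05::2",        # site-local multicast: only ff00::/8 matches it
    "2001:db8::80",   # ordinary global unicast (documentation prefix)
]

if __name__ == "__main__":
    for name, acl in (("with permit any any", NO_RECONNAISSANCE),
                      ("without permit any any", NO_RECONNAISSANCE[:-1])):
        print(name)
        for dst in SAMPLE_DESTINATIONS:
            action, note = evaluate(acl, dst)
            print(f"  {dst:14} {action:6} ({note})")
```

Removing the last rule only changes the fate of traffic that no earlier rule matches: unicast to the network falls to the default deny, while the permitted multicast scopes are unaffected.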
Hey thanks, see, important info! ;D