• Hi all,

    Forgive me if I missed this, but is there a guide for configuring an adequate firewall for IPv6? Since we can't hide behind a NAT anymore, it seems pretty crucial to get it locked down a bit. I did some nmaps and saw how wide open everything is behind IPv6; it's pretty scary. So what are you guys running in your firewall rules?

    Thanks in advance!

  • LAYER 8 Global Moderator

    What is scary about blocking ALL but what you need? Just like what you do with IPv4, inbound is blocked by default; it's only open if you OPEN it.

    I currently don't have any inbound open other than ICMP. I did at one time have IPv6 for the NTP server I run, but when I switched native IPv6 vs. tunnel I have been having stability issues with the LAN IPv6 range changing, so I wanted to give it a few snapshots of upgrades before I open that back up, etc.

  • Hi johnpoz,

    Are you implying it's blocked by default on v6 as well? Mine doesn't seem to be that way, as I can see services on my desktop computer's v6 address from the internet without any allowing rules. I suppose it's possible the rules got wiped out somehow. What is the proper way to block everything with v6?

  • LAYER 8 Global Moderator

    Yeah, they would be blocked by default, unless you created a rule or you're tunneling through pfSense.

    What is your IPv6 setup? Tunnel, native, what?

    How are you checking that they are open? You can do a quick check here: http://www.subnetonline.com/pages/ipv6-network-tools.php

    So you can see: ping works, then disable the rule that allows it, and then ping doesn't work.

  • Rebel Alliance Developer Netgate

    Both IPv6 and IPv4 are blocked by default. If something is getting through, it's either being passed by pfSense, or your PC is using an IPv6 tunneling technique directly (e.g. teredo) and the firewall doesn't see the IPv6 traffic.
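    The policy described in the posts above ("block all inbound, open only what you need", plus the tunneling caveat), written out as an added example in raw pf syntax. This is not pfSense's own generated ruleset or anything posted in this thread; pfSense builds its rules from the GUI and adds its own ICMPv6 neighbour-discovery rules automatically. Interface names, the 2001:db8: prefix and the NTP host address are assumptions for illustration:

```pf
# Added example, not pfSense's generated rules. Interface names, the LAN
# prefix (IPv6 documentation range) and the NTP host are assumptions.
wan_if = "em0"
lan_if = "em1"
lan6   = "2001:db8:1234::/64"

# Default deny inbound on the WAN for both address families; log drops.
block in log on $wan_if all

# ICMPv6 that must get through or IPv6 stops working on the link:
#  - router/neighbour discovery, always sourced from link-local addresses
#  - unreach / too-big / time-exceeded / parameter-problem, needed for
#    path MTU discovery and error reporting (no fragmentation in routers)
#  - echo requests, so the outside ping check from the thread can succeed
pass in quick on $wan_if inet6 proto ipv6-icmp from fe80::/10 \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }
pass in quick on $wan_if inet6 proto ipv6-icmp \
    icmp6-type { unreach, toobig, timex, paramprob, echoreq }

# Only explicitly opened services are reachable, e.g. an NTP server on
# one LAN host (assumed address). Everything else still hits the block.
pass in on $wan_if inet6 proto udp from any to 2001:db8:1234::123 port ntp

# A LAN host that builds its own IPv6-over-IPv4 tunnel (Teredo to UDP/3544,
# 6to4 or 6in4 as IP protocol 41) bypasses the rules above entirely: pf
# only sees IPv4 carrying an opaque payload. Drop the encapsulation on the
# way out so a host cannot route around the firewall.
# Caveat: "proto 41" also kills an intentional 6in4 tunnel; exempt it
# (e.g. with an earlier "pass" to the tunnel broker) if you run one.
block out quick on $wan_if inet proto udp from any to any port 3544
block out quick on $wan_if inet proto 41

# Outbound IPv6 from the LAN prefix is allowed; state lets replies return.
pass out on $wan_if inet6 from $lan6 to any keep state
```

    The two things people most often get wrong when copying an IPv4 mindset over are covered here: ICMPv6 cannot be blocked wholesale the way ICMP often is on IPv4, and a default-deny on the WAN says nothing about tunnels that end on a host inside the LAN, which is exactly the Teredo case mentioned above. Verify the result from a host outside your own prefix; a scan from inside the LAN never traverses the WAN rules.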

  • Sorry for the confusion, it seems things are being filtered so it's working as intended.

    johnpoz - thanks for the site for checking, it seems I was doing it wrong.

  • LAYER 8 Global Moderator

    How were you doing it? Checking it from a host that was on your IPv6 network?