Thread: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

  1. #16
    Join Date
    Jul 2010
    Posts
    322

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Manny,
    Thanks for your expertise... that's what I thought, but I did not realize how this translated into home networks as well.

    Again, Thanks for helping me understand this.

  2. #17
    Join Date
    Mar 2009
    Posts
    577

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Thanks Manny!

    Now I owe you 2 Moosehead ales! They may be illegal down there! 6%!
    Best Regards!

    .... there is always time to do it over, but never enough to do it right the first time....

  3. #18
    Join Date
    May 2003
    Location
    CSA Consulate,Rm.101,Glos. UK
    Posts
    5,815

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Quote Originally Posted by Escalader View Post
    Thanks Manny!

    Now I owe you 2 Moosehead ales! They may be illegal down there! 6%!
    speaking of a couple of moosehead ales, here's what happens
    Regards,

    CAVE CANEM
    ET SEMPER PARATUS

    Win7 x64 SP1, i7 quad core 3770k, 16GB ram, Custom build PC wi. Asus P8Z77-I MB, nVidia GTX650, Firefox 31.0a1 x64,
    Thunderbird 31.0a1 x64, IE10, Asus DSL-N55U router, Outpost Security Suite9.1 (4642.690.1951),
    in-house IT Support Dept. consisting of two greyhounds, both of which are now very fast angels, and one saluki



  4. #19
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,671

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Quote Originally Posted by Escalader View Post
    Thanks Manny!

    Now I owe you 2 Moosehead ales! They may be illegal down there! 6%!
    Thanks. I'll collect it.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002

  5. #20
    Join Date
    Mar 2009
    Posts
    577

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Manny:

    I am shocked you would collect after you saw the image posted of the devastating effects!
    Best Regards!

    .... there is always time to do it over, but never enough to do it right the first time....

  6. #21
    Join Date
    May 2003
    Location
    CSA Consulate,Rm.101,Glos. UK
    Posts
    5,815

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    the moose on the right is also obviously under age!
    Regards,

    CAVE CANEM
    ET SEMPER PARATUS

  7. #22
    Join Date
    Mar 2009
    Posts
    577

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Hello:

    There is a US-CERT paper out on blocking/filtering of IPv6 traffic. Here is its title.

    Technical Information Paper TIP-12-225-01
    Fundamental Filtering of IPv6 Network Traffic
    Tim Stahl, Michael King, Robert Renstrom

    Here is an excerpt:

    • All traffic from these addresses or ranges should be blocked both inbound and outbound.
      o The loopback address is ::1/128.
         Can be displayed as
          • 0:0:0:0:0:0:0:1
          • ::1
      o The unspecified address, similar to the IPv4 address 0.0.0.0, is ::/128, and is only used when an interface doesn't know what its link local address is yet.
         Can be displayed as
          • 0:0:0:0:0:0:0:0
          • ::/0
          • ::
         Depending on your IPv6 implementation, this address may be seen within your network but should not appear on the internet or be routed to it.
      o The IPv4-mapped address is ::FFFF:0:0/96.
         The IPv4 address 129.107.86.36 can be displayed as
          • 0:0:0:0:0:FFFF:129.107.86.36
          • ::FFFF:129.107.86.36
         IPv4-mapped addresses should not be confused with the similar, and deprecated, IPv4-compatible addresses. IPv4-mapped addresses can be used in a dual-stack environment to map IPv4 addresses to IPv6 addresses allowing IPv6-only applications to operate with IPv4 nodes.
         While they can be used internally on your network, they are not routable in the internet.
      o Link-local unicast addresses
         fe80::/10, fe90::/10, fea0::/10, feb0::/10
         Should be treated similarly to the private address space in IPv4. Expect to see these on your internal network, but don't allow it to cross your network border in either direction.
      o Site-local addresses are fc00::/7.
         This range functions the same as the IPv4 private address ranges

    Now this is highly complex for anybody (me included) and I don't have the skills or time or patience to harden my OP Pro FW settings to implement rules for these new addresses.

    So what is my question?

    Does the new version of OP FW Pro take care of these rules (hundreds of them) for IPv6 by creating presets? What about user LAN settings?

    Please let the thread know what us users have to do, if anything. So far, not knowing, I have done nothing other than make the same tick Manny showed me months ago.
    Best Regards!

    .... there is always time to do it over, but never enough to do it right the first time....
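The address ranges quoted from the paper above, expressed as a check that a border firewall or log reviewer could apply. This is an added illustration in Python; it is not code from this thread, from Outpost, or from the US-CERT paper. The prefix list is the one in the excerpt, the audit() interface and its flow-record shape are assumptions of this example, and the sample flows are constructed.

```python
"""Border check for the IPv6 ranges the US-CERT excerpt says should not cross
a network boundary. Added example; not code from this thread, from Outpost,
or from the US-CERT paper. The sample flows below are constructed."""
import ipaddress

# Prefixes quoted in the excerpt, each with a short label.
# The excerpt lists fe80::/10, fe90::/10, fea0::/10 and feb0::/10 separately;
# as CIDR blocks those are all the same range, fe80::/10, so one entry covers them.
# fc00::/7 is what the excerpt calls "site-local"; the current name is unique-local.
BORDER_BLOCK = (
    (ipaddress.ip_network("::1/128"), "loopback"),
    (ipaddress.ip_network("::/128"), "unspecified"),
    (ipaddress.ip_network("::ffff:0:0/96"), "ipv4-mapped"),
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fc00::/7"), "unique-local"),
)


def classify(addr: str) -> str:
    """Label an address with the matching block-at-border range, 'routable' when
    it matches none of them, or 'not-ipv6' when the string is not an IPv6 literal
    (an IPv4 address from a mixed log, for instance)."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return "not-ipv6"
    for net, label in BORDER_BLOCK:
        if ip in net:
            return label
    return "routable"


def may_cross_border(addr: str) -> bool:
    """True when the excerpt's rules let an IPv6 address pass the border in either direction."""
    return classify(addr) == "routable"


def audit(flows):
    """flows: (direction, src, dst) triples as a border firewall sees them.
    Returns (src, dst, reason) for every flow the excerpt says to drop; the
    first offending side (src checked before dst) is the one reported."""
    hits = []
    for direction, src, dst in flows:
        for side, addr in (("src", src), ("dst", dst)):
            label = classify(addr)
            if label not in ("routable", "not-ipv6"):
                hits.append((src, dst, f"{direction} {side} {label}"))
                break
    return hits


# Constructed flow records (2001:db8::/32 is the IPv6 documentation prefix).
SAMPLE_FLOWS = [
    ("out", "fe80::1", "2001:db8::10"),              # link-local source leaving the site
    ("in", "2001:db8:ffff::5", "::1"),               # loopback as a destination from outside
    ("in", "::ffff:129.107.86.36", "2001:db8::10"),  # IPv4-mapped source, the paper's own example
    ("out", "fd00::20", "2001:db8:1::30"),           # unique-local source leaving the site
    ("out", "2001:db8::20", "2001:db8:1::30"),       # ordinary global traffic, allowed
    ("out", "192.0.2.10", "192.0.2.11"),             # IPv4 flow, not covered by these rules
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"DROP {src} -> {dst}: {reason}")
```

The check deliberately accepts every textual form the excerpt lists (0:0:0:0:0:0:0:1, ::1, ::FFFF:129.107.86.36, and so on) because ipaddress normalises them before the prefix comparison, which is exactly the normalisation a firewall must do before a string match on an IPv6 address is trustworthy.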

  8. #23
    Join Date
    Oct 2003
    Location
    Georgia, USA
    Posts
    12,671

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    OP can handle IPv6 but, like almost all IPv4 rules, you have to make them yourself unless you use the available presets. OP, for example, won't have a built-in rule, but do look in the low level rules; there should be one there that mentions IPv6, to block the loopback address [which by the way should not always be blocked]. Most equipment can't yet handle the IPv6 protocol, although Windows can, so on old machines this won't matter. For example, my new router can handle IPv6 but none of my network cards can, so it'll be a while for me - maybe a long while - before I turn on my router's IPv6 capability.

    For right now, unless you have an IPv6 network capable card, don't worry about it and leave it turned off. There's nothing to harden right now. Some time in the future when IPv6 becomes more common, and it will, then we will have to deal with it but for now it's safe to ignore it for a little bit longer. Mostly it's knowing how to handle the new IPv6 address terminology.

    Edit: I forgot, the IPv6 ICMP rules are built in.
    Last edited by Manny Carvalho; 11-11-2012 at 04:33.
    Regards,
    Manny Carvalho
    MS-MVP Windows since 2002

  9. #24
    Join Date
    Mar 2009
    Posts
    577

    Re: Rules for IPV6 (native) and IPV4 (Tunneled) Traffic

    Quote Originally Posted by Manny Carvalho View Post
    OP can handle IPv6 but, like almost all IPv4 rules, you have to make them yourself unless you use the available presets. OP, for example, won't have a built-in rule, but do look in the low level rules; there should be one there that mentions IPv6, to block the loopback address [which by the way should not always be blocked]. Most equipment can't yet handle the IPv6 protocol, although Windows can, so on old machines this won't matter. For example, my new router can handle IPv6 but none of my network cards can, so it'll be a while for me - maybe a long while - before I turn on my router's IPv6 capability.

    For right now, unless you have an IPv6 network capable card, don't worry about it and leave it turned off. There's nothing to harden right now. Some time in the future when IPv6 becomes more common, and it will, then we will have to deal with it but for now it's safe to ignore it for a little bit longer. Mostly it's knowing how to handle the new IPv6 address terminology.

    Edit: I forgot, the IPv6 ICMP rules are built in.
    Hi Manny:

    I have taken your advice (again!) and looked at my OP FW Pro 64 bit ICMPv6 settings. I have them ALL blank in and out so that means (I hope) that none of those connections will be allowed.

    I have also looked at the low level rules and set up blocking rules on any mention of IPv6.



    Now I can enjoy life by watching the log for attempts by svchost to go out!

    Wow here is one already! Blocked by my rule!

    1:39:23 PM SVCHOST.EXE OUT UDPv6 ff02::1:2 547 *Block Outbound UDP to DHCPv6s 0 0


    In the US Cert paper, ff indicates it is a multicast address.

    Here, for added excitement, is a section on tunneling, which can be used to bypass current firewall blocking rules.

    Tunneling
    If an organization cannot obtain an IPv6 address natively, then creating a tunnel is a viable method to establish connectivity between an IPv4 and another running IPv6. Tunneling can provide the connectivity, but it also presents security considerations since it can also provide a method to surreptitiously gain access to a network. The suggestions listed below help to mitigate the security issues.
      o 6to4 tunneling
         6to4 addresses are 2002::/16. The 6to4 addresses may be routed when the site is running a 6to4 relay or offering a 6to4 transit service. If not, then they can be blocked.
      o Teredo/Miredo (Unix, Linux) tunneling
         Teredo addresses are 2001::/32.
          • If you aren't using or allowing this type of tunneling, these addresses can be blocked.
      o Intra-site Automatic Tunnel Addressing Protocol (ISATAP tunneling)
          • Filter for this string: 0000:5EFE (followed by the 32-bit IPv4 address).
      • Additional tunneling information
        o Tunneled IPv6 within IPv4 traffic should be isolated to IPv4 protocol 41.
        o Tunneled IPv6 within IPv6 will contain a "next header" value of 41. This indicates that the type of packet contained within the IPv6 packet is also IPv6, where you would normally expect this to be ICMPv4 (next header value of 1), TCP (next header value of 6) or some other higher level protocol or possibly an extension header like a fragmentation or routing extension header.
      • Organizations that do not yet use IPv6 should block all native and tunneled IPv6 traffic at their firewalls. Note that such blocking limits testing and evaluation of IPv6 and IPv6 tunneling technologies for future deployment. To permit such use, the firewall administrator can selectively unblock IPv6 or the specific tunneling technologies of interest for use by the authorized testers.
      • "Use access control lists at border routers to block protocols 41 (used by 6to4), 43, 44, 58, 59, 60, and 192.88.99.1 (default anycast address of some 6to4 systems) would be a good place to start."
    Last edited by Escalader; 11-11-2012 at 07:06. Reason: add quotes
    Best Regards!

    .... there is always time to do it over, but never enough to do it right the first time....
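The tunnelling indicators from the paper's section above (6to4 and Teredo prefixes, the ISATAP 0000:5EFE identifier, IPv4 protocol 41, the 192.88.99.1 anycast relay), together with the multicast note on the Outpost log line earlier in this post, turned into a small inspection routine. This is an added example in Python, not code from the thread, from Outpost, or from the US-CERT paper. It goes a little beyond the excerpt by also pulling the IPv4 endpoints out of 6to4 and Teredo addresses, following the address layouts in RFC 3056 and RFC 4380, so a reviewer can see where a tunnel terminates. The field order assumed for the Outpost log line is inferred from the single line quoted above; the other sample addresses and flows are constructed.

```python
"""Tunnelling indicators from the US-CERT excerpt applied to IPv6 addresses,
IPv4 flow records and an Outpost log line. Added example; not code from the
thread, from Outpost or from the paper. Embedded-address layouts follow
RFC 3056 (6to4) and RFC 4380 (Teredo); the Outpost field order is an
assumption inferred from the one line quoted in the post."""
import ipaddress
from typing import Optional, Tuple

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
MULTICAST = ipaddress.ip_network("ff00::/8")
SIX_TO_FOUR_ANYCAST = ipaddress.IPv4Address("192.88.99.1")
IPV6_IN_IPV4 = 41  # IPv4 protocol number that carries tunnelled IPv6


def isatap_embedded_ipv4(ip: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address inside an ISATAP interface identifier, or None.
    The identifier is 0000:5EFE:w.x.y.z as the excerpt says; 0200:5EFE is the
    same identifier with the u/g bit set for a globally unique IPv4 address."""
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF
    if iid >> 32 in (0x00005EFE, 0x02005EFE):
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def teredo_client_port(ip: ipaddress.IPv6Address) -> int:
    """UDP port of the Teredo client: bits 80-95, stored XORed with 0xFFFF (RFC 4380)."""
    return ((int(ip) >> 32) & 0xFFFF) ^ 0xFFFF


def inspect_ipv6(addr: str) -> Tuple[str, Optional[str]]:
    """Classify an IPv6 address as 6to4, teredo, isatap, multicast or native,
    with the embedded IPv4 endpoint(s) where the address carries them."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SIX_TO_FOUR:
        return "6to4", str(ip.sixtofour)            # IPv4 address sits in bits 16-47
    if ip in TEREDO:
        server, client = ip.teredo                   # stdlib undoes the client-address XOR
        return "teredo", f"server={server} client={client}:{teredo_client_port(ip)}"
    v4 = isatap_embedded_ipv4(ip)
    if v4 is not None:
        return "isatap", str(v4)
    if ip in MULTICAST:
        scope = (int(ip) >> 112) & 0xF               # ff02::1:2 from the log line is scope 2 (link-local)
        return "multicast", f"scope={scope}"
    return "native", None


def inspect_ipv4_flow(proto: int, src: str, dst: str) -> list:
    """Findings for an IPv4 flow that carries or sets up a tunnel."""
    findings = []
    if proto == IPV6_IN_IPV4:
        findings.append("ipv6-in-ipv4 (protocol 41)")
    if SIX_TO_FOUR_ANYCAST in (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)):
        findings.append("6to4 relay anycast 192.88.99.1")
    return findings


def parse_outpost_line(line: str) -> dict:
    """Split an Outpost log line of the form quoted in the post:
    '<time> <AM/PM> <process> <IN/OUT> <proto> <remote addr> <port> <rule text...>'
    (field order is an assumption inferred from that single line)."""
    f = line.split()
    return {"process": f[2], "direction": f[3], "proto": f[4],
            "remote": f[5], "port": int(f[6]), "rule": " ".join(f[7:])}


# The log line quoted in the post above.
SAMPLE_LOG = "1:39:23 PM SVCHOST.EXE OUT UDPv6 ff02::1:2 547 *Block Outbound UDP to DHCPv6s 0 0"

# Constructed addresses using the IPv4 documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_ADDRS = [
    "2002:c000:204::1",                    # 6to4 host whose IPv4 side is 192.0.2.4
    "2001:0:c000:201:0:63bf:39cc:9bf8",    # Teredo: server 192.0.2.1, client 198.51.100.7 port 40000
    "2001:db8::5efe:c000:205",             # ISATAP identifier carrying 192.0.2.5
    "2001:db8::1",                         # plain global address
]

if __name__ == "__main__":
    rec = parse_outpost_line(SAMPLE_LOG)
    print(rec["process"], rec["direction"], rec["remote"], inspect_ipv6(rec["remote"]))
    for a in SAMPLE_ADDRS:
        print(a, inspect_ipv6(a))
    print(inspect_ipv4_flow(41, "192.0.2.10", "192.88.99.1"))
```

Decoding the endpoints matters for a defender because a "block 2001::/32" rule says nothing about which external relay a host was talking to; the embedded server and client addresses are what you would carry into an investigation of an unexpected tunnel.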
