IPv6 Firewall ICMPv6 quirk

Model : RV110W      Firmware : 1.2.0.9
Hi, I'm studying the RV110W IPv6 Firewall in the context of a long IPv6 study / blog post (30+ posts so far).
I've found a strange quirk in the RV110W IPv6 Firewall that I can't understand.
I've redone all the tests, and this is what appears:
Creating an ICMP service using Service Management (Protocol: ICMP)
and using this service in an Access Rule, with any of these settings:
Default Outbound Policy: Allow or Deny
Action: always allow or always block
Service: ICMP
Connection type: Inbound or Outbound
leaves the inbound TCP IPv6 firewall fully open, with TCP packets flowing freely in and out.
As an example, my LAN server had all its services (web server, mail server, ...) usable from the outside.
Is this a bug?
Can anybody confirm this?
(Screenshots of two bug-triggering configs attached. As stated, it seems to happen whatever the rule settings.)

Dear Customer,
Thank you for reaching the Small Business Support Community.
Even though firmware version 1.2.0.9 addresses some IPv6 issues, I think this is something new. I see in the ICMPb and c gif files that both access rule actions are "always allow", but you also say you tried both actions, allow and deny, with no difference. In my opinion it is a bug, and I suggest that, in order to confirm this and provide a solution, you contact the Small Business Support Center directly so that one of our TAC engineers can figure this out:
https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Please do not hesitate to reach me again if there is anything further I may assist you with in the meantime.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the post so others will know when an answer has been found.

Similar Messages

  • Airport Extreme IPv6 firewall bug

    I've been experimenting with IPv6 support in the Airport Extreme, and I think I found a bug.
    If a host on the WAN side has a smaller MTU, as might be the case if it is being tunneled, then attempting to run a bunch of data through a TCP connection will naturally result in the remote host returning an ICMPv6 packet too big notification. Those don't seem to be making it through the IPv6 firewall in the AEBS back to the originating host. This locks up the TCP connection. Reducing the MTU of the local host's interface is a workaround, but it's annoying.

    This magically fixed itself some time ago.
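The Packet Too Big case above is the classic way a firewall breaks IPv6 path MTU discovery: if ICMPv6 type 2 never reaches the sender, every large TCP transfer through a smaller-MTU tunnel stalls. The following is an added example, not code from the original post or from Apple. It parses a raw IPv6+ICMPv6 packet, verifies the ICMPv6 checksum over the pseudo-header, and applies an RFC 4890-style policy: error messages and echo pass, Neighbor Discovery is dropped because it is link-local only. The sample packets, addresses (RFC 3849 documentation prefixes) and type tables are constructed here for the demo.

```python
"""ICMPv6 transit filter check (RFC 4890 style).

Added example, not code from the original thread or from Apple. It parses
a raw IPv6 packet, verifies the ICMPv6 checksum over the IPv6 pseudo-header,
and says whether a border firewall should forward the message: error
messages such as Packet Too Big (type 2) must pass, Neighbor Discovery must
not. Sample packets are constructed inline.
"""
import ipaddress
import struct

ICMPV6 = 58

# RFC 4890 sect. 4.3.1: ICMPv6 messages a transit firewall must not drop
# (destination unreachable, packet too big, time exceeded, parameter problem,
# echo request, echo reply).
TRANSIT_ALLOW = {1, 2, 3, 4, 128, 129}
# Neighbor Discovery and MLD are link-local only and must never be forwarded.
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 143}

ICMPV6_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big",
                3: "Time Exceeded", 4: "Parameter Problem",
                128: "Echo Request", 129: "Echo Reply",
                134: "Router Advertisement", 135: "Neighbor Solicitation"}


def icmpv6_checksum(src, dst, icmp):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, icmp_type, code, body, hop_limit=64):
    """Construct an IPv6 + ICMPv6 packet with a correct checksum (test input only)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + body
    icmp = struct.pack("!BBH", icmp_type, code, icmpv6_checksum(src, dst, unchecked)) + body
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit) + src.packed + dst.packed
    return ip6 + icmp


def decide(packet):
    """Return 'allow ...', 'drop ...' or 'pass ...' for one raw IPv6 packet."""
    if len(packet) < 40:
        return "drop: truncated IPv6 header"
    ver_tc_fl, plen, nxt, hop_limit = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        return "drop: not IPv6"
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + plen]
    if nxt != ICMPV6:
        return "pass: not ICMPv6 (next header %d)" % nxt
    if len(icmp) != plen or plen < 8:
        return "drop: truncated ICMPv6 message"
    icmp_type, code, csum = struct.unpack("!BBH", icmp[:4])
    # Recompute with the checksum field zeroed; a bad checksum means a corrupt
    # or forged message, which must never be allowed to influence a TCP session.
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        return "drop: bad checksum"
    name = ICMPV6_NAMES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type in LINK_LOCAL_ONLY:
        # NDP is only valid on-link (hop limit 255) and is never forwarded.
        return "drop: %s is link-local only" % name
    if icmp_type in TRANSIT_ALLOW:
        return "allow: %s code %d" % (name, code)
    return "drop: %s not permitted through transit" % name


# Constructed samples using documentation prefixes (RFC 3849).
# Packet Too Big: 4-byte MTU followed by as much of the offending packet as fits.
PACKET_TOO_BIG = build_packet(
    "2001:db8:ffff::1", "2001:db8:1::10", 2, 0,
    struct.pack("!I", 1280) + bytes([0x60]) + bytes(39))
# Router Advertisement from a link-local source, as it would arrive on the WAN side.
ROUTER_ADVERT = build_packet(
    "fe80::1", "ff02::1", 134, 0, bytes(12), hop_limit=255)


if __name__ == "__main__":
    for label, pkt in (("packet too big", PACKET_TOO_BIG), ("router advert", ROUTER_ADVERT)):
        print("%-16s %s" % (label, decide(pkt)))
```

The checksum step matters in practice: an off-path attacker can forge Packet Too Big messages to shrink a victim's path MTU, so a filter that forwards type 2 should at least discard messages that do not verify, and a host should additionally check that the embedded original packet belongs to one of its connections.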

  • Creating IPv6 firewall exceptions for several machines

    Hi,
    I've just set up my Airport Extreme (802.11n) with my new IPv6 tunnel (SixXS). I have a /48 prefix, all my home computers are individually pingable, all have forward and reverse DNS, my name appears on WHOIS for both the domain and IP address range.
    I'm very happy. My 20 years of masquerading are over!
    Now, when configuring the IPv6 firewall on the AE, I'd like to setup an exception, say SSH, for all machines on my network.
    When I enter an exception such as this (anonymized, RFC 3849):
    IPv6 address: 2001:db8:1234:0:260d:cd3f:fc81:2a0f
    TCP port(s): 22
    UDP port(s):
    This works fine. But, it would be logical that the following would also work:
    IPv6 address: 2001:db8:1234::/64
    TCP port(s): 22
    UDP port(s):
    Meaning that connections to TCP port 22 would be allowed to any address in that subnet. However, it doesn't.
    Now, is this a feature which is not present in the current firmware of the AE?
    Or am I doing it the wrong way?
    Really, I hope it's the second alternative. Or else, I will have to add an exception to every single host. Now, it's not that I have a lot of machines. There are six nodes on my network. FreeBSD, Linux and a couple of macs.
    But if you multiply that by the number of services that each machine will support, say 3-6, you get 18 to 36 exceptions on the firewall.
    Now, it's doable, of course. I can enter say 24 individual exceptions.
    However, a list of 24 is a lot harder to manage and to look at in the small box of the airport utility's interface, than a list of 6 exceptions would be.
    I would feel safer maintaining a small list.
    The AE allows an exception for ALL ports of a single machine. And that would be an option I would rather not use.
    Anyone?

    This appears to have been fixed in firmware 7.4

  • Problem with IPV6 Firewall since firmware 7.6.1

    I have a problem with the IPv6 Firewall (port forwarding using a HE tunnel) since the firmware 7.6.1 upgrade. IPv6 outbound is working, but ports are not being forwarded to my local IPv6 address. I have used the IPv6 Firewall, and it worked before.
    Any suggestions, solutions?

    Go back one firmware version into release 7.6
    I had similar problems with an IPv6 tunnel not working anymore after the 7.6.1 upgrade.
    When I 'rolled' back to 7.6, my IPv6 tunnel came back working.
    I also use the old Airport Express application on my OS X; the new one with the globe on the black screen is missing the IPv6 tabs in the application.

  • Forwarding through IPv6 Firewall partial solution

    I figured out how to selectively forward port 22 (ssh) to all of my internal machines at home, through the Airport Express's IPv6 firewall. I couldn't find documentation for this, so I'm sharing, to help anyone else that might be trying to accomplish the same.
    Under Advanced / IPv6 Firewall, add an Exception. This hint is how to choose the appropriate IPv6 address so that you add port forwarding for a specific port to all machines. For the IPv6 address field, enter :: (that is, a double colon).
    So my exception looks like this:
    Description - ssh
    IPv6 Address - ::
    Specific TCP and UDP ports
    TCP Port(s) - 22
    UDP Port(s) -
    Note that I have no security fears for enabling port 22, because my personal IPv6 address space is 64 bits, which would take ages for anyone to probe to find my machines listening on port 22, just so that they could then probe for obvious accounts and passwords. And password probing is easy to defeat anyway --- just disable password-based logins and require public/private key logins.

    Call your ISP and have them set your modem into BRIDGED MODE... ask them also for your account username and password... Go to your router setup page and configure its IP to 192.168.2.1 and set it to PPPoE; you have to type your username and password after this, then save the settings... that way, your Westell will be a modem only and your firewall will only be the Linksys.

  • RV220W - Feature Request - IPv6 Firewall

    At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.

    Cisco has a long list of bugs associated with the RV220W that need to be addressed before they start adding new features. We moved up to the SA540. Not only are there IPv6 firewall options, the SA540 has IPS for a nominal yearly (or 3-year) fee. You are looking at < $200 (from provantage.com) for a 3-year IPS license. Not bad.

  • RV110W + IPv6 Webserver Inbound access

    Model : RV110W      Firmware : 1.2.0.9
    Hi!
    I'm studying the RV110W IPv6 Firewall in the context of a long IPv6 study / blog post (30+ posts so far).
    The RV110W IPv6 Firewall got me totally puzzled.
    I've redone all the tests, and this is what appears:
    To allow external access to an IPv6 web server located on the LAN side of the RV110W, it seems that:
    creating an inbound allow rule is useless and unneeded;
    creating a Single Port Forwarding rule is compulsory and sufficient.
    1. Can anybody confirm this?
    2. Does this IPv6 Single Port Forwarding rule actually automatically create an 'invisible' IPv6 Firewall allow-in rule?
    3. How come an IPv6 Firewall allow-in rule is not enough?
    4. Could anybody explain this mysterious sentence from the RV110W admin guide to me:
        "Port forwarding is not appropriate for servers on the LAN, since there is a dependency on the LAN device making an outgoing connection before incoming ports are opened. Some applications require ... ..."
       What is appropriate for servers on the LAN then? Isn't the LAN the place for servers? Isn't port forwarding the historical way to make LAN servers accessible to the outside world? This sentence seems to describe stateful firewall functioning, so is the sentence mistyped, and should it actually read "Port Forwarding IS appropriate for servers on the LAN, since ..."?
    Thanks for any help
    PS. I also found an IPv6 Firewall ICMPv6 quirk, which I put in another thread

    Hi computerone1, thank you for using our forum. My name is Luis, and I am part of the Small Business Support community.
    Well, as you know, port forwarding and the access list are different: port forwarding forwards the port, and the access list creates a rule to provide or deny access. In this case I would recommend that you use both protocols in order to provide control of the access to your server.
    I hope you find this answer useful
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • IPv6 Passthrough?

    My IPTV box uses IPv6 through the router supplied by my ISP.  If I connect the IPTV box to the TC with it in router mode using any of the three IPv6 setting options of host, tunnel or router, the IPTV box doesn't work.  I tried a different router with an IPv6 passthrough setting option and the IPTV box worked with that one in router mode.
    I prefer to use my TC as the primary router but my IPTV box only works with it in bridge mode.  Does anyone know how to configure a Time Capsule for IPv6 passthrough?

  • IPv6 - No buffer space available

    Anyone else seen this IPv6 weirdness:
    6to4 tunnel to Hurricane Electric. Mac Pro is the router and tunnel endpoint (gif0). ip Protocol 41 passed through various routers/firewalls, etc.
    sysctl'd ipv6 forwarding on and RA.
    statically assigned /64 either end on subnet 2001:feed:d00d:1f04:: for tunnel
    local wire net /64 subnet 2001:feed:d00d:1f05:: (I made up these example addrs, so don't get all bothered)
    rtadvd configured for en0, with :tc=ether.
    en0 assigned a /128%en0 address in Control Panel. Perfect, works great.
    After about 8 hours, connectivity dies, err= "Sendmsg: No buffer space available".
    FYI: sysctl kern.ipc.maxsockbuf: 4194304
    I can still ping locally and hit either end of the tunnel, but no external addresses, as routing has stopped. ipv6 and icmpv6 are not transmitted or received to/from routed nets. Inbound traffic is dumped on the floor, with no icmpv6 message, such as a type 1 (no route available).
    What (semi) fixes it is to NOT assign the /128%en0 in Control Panel, and instead ifconfig the address for en0. However, this stimulates a bug in rtadvd where it assigns an incorrect link-local fe80:: as the default gw if the Control Panel IPv6 is set to Auto. Even if rtadvd is configured correctly, a bug overrides the rtadvd.conf en0 addr and advertises an incorrect link-local addr as route 'default'.
    netstat still shows the correct default route, gif0 is fine in terms of routes and so on and ip6fw rules are flushed for the purposes of this test.
    Rock and a hard place .
    thanks!
    geoff

    Hi Ananda and Vyara,
    Thanks a lot for your replies!
    Restart did not help (including restart the machine).
    From the google search I also hit the same MS page. Obviously it did not help either. I guess there is some problem with connection to the SQL server. I checked the tcp connections and another server which is running well has more connections than this one.
    Regards,
    Hart

  • NAT firewall in Time Capsule and config via AirPort Utility

    I just checked the firewall on my Time Capsule via http://www.grc.com/ and it failed on the "All Service Ports" test with "Stealth" on the following ports:
    135/epmap : DCE end point resolution
    139/netbios-ssn : NetBIOS Session Service
    445/microsoft-ds : Microsoft Directory Service
    593/http-rpc-epmap : HTTP RPC Ep Map
    I'm sure this isn't a major security violation, but having looked at AirPort Utility v5.3.2 (under Advanced --> Port Mapping/IPv6) I can't see any useful options to increase the security of the firewall by blocking the above ports.
    Having looked at the help page for AirPort Utility: "Customizing the IPv6 firewall" I'm confused because it refers to a "IPv6 Firewall" tab under the advanced settings in AirPort Utility that does not appear on my screen (i.e. 'Allow Teredo tunnels' etc).
    Has anyone managed to setup Time Capsule so that it passes the above 'Shields Up' test? I'd be interested if they could post some instructions here.

    Hi, I don't think you read my post properly. I'm not asking for 'stealthing' support. I'm complaining about the fact that the Time Capsule fails security tests when the ports I list are probed.
    It's possible that I did ... and if so, I apologize. I assumed that when you stated "... it failed on the "All Service Ports" test with "Stealth"", you were referring to the desired outcome to have the Time Capsule respond with a status of "Stealth" for all ports tested.
    Note that all the other ports that I've not listed passed the test (Time Capsule did not respond to probes) and I just want to configure the same behavior for these failing ports.
    Again, if you want the Time Capsule to respond to the GRC tests with "Stealth" this may not be achievable. The AirPorts do not have an option to close individual ports or control their status when responding to tests like these that I'm aware of ... at least not natively through the AirPort Utility.
    You may find the following blog an interesting read: Just how important is it to be stealthy on the 'Net?. I offer it only as an alternate opinion to GRC's stance on the topic.
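Both the RV110W report at the top of this page (a LAN server's services suddenly reachable from outside) and the GRC "All Service Ports" discussion above come down to the same question: for a given port, did the target complete the handshake, answer with a RST, or stay silent? The check below is an added example, not code from either thread or from Cisco, Apple or GRC. It classifies each TCP port as "open" (SYN-ACK), "closed" (RST, which is what GRC reports as not stealth) or "filtered" (no answer). The default port list and the command-line target are placeholders; demo_local() exercises the same logic offline against a loopback listener so it can be run anywhere.

```python
"""TCP reachability check: open / closed / filtered per port.

Added example, not from the original posts or from Cisco or Apple. It
distinguishes three outcomes: "open" (SYN-ACK: inbound TCP really is
getting through the firewall), "closed" (RST: the device answered, which
GRC counts as not stealth) and "filtered" (nothing came back). The target
and port list are placeholders; demo_local() runs the same logic offline
against loopback.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports named in the threads: SSH/mail/web on the LAN server, plus the four
# the GRC "All Service Ports" test flagged. Placeholder list, adjust as needed.
DEFAULT_PORTS = [22, 25, 80, 135, 139, 443, 445, 593]


def probe(host, port, timeout=2.0):
    """Attempt a full TCP handshake; works for IPv4 and IPv6 literals or names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A RST came back: the host is reachable and nothing in front of it filtered us.
        return "closed"
    except socket.timeout:
        # No SYN-ACK and no RST: dropped on the path (a firewall, or GRC's "stealth").
        return "filtered"
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)


def scan(host, ports, timeout=2.0, workers=16):
    """Probe every port concurrently; returns {port: outcome}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outcomes = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, outcomes))


def _loopback_listener():
    """Bind a listening socket on ::1, falling back to 127.0.0.1 without IPv6."""
    for family, host in ((socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")):
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue
        try:
            s.bind((host, 0))
            s.listen(5)
            return s, host
        except OSError:
            s.close()
    raise RuntimeError("no loopback interface available")


def demo_local():
    """Offline demo: one listening port and one port just released, on loopback."""
    listener, host = _loopback_listener()
    open_port = listener.getsockname()[1]
    spare = socket.socket(listener.family, socket.SOCK_STREAM)
    spare.bind((host, 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # nothing listens here now -> expect a RST
    try:
        return host, open_port, closed_port, scan(host, [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]            # e.g. the LAN server's global IPv6 address
        results = scan(target, DEFAULT_PORTS)
    else:
        target, _, _, results = demo_local()
    for port, state in sorted(results.items()):
        print("%s port %-5d %s" % (target, port, state))
```

Run it from a host outside the firewall against the server's global IPv6 address, once with the ICMP access rule in place and once without; a change from "filtered" to "open" on ports that have no port-forwarding entry is the evidence the RV110W poster was asked to bring to TAC. Note that "closed" is a stronger result than it looks: a RST proves the probe reached a stack behind the firewall.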

  • Allowing an IPv6 Tunnel Broker to passthrough ASA

    I am in the process of setting up an IPv6 tunnel broker on a 1811 router I have in my home lab so I can start working with IPv6 and getting access to IPv6-only websites and/or content. I believe that I have the 1811 set up correctly but am having problems getting the tunnel broker traffic (which is IPv4 based) to pass through my ASA. I know that I need to allow protocol 41 to come through from the outside but can't seem to find a way to get it to go through.
    I am using 8.2.5 firmware on my 5505. I would prefer not to have to upgrade to 8.3 or 8.4 because of the way the NAT rules and some other things change. My ISP only offers me a single IP address. I would prefer not to have to upgrade to business service to get multiple IP addresses. I have been looking for docs on how to do this but so far haven't found anything that points me in the right direction.
    Ran a protocol capture and noticed this error in the ASDM log:
    3 | Jan 18 2012 | 19:16:20 | 209.51.181.2 | regular translation creation failed for protocol 41 src Inside:192.168.1.100 dst Outside:209.51.181.2
    In looking at the rules, it appears that I need an access rule to allow the protocol 41 traffic to go outbound.
    Added these lines to the ASA config:
    object-group protocol IPV6inIP
    protocol-object 41
    access-list inside_access_in line 2 extended permit object-group IPV6inIP any any
    Still getting the above error after putting in the config lines just listed. Beginning to suspect that the 8.2.5 binary doesn't support protocol forwarding. I don't see the traffic leaving the ASA, so that would seem to indicate that 8.2.5 can't do protocol forwarding in the NAT rules.
    Any suggestions/links appreciated,
    Ron

    Erik,
    Thanks for your reply ...
    I upgraded the software on my ASA 5505 yesterday from 8.2 to 8.4, and I have to tell you ... I have never been so excited by an ASA upgrade ... anyway ... I tried to use a Cisco 3560G-PS-S as a tunnel endpoint on the inside of my network, but apparently the software on this hardware does not support the command "tunnel mode ipv6ip", which makes it impossible to set up a tunnel ... I got the tunnel up, but there is no way to ping the other side of the IPv6 tunnel ...
    Anyway ... I discovered what NAT rules / object groups / access-lists I need in order to create the NAT rule ... but there is something else that I don't understand...
    What IPv6 addresses have you configured on the inside/outside of your ASA?
    And what IPv6 addresses have you configured on your internal hosts on the "inside" of your network?
    I reckon that the "inside" hosts use your IPv6 endpoint device as a default gateway and that this tunnel endpoint uses the tunnel interface as a default gateway ... and that this device is also handing out the IPv6 addresses in your "inside" network, right?
    And what IPv6 address do you have configured on the outside/inside of the ASA? Is that the /64 you get from the tunnel provider (Hurricane Electric or SixXS), and I guess this traffic is routed to the tunnel endpoint device as well?
    So IPv6 firewalling is not possible?
    Let me know if I have it correct ...
    Thanks,
    Iwan

  • IPv6 bridging configuration

    I have an Airport Extreme 802.11n running firmware 7.4.2. Its LAN port is connected to Gigabit Ethernet LAN that provides native IPv6 (i.e. no tunnels required) at a university. My MacBook Pro running 10.6.4 has no problem obtaining a valid IPv6 address automatically when connected to the same Ethernet, so IPv6 is working fine.
    What I would like to do is configure the AEBS to continue to NAT IPv4 traffic, but to bridge IPv6 traffic so that WiFi clients can obtain their own IPv6 address. While I can find endless tutorials around on setting up the AEBS as a tunnel endpoint, I can't find any information on how to bridge IPv6 traffic from LAN to WAN.
    The only IPv6 configuration option is Mode, which can be "Host" or "Tunnel". Since Tunnel is obviously not what I want, I have Host selected, and have Configure IPv6 set to "Automatically". However, when configured this way, my MBP does not get an IPv6 address when solely connected via WiFi to the AEBS.
    Am I missing something? Does the AEBS support IPv6 tunnels, but not (the much easier and hopefully increasingly more common) native IPv6 for wireless clients? Any help would be appreciated.

    It's not working for you because you obviously assumed wrong. Turn on Tunnel mode. Now you should be able to go out using ipv6 on your MBP. Try http://ipv6.google.com/
    If you want to be able to connect from the outside in to your MBP then you need to shut off the ipv6 firewall. I (and nobody else it seems) can't get the ipv6 firewall exceptions to work, so it's either block all or no incoming traffic until Apple fixes this. Turning the ipv6 firewall off obviously exposes your machine to the public ipv6 internet.
    good luck.

  • Apple tv-firewall prolem?

    In Leopard 10.5.1 Itunes sees the Apple Tv.
    With the firewall on, set to allow only essential services, and iTunes added to the applications, when attempting to sync a movie I'm told to make sure port 3689 is opened, but no information other than that.
    If I turn the firewall off I can sync the movie, but have been unable to stream one. I can get the "source" to appear on Apple Tv, but it dims after attempting to access it.
    Seems odd!
    Sharing is enabled and I have repaired permissions also.
    Using Airport extreme

    After installing 10.5.1 I had the same problem. I then decided to reinstall 10.5 without any additional software on my iMac, and I reset my Apple TV to factory settings. After doing this I could use my Apple TV with 10.5, but it still worked erratically somehow.
    All the problems completely went away after I changed the configuration of my Airport Extreme. Please try the following:
    1. Open AirPort Utility, located in the Utilities folder inside the Applications on a Mac, or in
    Start > All Programs > AirPort on a Windows computer.
    2. Select your base station from the list, and then enter the base station password.
    3. Click the Advanced button, and then click IPv6 Firewall
    Deactivate “Allow Teredo tunnels” and “Allow incoming IPSec authentication”
    4. Restart the Airport Extreme
    Please let me know if it works for you.
    Ody

  • Time Capsule Firewall configuration

    Does anyone have the IPv6 Firewall enabled? If so, how do you have yours configured? There's basically little info in the docs regarding this firewall or how to properly configure its settings.

    Issue is resolved. I used the initial randomly generated shared secret that was generated by Lion Server. The shared secret has special characters. iOS did not like the special characters. See the iPhone console log below:
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] INFO: Reading configuration from "/etc/racoon/racoon.conf"
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: /var/run/racoon/68.9.232.78.conf:6: "?gLA" syntax error
    Jul 26 20:00:36 iPhone-4 racoon[718] <Info>: [718] ERROR: fatal parse failure (1 errors)
    That is why I never saw any attempt to connect. The actual process would bomb out before attempting to make a connection to the server.
    The shared secret key was:
    Y|WNwvM_O"?gLA$F@adT
    Looks like it was the " or the ? symbols.
    Once I changed the shared secret key the issue went away and the iPhone and iPad could connect to vpn without issue.
    Figured I'd let you all know

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi every body,
    I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 server. Interestingly, the server's firewall blocks
    a) all AirPlay traffic and
    b) 'reading Airport configuration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
    What I don't know is whether this is sticky, i.e. whether it survives a reboot.
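The rule table in the post reads differently once you walk it the way ip6fw does, lowest number first, first match wins: anything to ff02::/16 (the link-local multicast range that mDNS/Bonjour uses for discovery) is allowed by 01100, but every unicast IPv6 packet, including the replies that follow discovery, falls through to 65000 and is denied, which is consistent with AirPlay devices being found but not streaming. The following is an added example, not code from the original post or from Apple: a small first-match evaluator for `ip6fw show` output. The table is copied from the post; the addresses used in the demo are RFC 3849 documentation addresses chosen here, and the interface names are assumptions.

```python
"""First-match evaluator for an `ip6fw show` rule table.

Added example, not from the original post or from Apple. It parses the
table exactly as printed (rule number, packet and byte counters, action,
protocol, from/to, optional `via` interface), walks it in rule order the
way ip6fw does, and reports which rule a packet hits. The sample table is
copied from the post; the demo addresses are RFC 3849 documentation
addresses chosen here.
"""
import ipaddress
import re

# Copied from the post: the Lion 10.7.2 table before `ip6fw delete 65000`.
IP6FW_SHOW = """\
01000        285      96163 allow ipv6 from any to any via lo0
01100         66       5750 allow ipv6 from any to ff02::/16
65000          0          0 deny ipv6 from any to any
65535          6        306 allow ipv6 from any to any
"""

RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(allow|deny)\s+(\S+)"
    r"\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+via\s+(\S+))?\s*$")


def _net(token):
    """'any' matches everything; otherwise an address or prefix."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse `ip6fw show` output into a list of rule dicts sorted by number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue               # prompts, headers or syntax this parser does not cover
        num, pkts, byts, action, proto, src, dst, via = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(byts),
                      "action": action, "proto": proto,
                      "src": _net(src), "dst": _net(dst), "via": via})
    return sorted(rules, key=lambda r: r["num"])


def delete_rule(rules, num):
    """Equivalent of `sudo ip6fw delete <num>` on the parsed table."""
    return [r for r in rules if r["num"] != num]


def match(rules, src, dst, iface, proto="ipv6"):
    """Return the first rule that matches, as ip6fw evaluates them (lowest number first)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] != "ipv6" and r["proto"] != proto:
            continue               # 'ipv6' is the wildcard protocol in ip6fw
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["via"] is not None and r["via"] != iface:
            continue
        return r
    return None                    # ip6fw always keeps 65535, so unreachable on a real table


def verdict(rules, src, dst, iface):
    """Human-readable result, e.g. 'deny by rule 65000'."""
    r = match(rules, src, dst, iface)
    return "%s by rule %05d" % (r["action"], r["num"]) if r else "no rule matched"


if __name__ == "__main__":
    before = parse_rules(IP6FW_SHOW)
    after = delete_rule(before, 65000)
    cases = [("mDNS query on the LAN", "fe80::1", "ff02::fb", "en0"),
             ("unicast reply from a peer", "2001:db8:1::20", "2001:db8:1::10", "en0"),
             ("loopback", "::1", "::1", "lo0")]
    for label, src, dst, iface in cases:
        print("%-26s before: %-20s after: %s" % (
            label, verdict(before, src, dst, iface), verdict(after, src, dst, iface)))
```

Deleting 65000 turns the table into allow-all for IPv6, which is what made AirPlay work again in the post; the safer alternative is to insert allow rules for the specific ports and multicast groups you need at numbers below 65000 and leave the deny in place. Either way, re-run `sudo ip6fw show` after a reboot to answer the poster's open question about whether the change is persistent.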
