
IPv6 firewall fails to function.

Discussion in 'Asuswrt-Merlin' started by Erik Edwards, Jul 11, 2019.

  1. Erik Edwards

    Erik Edwards New Around Here

    Joined:
    Nov 14, 2015
    Messages:
    7
    RT-AC56R 384.6 (latest for this model at time of posting)
    IPv6 firewall on/off switch seems to generate a complete blockage in the "on" position and had none of the rules entered in the GUI. In the "off" position it drops bad packets, but otherwise allows nearly everything through. Anyone have thoughts on this?
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,608
    Location:
    Canada
    This is how a firewall works. When a firewall is enabled, it will block everything, and you have to create rules to allow explicit traffic.
     
  3. Erik Edwards

    Erik Edwards New Around Here

    Joined:
    Nov 14, 2015
    Messages:
    7
    Yeah, it should block everything, I understand that. What is broken is the processing of the permitted rules; they are _*completely*_ ignored.
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,608
    Location:
    Canada
    Keep in mind that IPv6 is routed, not NATed. When configuring a rule, you must enter the correct destination IP for your device, not the router's IP if the goal is to allow traffic in for a specific device.
     
  5. Erik Edwards

    Erik Edwards New Around Here

    Joined:
    Nov 14, 2015
    Messages:
    7
    Here is the ip6tables -S output when the firewall is "off":
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N NSFW
    -N PControls
    -N SSHBFP
    -N UPNP
    -N logaccept
    -N logdrop
    -A INPUT -i eth0 -p ipv6-crypt -j ACCEPT
    -A INPUT -i eth0 -p ipv6-auth -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -m state --state INVALID -j logdrop
    -A INPUT -p tcp -m tcp --dport <port priv> -m state --state NEW -j SSHBFP
    -A INPUT -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 141 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 142 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 148 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 149 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 151 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 152 -j ACCEPT
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 153 -j ACCEPT
    -A INPUT -j logdrop
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    -A FORWARD ! -i br0 -o v6tun0 -j logdrop
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -p ipv6-nonxt -m length --length 40 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
    -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
    -A OUTPUT -o eth0 -p ipv6-crypt -j ACCEPT
    -A OUTPUT -o eth0 -p ipv6-auth -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
    -A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
    -A PControls -j ACCEPT
    -A SSHBFP -m recent --set --name SSH --rsource
    -A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
    -A SSHBFP -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP

    ----------------------------------------------------
    Here is the same with the firewall "on":

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N logaccept
    -N logdrop
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -i lo -o lo -j ACCEPT
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP

    ---------------------------------------------------
    Here are my manually entered rules (with public IPv6 address partially redacted, cut/paste from GUI):

    SSH-Alt ::/0 ::/0 <port priv> TCP
    DNS ::/0 2001:470<priv>/128 53 BOTH
    OpenVPN ::/0 2001:470<priv>/128 <port priv> BOTH
    HTTPS ::/0 ::/0 443 TCP
    DNSTLS ::/0 2001:470<priv>/128 853 TCP
    Mail ::/0 2001:470<priv>/128 25,465,586... TCP

    I know the docs say the :: doesn't need the /0, but in previous releases it has been necessary to include it; otherwise it assumed a /128 on ::

    It's these manually entered rules that are missing.
     
    Last edited: Jul 12, 2019 at 11:06 AM
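As an added diagnostic example (not from the thread and not Asuswrt-Merlin's own firewall scripts), the POSIX shell snippet below checks an ip6tables -S listing for FORWARD ACCEPT rules of the shape a GUI entry should produce: a destination address (the LAN device, as RMerlin notes above, since IPv6 is routed rather than NATed), a protocol and a destination port. The first ruleset is copied from the "on" listing in the post above; the second ruleset and the 2001:db8::10 address are constructed here purely to show what rendered rules would look like for contrast.

```shell
#!/bin/sh
# Added example: spot GUI-entered IPv6 allow rules that never made it into
# the FORWARD chain. Feed it the output of `ip6tables -S FORWARD` on a real
# router; here two rulesets are embedded inline so it runs offline.

# Ruleset as posted in the thread with the IPv6 firewall "on" (FORWARD part).
RULES_ON='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT'

# Constructed ruleset showing the shape the GUI entries should take once
# rendered: destination is the LAN host (documentation prefix used here),
# not the router, because IPv6 is routed and not NATed.
RULES_EXPECTED="$RULES_ON
-A FORWARD -d 2001:db8::10/128 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 2001:db8::10/128 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 2001:db8::10/128 -p tcp -m tcp --dport 53 -j ACCEPT"

# Count FORWARD rules that ACCEPT traffic to an explicit destination, which
# is the kind of rule every GUI allow entry should generate. Prints 0 when
# none exist (grep -c exits 1 on no match, hence the || true).
count_forward_allows() {
    printf '%s\n' "$1" | grep -c -- '^-A FORWARD -d .* -j ACCEPT$' || true
}

# Report whether one GUI entry is present in the ruleset.
# usage: gui_rule_status "$ruleset" <proto> <dst-with-prefixlen> <port>
gui_rule_status() {
    ruleset=$1; proto=$2; dst=$3; port=$4
    if printf '%s\n' "$ruleset" | \
       grep -q -- "^-A FORWARD -d $dst -p $proto -m $proto --dport $port -j ACCEPT$"; then
        echo present
    else
        echo missing
    fi
}

# Stand-alone run: show the difference between the two rulesets.
echo "explicit FORWARD allows in posted ruleset:   $(count_forward_allows "$RULES_ON")"
echo "explicit FORWARD allows in expected ruleset: $(count_forward_allows "$RULES_EXPECTED")"
echo "HTTPS to 2001:db8::10 in posted ruleset:   $(gui_rule_status "$RULES_ON" tcp 2001:db8::10/128 443)"
echo "HTTPS to 2001:db8::10 in expected ruleset: $(gui_rule_status "$RULES_EXPECTED" tcp 2001:db8::10/128 443)"
```

On a live router replace the embedded strings with `ip6tables -S FORWARD` output; a count of zero with GUI entries configured is exactly the symptom described in this thread, and a "missing" result for a specific entry tells you which one to recheck (destination address of the device, not the router, and the protocol/port as entered).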
  6. Erik Edwards

    Erik Edwards New Around Here

    Joined:
    Nov 14, 2015
    Messages:
    7
    Any thoughts on the missing rules?