IPv6 Firewall?

[VinceV]

Hello,

Is there any IPv6 firewalling functionality in the Asuswrt or Merlin firmware? I can't seem to find anything in the GUI, but wanted to make sure I wasn't missing anything.

After enabling IPv6, my hosts are now exposed to the public IPv6 Internet, which is a bit alarming...

I'd be happy to contribute to this effort if it were something that would be incorporated into the firmware.

Thoughts?

-Vince

 

[Nerre]

On Merlins homepage you can find a script "fixing" this.

Bottom part of this page:
http://www.lostrealm.ca/tower/node/81

 

[VinceV]

Awesome, thanks!

Merlin, do you have any interest in making this more of a "default" (GUI-accessible) feature? As IPv6 becomes more prevalent, I'd hate to see people enabling it and not knowing they're completely unprotected.

Again, I would be happy to contribute to adding this feature if there is interest...

Thanks,
Vince

 

[RMerlin]

Awesome, thanks!

Merlin, do you have any interest in making this more of a "default" (GUI-accessible) feature? As IPv6 becomes more prevalent, I'd hate to see people enabling it and not knowing they're completely unprotected.

Again, I would be happy to contribute to adding this feature if there is interest...

Thanks,
Vince

Developping a complete web interface for firewall rules would be a lot of work. I don't really have the time nor interest in such a thing at this time. However I do plan to at least add an option to allow people to select if they either want to open or firewall the subnet by default (Asus currently defaults as open as you noticed). No ETA yet as to when I'll have the chance to work on that switch.

 

[cmillar6]

Awesome, thanks!

Merlin, do you have any interest in making this more of a "default" (GUI-accessible) feature? As IPv6 becomes more prevalent, I'd hate to see people enabling it and not knowing they're completely unprotected.

Again, I would be happy to contribute to adding this feature if there is interest...

Thanks,
Vince

Asus really goofed here in my opinion, unacceptable to implement ipv6 on their firmware and not have a simple ipv6 firewall with a GUI. AsusWRT is the most feature rich firmware I have used on a router yet it lacks something so necessary. Even Linksys made a point of incorporating a fully functional ipv6 firewall when they ipv6 certified their routers. The average home user cannot be expected to run scripts to keep themselves protected. I just helped my neighbor configure their new router the other day and they didn't even know what WPA encryption was let alone configuring IP tables to protect themselves while using ipv6. For this reason I have disabled ipv6 on my AC66u and I'll fire it up when I'm forced to.

 

[jlake]

I agree, they need to add the firewall. However, on linksys routers, ipv6 comes enabled by default. So they almost had to have it if they were going to have ipv6 turned on by default.

I'll be the first to admit, I would have trustingly turned ipv6 on had I not read a previous thread in this forum.

Chinese government at work here? (Just kidding).

 

[RogerSC]

There's a discussion of a simple firewall script for IPv6 in this posting:

http://forums.smallnetbuilder.com/showpost.php?p=69873&postcount=22

which is from the larger context of the thread that you can take a look at by clicking on the thread link in the upper righthand corner of the above posting.

The simple firewall script above might be helpful, it's derived from RMerlin's original:

http://www.lostrealm.ca/tower/node/81

 

[bgvaughan]

Would it be difficult to use the existing IPv4 firewall settings, and simply mirror the IPv4 settings for IPv6? That wouldn't be ideal, but it would at least make some intuitive sense.

 

[VinceV]

Would it be difficult to use the existing IPv4 firewall settings, and simply mirror the IPv4 settings for IPv6? That wouldn't be ideal, but it would at least make some intuitive sense.

It probably wouldn't be that simple, unfortunately... With IPv6, there are a few different way hosts can get their addresses, and I don't know if there's an easy way for the router to correlate -- and keep updated -- the mapping between IPv4 addresses and IPv6 addresses. Also, with IPv4, you're usually dealing with a port forwarding from a single external IP to a variety of different, private, internal IPs instead of just a port being allowed or blocked.

I think the protocols are different enough, and will be implemented differently enough, that it makes sense to keep the firewall functionality separate.

-Vince

 

[RMerlin]

Would it be difficult to use the existing IPv4 firewall settings, and simply mirror the IPv4 settings for IPv6? That wouldn't be ideal, but it would at least make some intuitive sense.

IPv4 works as NAT, which is why you are firewalled by default - it's a feature of NAT. No special firewall rules required. IPv6 on the other hand is simply routed, that's why everything is open unless you have an actual series of firewall rules applied.