[AusNOG] Globally Routed IPv6 and Windows Firewall

Damien Gardner Jnr rendrag at rendrag.net
Fri Jul 25 13:36:25 EST 2014


Hmmm, I had assumed that home routers would simply firewall on v6 the way
they do for v4, and provide a web interface to add exception rules.
Would be interesting to find out if this is the case, though!


On 25 July 2014 13:34, Greg Anderson <ganderson at raywhite.com> wrote:

> Definitely not a new problem, but I would consider it a previously very
> uncommon one.
>
> Whilst we seem to agree on filtering at the edge, is this something that
> is going to be used in the residential space?  This is very clear in the
> enterprise space, where things are less dynamic, but at home you are now
> potentially opening firewall ports in two places, and Joe Public is not
> going to understand how to do these things.
>
>
> On 25 July 2014 13:20, Damien Gardner Jnr <rendrag at rendrag.net> wrote:
>
>> What I do (and what we do at work) is run stateful firewalling on the
>> home/office router and not allow inbound traffic on v6 unless it's for
>> an established session.   Same as we did all those years ago when our
>> homes/offices had a public /24 (we all had that at home, right? ;) ).   It's
>> certainly not a new problem :)
>>
>> Cheers,
>>
>> DG
>>
>>
>> On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:
>>
>>> Good day Ladies and Gentlemen!
>>>
>>> I had a quick question because, try as I might, anybody I have asked this
>>> question to so far (and Google) has been unable to answer it for me.
>>>
>>> With the deployment of a dual-stack IPv6 solution, either in a corporate
>>> or residential environment, I expect most users would have a single NIC in
>>> most cases.
>>>
>>> For Windows Firewall, IPv4 addresses in common cases are not globally
>>> routed, and these addresses often have less restrictive firewall rules and
>>> services running on them (e.g. SNMP, file/printer sharing, RDP, HomeGroup
>>> etc.).  In these cases, some would often use the "Domain" or "Private"
>>> firewall profiles on these NICs.
>>>
>>> With the deployment of IPv6, they will also have link-local IPv6
>>> addresses (fine, as they are not globally routed either, obviously), and at
>>> some point many will have a globally routed IPv6 address.  So this means
>>> that, for a given NIC, you will now have:
>>>
>>> - IPv4 reserved address for private local networking
>>> - IPv6 reserved address for private local networking
>>> - IPv6 globally routed address (and possibly a second, temporary address)
>>>
>>> Suddenly, when the deployment of globally routed IPv6 addresses happens,
>>> because the NIC has a private profile there are suddenly private services
>>> exposed to the Internet.  (Let's put our tin foil hats on and ignore the
>>> difficulties of brute-force scanning an IPv6 subnet.)
>>>
>>> Option 1 is obvious: change your NIC's network type to public, and if
>>> you don't want everything to break, reconfigure all your rules to permit
>>> traffic only from link-local addresses (i.e. a real pain in the _).
>>>
>>> Is there an option 2?  Ideally, I would like the public ranges to be
>>> automatically detected (or specifically reconfigurable) as a globally
>>> routed IP address range, and therefore to be able to apply multiple
>>> profiles (Public and Private/Domain) to a single NIC.
>>>
>>> I am considering this from a residential dumb-end-user perspective as
>>> well as an enterprise one, so whilst I would like a technical solution (and
>>> I am aware those of us smart enough can still firewall at the edge, just
>>> like we do today), many residential users will not have these skills; they
>>> are likely to really open themselves up.  So I am interested to see if I am
>>> missing something very obvious...
>>>
>>> Thoughts?
>>>
>>> - Greg
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>
>>


-- 

Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net -  http://www.rendrag.net/
--
We rode on the winds of the rising storm,
 We ran to the sounds of thunder.
We danced among the lightning bolts,
 and tore the world asunder
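The "Option 1" Greg describes (keep the Private/Domain profile but restrict the rules to on-link peers) can be audited and applied with the NetSecurity cmdlets that shipped with Windows 8 / Server 2012. The script below is an added example written for this page, not something posted in the thread; it assumes an elevated PowerShell session and a host whose rules have not already been scoped by Group Policy. It reports, for each interface, the network category Windows assigned, any non-link-local, non-ULA IPv6 addresses (the globally routed ones that cause the exposure), and every enabled inbound Allow rule on the Private or Domain profile whose remote address is still "Any". With -Apply it rescopes those rules to LocalSubnet plus fe80::/10; everything else is report-only.

```powershell
# Added example (not from the AusNOG thread): find Private/Domain-profile
# inbound rules that accept traffic from any remote address, and optionally
# scope them to on-link peers so a newly acquired global IPv6 address does
# not expose them to the Internet. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated prompt.
#Requires -RunAsAdministrator
param(
    # Report-only by default; pass -Apply to modify the rules.
    [switch]$Apply
)

# 1. Which network category does Windows apply to each interface?
#    The firewall profile is chosen per network, not per address family,
#    so a "Private" interface is Private for its global IPv6 address too.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, IPv4Connectivity, IPv6Connectivity, NetworkCategory |
    Format-Table -AutoSize

# 2. IPv6 addresses that are neither link-local (fe80::/10) nor ULA
#    (fc00::/7). Anything listed here is reachable from off-link.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notmatch '^(fe80|f[cd])' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, SuffixOrigin |
    Format-Table -AutoSize

# 3. Enabled inbound Allow rules active on the Private or Domain profile
#    (a Profile of "Any" also covers them) whose remote address is "Any".
$wide = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Private|Domain|Any' } |
    Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

$wide | Select-Object DisplayName, Profile, DisplayGroup | Format-Table -AutoSize

# 4. Scope those rules to on-link peers. 'LocalSubnet' is the firewall's
#    built-in keyword for every on-link prefix of each interface (v4 and v6),
#    and fe80::/10 admits link-local traffic explicitly. A rule scoped this
#    way accepts an on-link neighbour but rejects the rest of the Internet,
#    regardless of which profile the interface is in.
if ($Apply) {
    $wide | Set-NetFirewallRule -RemoteAddress @('LocalSubnet', 'fe80::/10')
    Write-Host "Scoped $($wide.Count) rule(s) to LocalSubnet and fe80::/10."
} else {
    Write-Host "Report only. Re-run with -Apply to scope $($wide.Count) rule(s)."
}
```

Run it once without -Apply and read the list before changing anything: some rules legitimately need an "Any" remote address (a VPN listener, for instance), and the rescoping is per rule, so it affects that rule's IPv4 reachability as well. Rules pushed by Group Policy will be overwritten at the next refresh, which is where this belongs in the enterprise case anyway.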