[AusNOG] Globally Routed IPv6 and Windows Firewall

Greg Anderson ganderson at raywhite.com
Fri Jul 25 13:47:05 EST 2014


I am not aware of any home router that out of the box has a firewall
enabled for clients with IPv4.  I generally expect that
clients are (badly) protected because there is no NAT unless specified by
an end user or UPNP.  On many you can enable firewalls for the clients but
they are usually for outbound traffic, or only inbound for a (usually
single) DMZ type device that nearly all ports are forwarded to.

My expectation for IPv6 would be pretty similar, unless there is a UPNP
implementation which I have seen very little of.  But why use UPNP when you
can just have the local firewall pop up and ask the user if they want to
permit the traffic locally?


On 25 July 2014 13:36, Damien Gardner Jnr <rendrag at rendrag.net> wrote:

> Hmmm I had assumed that Home routers would simply firewall on v6 the way
> they do for v4, and provide a web interface to add exception rules..
> Would be interesting to find out if this is the case though!
>
>
> On 25 July 2014 13:34, Greg Anderson <ganderson at raywhite.com> wrote:
>
>> Definitely not a new problem, but I would consider it a previously very
>> uncommon problem.
>>
>> Whilst we seem to agree on filtering at the edge - is this something that
>> is going to be something used in the residential space?  This is very clear
>> in the enterprise space where things are less dynamic, but at home you are
>> now potentially opening firewall ports in two places, and Joe Public is not
>> going to understand how to do these things.
>>
>>
>> On 25 July 2014 13:20, Damien Gardner Jnr <rendrag at rendrag.net> wrote:
>>
>>> What I do (and we do at work) is run stateful firewalling on the
>>> home/office router, and don't allow inbound traffic on v6 unless it's for
>>> an established session.   Same as we did all those years ago when our
>>> homes/offices had a public /24 (We all had that at home right? ;) ).   It's
>>> certainly not a new problem :)
>>>
>>> Cheers,
>>>
>>> DG
>>>
>>>
>>> On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:
>>>
>>>> Good day Ladies and Gentlemen!
>>>>
>>>> I had a quick question because try as I might, anybody I have asked
>>>> this question to so far (and Google) has been unable to answer the
>>>> question for me.
>>>>
>>>> With the deployment of a dual stack IPv6 solution either in a corporate
>>>> or residential environment, I expect most users would have a single NIC in
>>>> most cases.
>>>>
>>>> For Windows firewall, IPv4 addresses in common cases are not globally
>>>> routed addresses that often have less restrictive firewall rules and
>>>> services running on them (e.g. SNMP, File/Printer sharing, RDP, Homegroup
>>>> etc).  In these cases, some would often use "Domain" or "Private" firewall
>>>> profiles on these NICs.
>>>>
>>>> With the deployments of IPv6, they will also have local link IPv6
>>>> addresses (fine as they are not globally routed either obviously), and at
>>>> some point many will have a globally routed IPv6 address.  So this means,
>>>> for a given NIC, you will now have:
>>>>
>>>> - IPv4 Reserved address for Private local networking
>>>> - IPv6 Reserved address for Private local networking
>>>> - IPv6 Globally routed address (and possibly a second temporary address)
>>>>
>>>> Suddenly, when the deployment of Globally routed IPv6 addresses happens,
>>>> because the NIC has a private profile there are suddenly private services
>>>> exposed to the Internet.  (Let's put our tin foil hat on and ignore the
>>>> difficulties of brute force scanning an IPv6 subnet).
>>>>
>>>> Option 1 is obvious - change your NIC's network type to public, and if
>>>> you don't want everything to break reconfigure all your rules to permit
>>>> traffic only from local link addresses (i.e. - a real pain in the _)
>>>>
>>>> Is there an option 2?  Ideally, I would like the public ranges to be
>>>> automatically detected (or specifically reconfigurable) as a globally
>>>> routed IP address range and therefore to be able to apply multiple profiles
>>>> (Public and Private/Domain) to a single NIC.
>>>>
>>>> I am considering this from a residential dumb end user perspective as
>>>> well as enterprise - so whilst I would like a technical solution (and I am
>>>> aware those of us smart enough can still firewall at the edge just like we
>>>> do today) - many residential users will not have these skills - they are
>>>> likely to really open themselves up.  So I am interested to see if I am
>>>> missing something very obvious...
>>>>
>>>> Thoughts?
>>>>
>>>> - Greg
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Damien Gardner Jnr
>>> VK2TDG. Dip EE. GradIEAust
>>> rendrag at rendrag.net -  http://www.rendrag.net/
>>> --
>>> We rode on the winds of the rising storm,
>>>  We ran to the sounds of thunder.
>>> We danced among the lightning bolts,
>>>  and tore the world asunder
>>>


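Added example, not part of any message in this thread: a PowerShell audit of "Option 1" from Greg's original question. It lists the inbound allow rules on the Domain/Private profiles whose remote scope is Any (which, once the NIC holds a global IPv6 address, means the Internet) and, with -Apply, re-scopes them to the local subnet plus the IPv6 link-local prefix. It assumes Windows 8 / Server 2012 or later (NetSecurity module), an elevated shell, and that LocalSubnet plus fe80::/10 is the scope you want; adjust that list to taste.

```powershell
# Added example (not from the thread). Dry run by default; -Apply rewrites rules.
param([switch]$Apply)

# Which global (non link-local) IPv6 addresses does this host actually hold?
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -notlike 'fe80:*' -and $_.IPAddress -ne '::1' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin |
    Format-Table -AutoSize

# Scope to apply: local subnet (v4 and on-link v6) plus the link-local prefix.
# Assumption: this is the reachability you want for LAN-only services.
$localScope = @('LocalSubnet', 'fe80::/10')

$exposed = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    # Rules that apply only to the Public profile are already treated as hostile-network rules.
    if ($rule.Profile -eq 'Public') { continue }
    $addr = $rule | Get-NetFirewallAddressFilter
    # 'Any' is the default remote scope; with a global IPv6 address on the NIC it means the Internet.
    if ($addr.RemoteAddress -contains 'Any') {
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            LocalPort   = ($port.LocalPort -join ',')
        }
    }
}

$exposed | Format-Table -AutoSize
"{0} inbound allow rule(s) on Domain/Private profiles accept any remote address." -f @($exposed).Count

if ($Apply) {
    foreach ($e in $exposed) {
        # Re-scope the rule: the service stays reachable from the LAN, not from global IPv6 peers.
        Set-NetFirewallRule -Name $e.Name -RemoteAddress $localScope
        "Re-scoped: $($e.DisplayName)"
    }
}
```

Run it without -Apply first and read the list; built-in rules such as Core Networking (ICMPv6, DHCPv6) may legitimately need a wider scope and should be excluded before applying.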
