IPv6/Firewall
IPv6/Firewall
ICMPv6
Das Internet Control Message Protocol (ICMP) ist ein Kernbestandteil der Internetprotokollfamilie
- Austausch von Fehlermeldungen und Informationsnachrichten
Bei IPv4 ist es gängige Praxis, ICMP an der Firewall zu blockieren
- Unter IPv6 hat ICMPv6 eine deutlich stärkere Bedeutung bekommen
- Für Mechanismen, wie pMTUd, unerlässlich
- Eine undifferenzierte Filterung von ICMPv6 kann Erreichbarkeitsprobleme mit sich bringen
Daher sollte bei IPv6 keine generelle Sperrung von ICMPv6 erfolgen
Folgende ICMPv6-Typen sollten zumindest teilweise zugelassen werden (vgl. auch RFC/4890)
- Nicht genannte Typen sollten gesperrt werden
- Die Bezeichnungen „vom Internet“ und „zum Internet“ beziehen sich jeweils auf das System, das die Verbindung aufbaut oder deren Endpunkt darstellt (in der Regel ein ALG)
| IPv6-ICMP Nachricht (Typ) | Zwischen internen Netzen | Vom Internet | Zum Internet |
|---|---|---|---|
| Destination unreachable (1) | ✓ | ✓ | ✓ |
| Packet too big (2) | ✓ | ✓ | ✓ |
| Time exceeded (3) | ✓ | ✓ | ✓ |
| Parameter Problem (4) | ✓ | ✓ | ✓ |
| Echo-Request (128) | ✓ 1 | ✗ | ✓ 1 |
| Echo-Antwort (129) | ✓ 2 | ✓ 2 | ✗ |
| Multicast (130-132, 143, 151-153) | ✓ 3 | ✓ 3 | ✓ 3 |
| Router (133, 134) | ✓ 3 | ✗ | ✗ |
| Neighbor (135,136) | ✓ 3 | ✓ 3 | ✓ 3 |
| Redirect (137) | ✓ 3/4 | ✗ | ✗ |
| ICMP-Information (139) | ✓ 1 | ✗ | ✗ |
| ICMP-Information (140) | ✓ 2 | ✗ | ✗ |
| Reverse-Neighbor (141) | ✓ 1 | ✗ | ✗ |
| Reverse-Neighbor (142) | ✓ 2 | ✗ | ✗ |
- Legende
- 1 = von der Management-Station aus
- 2 = zur Management-Station hin
- 3 = ohne Forwarding
- 4 = ausgehend vom Router
Quelle
OPNsense
iptables
Regeln Client
* mangle
: PREROUTING ACCEPT [ : ]
: INPUT ACCEPT [ : ]
: FORWARD ACCEPT [ : ]
: OUTPUT ACCEPT [ : ]
: POSTROUTING ACCEPT [ : ]
COMMIT
#
* filter
: INPUT DROP [ : ]
: FORWARD DROP [ : ]
: OUTPUT ACCEPT [ : ]
: ndp-slaac - [ : ]
: trashlog - [ : ]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -- ctstate INVALID -j trashlog
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ndp-slaac
-A INPUT -s fe80::/1 -d fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A INPUT -s fe80::/1 -p tcp -m tcp -- dport 22 -m conntrack -- ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
-A trashlog -j DROP
COMMIT
Regeln Router
* mangle
: PREROUTING ACCEPT [ : ]
: INPUT ACCEPT [ : ]
: FORWARD ACCEPT [ : ]
: OUTPUT ACCEPT [ : ]
: POSTROUTING ACCEPT [ : ]
COMMIT
#
* filter
: INPUT DROP [ : ]
: FORWARD DROP [ : ]
: OUTPUT ACCEPT [ : ]
: bad - eh - [ : ]
: icmpv6-filter - [ : ]
: ndp-minimal - [ : ]
: trashlog - [ : ]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A INPUT -m conntrack -- ctstate INVALID -j trashlog
-A INPUT -p ipv6-icmp -j ndp-minimal
-A INPUT -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j icmpv6-filter
-A FORWARD -i eth1 -o sixxs -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o nat64 -m conntrack -- ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A bad - eh -m rt --rt - type --rt - segsleft -j DROP
-A icmpv6-filter -s fe80::/1 -j DROP
-A icmpv6-filter -d fe80::/1 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -j DROP
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
-A trashlog -j DROP
COMMIT
Anhang
Siehe auch
Links
Weblinks