Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Firewall security questions

Started by b1izzard, December 08, 2009, 12:00:22 AM


b1izzard

I am not in complete understanding of how IPV6 and firewalls function and have a few questions:

1.  If the firewall blocks traffic coming in, how do you configure specific ports to be open?  I have a D-Link DIR-615 router.  I want to set up a Windows RDP connection to my computer so I can access it remotely.

2.  When running a port scan, I tried to scan my client IPV6 address 2001:470:1f04:6db::2/ and it showed one port open for TCP 53.  I am assuming this must be DNS on the D-Link? 

3.  Does HE filter any traffic whatsoever, or is it wide open?

4.  If I want to create a second HE tunnel for a 2nd network behind another D-Link router on a separate static IPv4 WAN address, will I be able to communicate between these just as I would if I had 2 separate IPV4-only networks on their own static WAN IPs?  I do this all the time with IPV4, but don't have a clue on IPV6.

Thanks!


broquea

Re #1, last I checked, the DIR-615 didn't do any IPv6 firewalling, and you had to do it on the host. I don't see any mention of an IPv6 firewall in the firmware rev notes up through the latest.

Re #2, probably; try a v4 portscan and see if it gets the same behavior. It would be interesting to know.

Re #3, we don't filter traffic, it's wide open.

Re #4, yes, both networks will have globally routed IPv6 addresses. As long as they have unfiltered services (or filtered with specific hosts/networks allowed) they should be able to communicate with each other.

b1izzard

I tried running an IPV4 port scan on port 25 for my W2K3 Exchange server using grc.com and it was in stealth.  I added a port forwarding rule and tested it again and it was open.  I ran an ipv6 port scan on the server IP address and all 1000 ports were closed (see below).  I do have the 'Client IPV4 address' pointing to my D-Link IP of 192.168.1.1 for the client netsh configuration (example: netsh int ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.x.x.74, but let me know if this is wrong), as from what I can tell that is the correct way to do it when behind a firewall.

How can I get this to work?  Do I need a different firewall capable of passing traffic through, or do I have to directly connect my server to the internet?  I don't want to directly connect it unless I have to.  If you know of any good software or hardware devices that are inexpensive that will do what I need it to, please let me know.  Thanks.

****ipv6 port scan result*****
This utility will perform a basic nmap portscan from 2001:470:0:aa::2 to the supplied IPv6 address. Do note, this is simply a quick probe and is not a replacement for an in-depth security scan.

You may probe any IPv6 address within your routed /64s or /48s as well as your side's tunnel endpoint.
IPs available for you to scan are in the following prefixes:
•2001:470:1f04:6db::2/128
•2001:470:1f05:6db::/64
•2001:470:8055::/48

Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-08 07:20 PST
All 1000 scanned ports on 2001:470:1f05:6db:20c:29ff:fe2e:7697 are closed

Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds
*************


jimb

I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

You should not be setting up 6in4 tunnels on your windows boxes.  Just your DIR-615.  Then default routes should point to it.  It will route the IPv6 traffic to HE and back.

b1izzard

I was worried that might be confusing.  Let me clarify.  Basically I am going to setup 2 IPV6 networks.  Pretend one is in New York behind a D-Link IPV6 router.  Another is in Los Angeles behind another IPV6 D-Link router.  I just want to set them up so I can IPV6 between them, by which I will use the 'Create Regular Tunnel' to add another tunnel so I have one for LA and one for New York. If there is a problem with this plan or I am misguided, please let me know.

My current setup for New York behind the D-Link router is that I have 2 Windows 2008 Servers, which I setup with the following information.  The D-Link gateway IP is 192.168.1.1.

New York tunnel:
Server IPv4 address: 72.52.104.74
Server IPv6 address: 2001:470:1f04:6db::1/64
Client IPv4 address: 173.x.x.11 (Changed to 192.168.1.1 which is the D-Link IP)
Client IPv6 address: 2001:470:1f04:6db::2/64 
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /48: 2001:470:8055::/48 
Routed /64: 2001:470:1f05:6db::/64 

RDNS Delegation NS1: none 
RDNS Delegation NS2: none 
RDNS Delegation NS3: none 
BGP Details
ASN: none


On the 2 Windows 2008 Servers, I have added the following commands:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.52.104.74
netsh interface ipv6 add address IP6Tunnel 2001:470:1f04:6db::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f04:6db::1

I can ping the IPV6 internet and browse IPV6 web sites, so things seem to be working correctly from that aspect.

>>I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

Does this clarify the above question, or am I even farther off on this?

broquea

#5
When your tunnel is terminated on the dlink, you shouldn't be running the tunnel commands on the windows machines. They should be automatically configuring IPv6 addresses from Routed /64: 2001:470:1f05:6db::/64 if that is what you put as LAN IP on the dlink. The dlink is where the tunnel should be terminated on, because you can't have the same tunnel terminated on multiple devices, or else the last one configured tends to be the only one working.

Terminate tunnel on the dlink, have it advertise to all hosts on the lan, and that should be good to go.

jimb

#6
Quote from: b1izzard on December 08, 2009, 04:16:40 PM
I was worried that might be confusing.  Let me clarify.  Basically I am going to setup 2 IPV6 networks.  Pretend one is in New York behind a D-Link IPV6 router.  Another is in Los Angeles behind another IPV6 D-Link router.  I just want to set them up so I can IPV6 between them, by which I will use the 'Create Regular Tunnel' to add another tunnel so I have one for LA and one for New York. If there is a problem with this plan or I am misguided, please let me know.

My current setup for New York behind the D-Link router is that I have 2 Windows 2008 Servers, which I setup with the following information.  The D-Link gateway IP is 192.168.1.1.

New York tunnel:
Server IPv4 address: 72.52.104.74
Server IPv6 address: 2001:470:1f04:6db::1/64
Client IPv4 address: 173.x.x.11 (Changed to 192.168.1.1 which is the D-Link IP)
Client IPv6 address: 2001:470:1f04:6db::2/64  
Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes and rDNS Delegations
Routed /48: 2001:470:8055::/48  
Routed /64: 2001:470:1f05:6db::/64  

RDNS Delegation NS1: none  
RDNS Delegation NS2: none  
RDNS Delegation NS3: none  
BGP Details
ASN: none


On the 2 Windows 2008 Servers, I have added the following commands:

netsh interface ipv6 add v6v4tunnel IP6Tunnel 192.168.1.1 72.52.104.74
netsh interface ipv6 add address IP6Tunnel 2001:470:1f04:6db::2
netsh interface ipv6 add route ::/0 IP6Tunnel 2001:470:1f04:6db::1

I can ping the IPV6 internet and browse IPV6 web sites, so things seem to be working correctly from that aspect.

>>I'm confused now.  Why are you setting up tunnels on your windows hosts when you have the DIR615 acting as your IPv6 router???

Does this clarify the above question, or am I even farther off on this?

Agh.  OK.  I see what you're trying to do.  You have two separate tunnels emulating two networks.  One is terminated to the Dlink, the other to win2008.

I've already spotted a major problem.  A tunnel terminates to ONE and only ONE host.  You're trying to do a 6in4 tunnel with TWO different 2008 boxes.  You can't do that.  You must use one as a router, and the other as a LAN host which goes through the router.

Second, if you read my previous message, I tried to explain that when behind a NAT, you can only have ONE 6in4 tunnel per public IP.  In other words, if you have a bunch of hosts behind a NAT device behind a single public IP, only ONE can do a 6in4 tunnel to the same tunnel server.  If you use two different tunnel servers, it may work, since it now has two unique source IPs on the return traffic.

Unlike protocols which use TCP or UDP, 6in4 doesn't have ports, so the NAT device has no way of mapping the return traffic to the proper inside IP.  So for things like web browsing, you can have 100 different hosts talking to the same web server, and mapping all of them to the same public IP, and because it has TCP ports to work with, the NAT device can sort out which is which upon receiving the return traffic.  Since 6in4 simply doesn't have ports, it being merely an IPv4 packet with its protocol number field set to 41 containing an IPv6 packet as payload, it has no way of figuring out which inside host originally sent the packet.  If you have say, 192.168.1.5 and 192.168.1.6 talking to the same tunnel server on the internet, the source IPs on the outgoing traffic get NATed to the SAME public IP, and return traffic from the tunnel server for both .5 and .6 will have the same destination public IP, so the NAT device has no clue whether to route a given return packet to .5 or .6.

So, if you have two 6in4 routers behind a NAT device, you either have to map each router to be NATed to a separate public source IP (#1), OR use a separate destination tunnel server IP (#2).  And #2 still may not work, depending on how retarded your NAT device is (in theory it should if that NAT device has a proper implementation of NAT).  :P
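
The port-versus-no-port distinction jimb describes can be shown with a small shell model of the translation key a NAT device has to recover from a returning packet. This is an added example, not code from the thread or from HE. The flow records are constructed (203.0.113.10 and 203.0.113.11 stand in for the NAT's public IPv4 addresses, 198.51.100.80 for a web server, and the model assumes the NAT keeps the inside source port as the public port); 72.52.104.74 and 74.82.42.42 are the tunnel server and HE resolver already quoted in the thread.

```shell
#!/bin/sh
# Added example: a toy model of the translation key a NAT device uses to map
# returning packets back to an inside host. Not code from the thread or from HE.
# Record format (constructed): proto inside_ip inside_port public_ip dest_ip dest_port
# "-" marks a field that does not exist for the protocol (6in4 has no ports).
# Assumption: the NAT keeps the inside source port as the public port.

# Two LAN hosts browsing and one doing DNS map fine; two 6in4 routers behind the
# same public IP talking to the same tunnel server (72.52.104.74, from the thread) collide.
SAMPLE_FLOWS='tcp 192.168.1.5 50001 203.0.113.10 198.51.100.80 80
tcp 192.168.1.6 50002 203.0.113.10 198.51.100.80 80
udp 192.168.1.5 40000 203.0.113.10 74.82.42.42 53
41 192.168.1.5 - 203.0.113.10 72.52.104.74 -
41 192.168.1.6 - 203.0.113.10 72.52.104.74 -'

# Same two routers, but each NATed to its own public IPv4 (jimb's option #1).
SEPARATE_PUBLIC_IPS='41 192.168.1.5 - 203.0.113.10 72.52.104.74 -
41 192.168.1.6 - 203.0.113.11 72.52.104.74 -'

# Read flow records on stdin; print one line per key that two different inside
# hosts would share: "<key> <first host> <second host>". The key is exactly what
# the NAT can see in a *returning* packet: for TCP/UDP the public port tells the
# hosts apart; for protocol 41 only the public IP and the tunnel server remain.
nat_collisions() {
    awk '
        { key = "" }
        $1 == "tcp" || $1 == "udp" { key = $1 ":" $4 ":" $3 ":" $5 ":" $6 }
        $1 == "41"                 { key = "41:" $4 ":" $5 }
        key != "" {
            if (key in owner && owner[key] != $2) { print key " " owner[key] " " $2; next }
            owner[key] = $2
        }'
}

# Wrappers so the two scenarios can be compared.
count_lines() {
    awk 'END { print NR }'
}
collisions_shared_ip() {
    printf '%s\n' "$SAMPLE_FLOWS" | nat_collisions
}
count_collisions_shared_ip() {
    collisions_shared_ip | count_lines
}
count_collisions_separate_ips() {
    printf '%s\n' "$SEPARATE_PUBLIC_IPS" | nat_collisions | count_lines
}
```

Running `collisions_shared_ip` reports exactly one shared key, the protocol-41 one, even though the same two inside hosts share the public IP for TCP and UDP without any problem. The second sample is jimb's option #1: once each router is NATed to its own public address the protocol-41 key differs again and no collision is reported.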


b1izzard

Ok, one tunnel per IP.  Got it.  I'm still not clear on what the configuration is supposed to be to have one web server publicly accessible.  Let's forget about the 2 tunnels and focus on just 1.  If you could review the following information and the attached diagram and tell me what I have misconfigured, then that would greatly help me to make sense of how it's supposed to be configured. 

Here is the route print and TCP/IP info from the Windows 2008 server:
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
10    266 ::/0                     fe80::224:1ff:fef5:a02
  1    306 ::1/128                  On-link
12     18 2001::/32                On-link
12    266 2001:0:4137:9e50:14fa:2132:3f57:fe9a/128
                                    On-link
10     18 2001:470:1f05:6db::/64   On-link
10    266 2001:470:1f05:6db:4f6:430e:50ff:4f1d/128
                                    On-link
10    266 fe80::/64                On-link
12    266 fe80::/64                On-link
10    266 fe80::4f6:430e:50ff:4f1d/128
                                    On-link
12    266 fe80::14fa:2132:3f57:fe9a/128
                                    On-link
  1    306 ff00::/8                 On-link
12    266 ff00::/8                 On-link
10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
If Metric Network Destination      Gateway
  0 4294967295 ::/0                     2001:470:1f04:6db::1
===========================================================================

TCP/IP info:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-78-E5-68
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:470:1f05:6db:4f6:430e:50ff:4f1d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4f6:430e:50ff:4f1d%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, December 07, 2009 7:52:04 PM
   Lease Expires . . . . . . . . . . : Monday, December 14, 2009 7:52:05 PM
   Default Gateway . . . . . . . . . : fe80::224:1ff:fef5:a02%10
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{04CF5110-234E-4D95-8399-978745604DD4}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:14fa:2132:3f57:fe9a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::14fa:2132:3f57:fe9a%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter IP6Tunnel:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Direct Point-to-point Adapater
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Sorry to be a PITA.  Thanks for your help.

b1izzard

Sorry broquea, I somehow missed your last post and read only jimb's.  I'll try that out now and let you know.  I'm guessing I have to run netsh int ipv6 reset to clear it out?


broquea

and make sure in that LAN IP field on the dlink, you put, character for character: 2001:470:1f05:6db::1

It already knows it will be a /64 range.

jimb

OK. Where do I start.

First, based on the diagram, it looks like you are trying to establish a 6in4 tunnel from BOTH the win2008 machine AND the D-Link.  This is not how it's done.  The 6in4 tunnel is ONLY established from the DLINK to HE.  The LAN machines, including your win2008 box, should NOT have any 6in4 tunnel.  There should be NO v6v4tunnel on the windows 2008 box.

From the output of the commands, I also see you have a bad default route pointing to the tunnel interface on the Dlink (although this may be left over from you trying to set up the tunnel on the win2008 box.  The route looks "costed out" because of the metric, but I'd delete it anyway).  The default route should point to the LAN interface of the DLINK.

Delete the IP6Tunnel interface ("netsh int ipv6 delete int IP6Tunnel") and the bad persistent IPv6 default route on the 2008 box.

The D-Link should have an address configured on it from your routed /64.  It can't end in a zero.  The address it looks like you used on the D-Link LAN interface is "2001:470:1f05:6db::0".  You can't use ::0.  Use "2001:470:1f05:6db::1" instead.  If the D-Link is doing RA, it should provide a proper IPv6 address and default route to your win2008 box.  From the output it looks like it is ("2001:470:1f05:6db:4f6:430e:50ff:4f1d" is being autoconfigured as your IPv6 global, and your default route is being set too):

{root@gts/pts/1}~# ipv6calc -i fe80::224:1ff:fef5:a02
No input type specified, try autodetection...found type: ipv6addr
No output type specified, try autodetection...found type: ipv6addr
Address type: unicast, link-local
Registry for address: reserved
Interface identifier: 0224:01ff:fef5:0a02
EUI-48/MAC address: 00:24:01:f5:0a:02
MAC is a global unique one
MAC is an unicast one
OUI is: D-Link Corporation


It's handing the link local address of the D-Link to your windows box as a default route.  This is just fine.

If you get rid of the tunnel interface on the win2008 box, and possibly the route, it should start just working to get to the internet, provided your DNS server and resolver is properly resolving AAAA records.

jimb

Quote from: b1izzard on December 08, 2009, 07:43:53 PM
Sorry broquea, I somehow missed your last post and read only jimb's.  I'll try that out now and let you know.  I'm guessing I have to run netsh int ipv6 reset to clear it out?
Yeah I also asked this in reply #3.  But you indicated that you're doing TWO tunnels, so I figured it was examples of your win2008 tunnel server.

Anyway, if you read my previous messages carefully, you'll see that having that 6in4 tunnel on the win2008 box is probably also screwing with your NAT device.  If you eventually want to get the 2nd tunnel up, make sure you review my reply #6.

b1izzard

Thanks guys.  That allowed me to scan for open ports.  I now have a few more questions.

1.  When doing it from the HE port scanner, it shows ports 80 and 3389 open.  When I try to use the subnetonline.com IPV6 scanner, I get the following:

Checked port 80 on Host/IP 2001:470:1f05:6db:4f6:430e:50ff:4f1d...
The checked port (80) is offline/unreachable
Reason: No route to host (113)

Any ideas on this? 

2.  It seems to me that having the D-Link is pointless since I can only have one tunnel, and all traffic is unfiltered and goes to one host.  Can you give me a good reason to have the D-Link in place? 

3.  Normally, in IPV4 I would have a terminal server, mail server, and VPN server NAT'ed behind one static IP.  So correct me if I'm wrong, but I'd either have to have 4 D-Link routers, or connect all 4 directly to the internet?

4.  Am I being paranoid, or isn't that extremely risky having a server directly connected to the internet with only a software firewall?  ISA server is pretty secure, but Windows 2008 would just be running off the standard firewall.

5.  What is a typical scenario for keeping a LAN secure so authorized people from inside and outside the organization can access it?  Typically, I have customers that I have setup for VPN, OWA, Term Server, etc, but since it's behind a NAT'ed static IP, all the ports except the few we need open are blocked.

Again, thanks a million!  I really appreciate all your help.

b1izzard

Jimb, I do read your posts, but sometimes I don't fully understand what it is you're telling me because it's not super super specific for an IPV6 newbie like me.

I think the whole thing that screwed me up and got me off track was the initial configuration page for the tunnel details.  Where it says:

"*NOTE* When behind a firewall appliance that passes protocol41, instead of using the IPv4 endpoint you provided to our broker, use the IPv4 address you get from your appliance's DHCP service.",  I construed 'The IPv4 address you get from your appliance's DHCP service' to be 192.168.1.1. 

Well, it could also technically be the IP address that YOU get, as it says, which would be your IP.  Since there was no mention not to add the Windows sample configuration to the Windows host, I proceeded to.  Due to the *NOTE* message above, I construed that the following netsh command needed to be modified from

netsh interface ipv6 add v6v4tunnel IP6Tunnel 173.160.167.11 72.52.104.74

to

netsh interface ipv6 add v6v4tunnel IP6Tunnel  192.168.1.1 72.52.104.74

Perhaps this information is somewhere on your site, but it seems that for newbies, it would be very helpful to add 2 hyperlinks to the tunnel details page and break it into categories for how to set up IPV6 using a router with PCs behind it, and also how to set up IPV6 for directly connecting your computer to the internet without a hardware firewall.   I guarantee it would have saved you guys some serious time having to answer my relentless postings.   :)

If I can pay you back by creating this documentation for you to review and post, I'd be happy to help.


jimb

Quote from: b1izzard on December 08, 2009, 08:59:21 PM
Thanks guys.  That allowed me to scan for open ports.  I now have a few more questions.

1.  When doing it from the HE port scanner, it shows ports 80 and 3389 open.  When I try to use the subnetonline.com IPV6 scanner, I get the following:

Checked port 80 on Host/IP 2001:470:1f05:6db:4f6:430e:50ff:4f1d...
The checked port (80) is offline/unreachable
Reason: No route to host (113)

Any ideas on this? 
Not sure why, but I can't ping or trace your host from outside.  Tunnel appears to be down.

Quote
2.  It seems to me that having the D-Link is pointless since I can only have one tunnel, and all traffic is unfiltered and goes to one host.  Can you give me a good reason to have the D-Link in place?
The fact that the D-Link doesn't appear to be able to firewall IPv6 traffic would be a big issue with me.  I wouldn't like that.

IPv6 traffic should be able to get to ANY host on your IPv6 routed /64 LAN via the D-Link.  It should NOT go only "to one host."  This is a bug or configuration problem.

Quote
3.  Normally, in IPV4 I would have a terminal server, mail server, and VPN server NAT'ed behind one static IP.  So correct me if I'm wrong, but I'd either have to have 4 D-Link routers, or connect all 4 directly to the internet?
It is still possible to have TS, SMTP, and VPN behind a single NATed public IPv4 and reachable, while simultaneously running a 6in4 tunnel to the D-Link.  What's not possible is having more than one 6in4 tunnel running through the same IPv4 public IP NAT going to the same tunnel server.

These services should also be reachable via IPv6 directly, via the tunnel.

Quote
4.  Am I being paranoid, or isn't that extremely risky having a server directly connected to the internet with only a software firewall?  ISA server is pretty secure, but Windows 2008 would just be running off the standard firewall.
I wouldn't do it.  I prefer to have defense in depth, running a network firewall at the ingress point, and having host based firewalls running on each host.  I personally network firewall my IPv6 traffic using ip6tables on my linux based IPv6 router.

Quote
5.  What is a typical scenario for keeping a LAN secure so authorized people from inside and outside the organization can access it?  Typically, I have customers that I have setup for VPN, OWA, Term Server, etc, but since it's behind a NAT'ed static IP, all the ports except the few we need open are blocked.
Typically secure remote access requires a client VPN setup.  Services like OWA can typically be port forwarded to the outside, depending on how much you trust the security of OWA.  Many put these types of servers on a separate DMZ network.

If we're talking IPv6, all these services are reachable directly from the internet.  So if you want to block them, you simply block them with your network (and/or host) firewall's security policy.

But even in a situation like this, it's often risky to allow access to servers on your internal corporate LAN since any exploitable services may allow a hacker access to a machine on your internal LAN.  This is why, as I mentioned above, machines like this are often placed on a highly restricted DMZ network, or off site at a data center.

Security best practices for IPv6 aren't very different from security for IPv4.  The only real difference is that in the IPv4 world, most hosts are unreachable from the internet by default simply because you need a port forward, or static NAT to a public IPv4, for any inside host that you want to be reachable.  But any sane IPv6 network security policy will deny all by default, and only allow access to what you want to be accessed from the outside.  So in the end it boils down to the same thing, just with less complicated setup required (no port forward/NAT nonsense).
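
jimb's closing point, that a sane IPv6 policy denies everything by default and opens only what is meant to be reached, is easiest to see as an actual ruleset. The following is an added example for a Linux router that terminates the HE 6in4 tunnel and uses ip6tables, as jimb says he does; it is not HE's code, not the D-Link firmware and not the thread's own configuration. The interface names (`he-ipv6`, `eth1`), the SSH rule and the prefix 2001:db8:abcd::/48 that is allowed to reach RDP are assumptions; the routed /64 and the Windows 2008 host's address are the ones quoted in the thread. The policy is generated as ip6tables-restore text so it can be reviewed (and checked by the helper functions) before `apply_rules` loads it.

```shell
#!/bin/sh
# Added example: default-deny IPv6 policy for a Linux router that terminates the
# HE 6in4 tunnel and routes a /64 to the LAN. Not code from the thread or from HE.

TUN_IF="he-ipv6"                                  # assumed name of the sit tunnel interface
LAN_IF="eth1"                                     # assumed LAN interface carrying the routed /64
LAN_PREFIX="2001:470:1f05:6db::/64"               # routed /64 quoted in the thread
WEB_HOST="2001:470:1f05:6db:4f6:430e:50ff:4f1d"   # the Windows 2008 host from the thread
ADMIN_NET="2001:db8:abcd::/48"                    # constructed: only this prefix may reach RDP

# Emit the policy in ip6tables-restore format. Nothing touches the kernel here.
ipv6_router_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_PREFIX -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# --- forwarded traffic: replies to whatever the LAN started ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may go out, but only with source addresses from our own prefix (anti-spoofing)
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_PREFIX -j ACCEPT
-A FORWARD -i $LAN_IF -j DROP
# ICMPv6 the LAN hosts need from outside: PMTUD and error reporting, plus rate-limited ping
-A FORWARD -i $TUN_IF -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -i $TUN_IF -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -i $TUN_IF -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -i $TUN_IF -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -i $TUN_IF -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
# Explicit inbound exposures, one per service: the IPv6 counterpart of a port forward
-A FORWARD -i $TUN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $TUN_IF -o $LAN_IF -s $ADMIN_NET -d $WEB_HOST -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
# Everything else from the tunnel is logged (rate-limited) and then hits the DROP policy
-A FORWARD -i $TUN_IF -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Load the policy atomically. Needs root and ip6tables-restore; run on the router only.
apply_rules() {
    ipv6_router_rules | ip6tables-restore
}

# Review helpers that run anywhere (no root): what to check before loading.
default_policy() {      # default_policy CHAIN  -> DROP or ACCEPT
    ipv6_router_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}
exposed_tcp_ports() {   # TCP ports that new connections from the tunnel side may reach
    ipv6_router_rules | grep "^-A FORWARD -i $TUN_IF .*--dport" \
        | sed 's/.*--dport \([0-9]*\).*/\1/' | sort -n | xargs
}
```

`default_policy FORWARD` should answer `DROP` and `exposed_tcp_ports` should list only `80 3389`, which is the whole exposure of the LAN to the IPv6 internet. The ICMPv6 allowances are deliberate: an IPv6 firewall that drops all ICMPv6 breaks path MTU discovery, which matters on a tunnel whose MTU is smaller than the LAN's, so the error types are permitted and only echo-request is rate-limited.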