Firewall – lready a recommended IPv6 Firewall setup

best practicesfirewallipv6

I'd like to switch from private-IPv4-subnet-behind-NAT to IPv6, but of course I have no intention of exposing my users' workstations "unprotected" to the net.

Some obvious points up-front:

Allow access to provided services
Deny access to workstations

Is there a recommended firewall setup guideline that talks about the details and experiences with such setups?

Best Answer

The advice is largely unchanged from public-IPv4-subnet-behind-Firewall setups that we've had in the .EDU space since the beginning of the commercial Internet. Since early .EDU subnet allocations were rather generous (my old work has an IPv4 /16 allocation, and I know of another institution our size that has a /16 and another /18 for good measure) these institutions have deep experience protecting publicly routeable IP addresses behind firewalls. Heck, that setup was what the original IP creators had in mind.

The principles (from memory):

Do not allow external access to internal IP addresses unless there is a specific business need (default deny).
Allow ICMP to internal addresses as the IP protocols rely on it to determine network conditions.
- Ping-sweeps should be blocked by your IPS config.
- Keep in mind that just because a machine in ping-able, does not mean it is connectable!
Reverse DNS lookups do matter for some use-cases, so be sure that they're working right.

A short list, I know. But the basic firewall principle going back 20 years is the same: allow access only to those IP:port combinations you want to permit, deny everything else.

Related Solutions

Linux – IPv6 and NAT, routing to multiple ISPs

Without BGP and 'business class' ISPs multihoming isn't going to work for you. It is possible to do 1-to-1 NAT with IPv6. I don't know how to configure it on Linux though. There is another way though:

You will get a prefix from both ISPs. Probably a /56 or a /48. It doesn't really matter in this case if the link to the ISP gets it's own addresses or not. IPv6 can work perfectly with unnumbered uplinks. What you then do is to connect a router from each ISP to your LAN, and both should advertise a /64 from their own ISP on your LAN. So all your systems get (at least) two public IPv6 addresses: one from each ISP. You can give the advertisements of your primary ISP a higher priority. When the link to the ISP goes down the corresponding router should withdraw its advertisement and your systems will start using the other link.

The only downside is when one ISP doesn't accept packets with a source address from the other ISP. If that is the case then the routers should check the source address and forward traffic with the wrong source address to the other router.

If you only get a single /64 from your ISP then you can use that on your LAN. They should give you more than that though. A /48 used to be the standard for many years, a /56 is becoming more normal these days, but you should definitely get more than a /64.

Debian – Dual stack linux router, can’t forward IPv6 prefix

You will need to assign an IPv6 address to eth1 as it won't be able to autoconfigure. Pick an /64 address from your /56 although you may be able to use your /56. I've used the prefix 2001:0db8:a1b2:c2d3::/64 in the example below.

# This is an IPv6 interface
iface eth1 inet6 static
    address  2001:0db8:a1b2:c2d3::1
    netmask  64

Best Answer

Related Solutions

Linux – IPv6 and NAT, routing to multiple ISPs

Debian – Dual stack linux router, can’t forward IPv6 prefix

Related Topic