Comments for Xaero.org http://www.xaero.org Tech news, reviews, and whatever else I wanna put here! Mon, 17 Oct 2011 19:24:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 Comment on Configuring a 6in4 tunnel on the pfSense firewall by Chris http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2484 Chris Mon, 17 Oct 2011 19:24:25 +0000 http://www.xaero.org/?p=248#comment-2484 Hmm... I don't know of any off the top of my head, but I'd imagine that you'll want to change the address family in your IPv4 IPtables script to IPv6. Here's a sample IPTables filter I've grown over the years. <code> #!/bin/bash IPT=/sbin/iptables #flush current tables $IPT -F #allow all outgoing connections $IPT -P OUTPUT ACCEPT #first, deny all incoming $IPT -P INPUT DROP $IPT -P FORWARD DROP #Web $IPT -A INPUT -p tcp --dport 80 -j ACCEPT # Anti-attack stuff #First, deny loopback and private space $IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP $IPT -A INPUT --in-interface ! lo --source 10.0.0.0/8 -j DROP $IPT -A INPUT --in-interface ! lo --source 172.16.0.0/12 -j DROP $IPT -A INPUT --in-interface ! lo --source 192.168.0.0/16 -j DROP #Next, rate limit ICMP $IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT #Next, drop weird packets with weird TCP states $IPT -A INPUT -m state --state INVALID -j DROP $IPT -A FORWARD -m state --state INVALID -j DROP $IPT -A OUTPUT -m state --state INVALID -j DROP $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP $IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP $IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP #Allow responses to connections we initiated... $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT </code> Hope that helps! Hmm… I don’t know of any off the top of my head, but I’d imagine that you’ll want to change the address family in your IPv4 IPtables script to IPv6. Here’s a sample IPTables filter I’ve grown over the years.


#!/bin/bash

IPT=/sbin/iptables

#flush current tables
$IPT -F

#allow all outgoing connections
$IPT -P OUTPUT ACCEPT

#first, deny all incoming
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
#Web
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

# Anti-attack stuff

#First, deny loopback and private space
$IPT -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP
$IPT -A INPUT --in-interface ! lo --source 10.0.0.0/8 -j DROP
$IPT -A INPUT --in-interface ! lo --source 172.16.0.0/12 -j DROP
$IPT -A INPUT --in-interface ! lo --source 192.168.0.0/16 -j DROP

#Next, rate limit ICMP
$IPT -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

#Next, drop weird packets with weird TCP states
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

#Allow responses to connections we initiated...
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Hope that helps!

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Bart Grefte http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2480 Bart Grefte Tue, 11 Oct 2011 18:28:25 +0000 http://www.xaero.org/?p=248#comment-2480 Okay. I know about IPtables, already have some books about it :) but I'm looking specifically for an IPv6 howto like this one but made for Debian. Okay.
I know about IPtables, already have some books about it :) but I’m looking specifically for an IPv6 howto like this one but made for Debian.

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Chris http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2478 Chris Mon, 03 Oct 2011 20:43:43 +0000 http://www.xaero.org/?p=248#comment-2478 Bart, I don't do a lot of work in Debian these days, but the last time I checked, pf was only available on the BSDs - FreeBSD, NetBSD, OpenBSD. I have a few links to some great starter material for iptables under Linux here: http://www.xaero.org/index.php/archive/mastering-iptables/ Hope that helps! Chris Bart,

I don’t do a lot of work in Debian these days, but the last time I checked, pf was only available on the BSDs – FreeBSD, NetBSD, OpenBSD. I have a few links to some great starter material for iptables under Linux here:

http://www.xaero.org/index.php/archive/mastering-iptables/

Hope that helps!

Chris

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Bart Grefte http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2477 Bart Grefte Sun, 02 Oct 2011 14:39:53 +0000 http://www.xaero.org/?p=248#comment-2477 Hmm, my last response got removed? It's strange indeed and I think it's the implementation in XP, but I doubt MS will ever create an update for it. As for a firewall, I have installed ESET Smart Security v4.2.71.2 (switching to v5 after I've tested it) on all the clients since it supports IPv6. Set it to interactive mode so if someone tries to get in, I get a warning, if a program wants to go online, I get a warning as well. Both with IPv4 and v6. Then it's just the matter of setting it to allow or block it :). ps. Can I use this howto with Debian as well or are there to many differences between Linux and FreeBSD? Thinking about ditching pfSense because lack of 802.11n support in FreeBSD drivers. Hmm, my last response got removed?

It’s strange indeed and I think it’s the implementation in XP, but I doubt MS will ever create an update for it.

As for a firewall, I have installed ESET Smart Security v4.2.71.2 (switching to v5 after I’ve tested it) on all the clients since it supports IPv6. Set it to interactive mode so if someone tries to get in, I get a warning, if a program wants to go online, I get a warning as well. Both with IPv4 and v6. Then it’s just the matter of setting it to allow or block it :) .

ps. Can I use this howto with Debian as well or are there to many differences between Linux and FreeBSD? Thinking about ditching pfSense because lack of 802.11n support in FreeBSD drivers.

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Chris http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2469 Chris Sat, 10 Sep 2011 19:13:10 +0000 http://www.xaero.org/?p=248#comment-2469 Bart, I'm glad you've resolved your connectivity problems on your laptop. That is indeed strange that XP doesn't revert to IPv4. I wonder if it's a DNS issue or if the IPv6 stack on XP isn't as mature as on Win7? Regardless, please remember that when you configure a 6in4 tunnel on your pfSense device (or any router for that matter), you are now completely exposed to the Internet and no longer have the inherent protections that NAT gives you, so you'll want to configure some firewall rules for your IPv6 network to keep the bad guys out. Chris Bart,

I’m glad you’ve resolved your connectivity problems on your laptop. That is indeed strange that XP doesn’t revert to IPv4. I wonder if it’s a DNS issue or if the IPv6
stack on XP isn’t as mature as on Win7? Regardless, please remember that when you configure a 6in4 tunnel on your pfSense device (or any router for that matter), you are
now completely exposed to the Internet and no longer have the inherent protections that NAT gives you, so you’ll want to configure some firewall rules for your IPv6 network to keep the bad guys out.

Chris

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Bart Grefte http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2467 Bart Grefte Thu, 08 Sep 2011 13:07:37 +0000 http://www.xaero.org/?p=248#comment-2467 Never mind, turns out the POP3 server was not listening on IPv6, it does now :) But strange that XP won't revert to IPv4 if IPv6 does not work, 7 reverts to IPv4 after a few seconds of no response through IPv6. Never mind, turns out the POP3 server was not listening on IPv6, it does now :)

But strange that XP won’t revert to IPv4 if IPv6 does not work, 7 reverts to IPv4 after a few seconds of no response through IPv6.

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Bart Grefte http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2466 Bart Grefte Wed, 07 Sep 2011 11:17:25 +0000 http://www.xaero.org/?p=248#comment-2466 Hi Chris, I didn't see till today that you responded to my question :P... Anyway, the tunnel has been working like a charm, except today. My computer died (leaking capacitors), so now I am working on my laptop. After I set my account in Outlook 2010, Outlook was able to send test-emails but it was not able to log on onto the mailserver of my host to download incoming emails (strange, since outgoing works). Telnet using cmd gave a blinking _ and the host did not see my IP pop up in the logs over there. However, from my pfSense router it worked. So I disabled IPv6 on my laptop and guess what, Outlook works?! Is there anything in those scripts that might interfere with Outlook? Hi Chris,

I didn’t see till today that you responded to my question :P
Anyway, the tunnel has been working like a charm, except today.

My computer died (leaking capacitors), so now I am working on my laptop. After I set my account in Outlook 2010, Outlook was able to send test-emails but it was not able to log on onto the mailserver of my host to download incoming emails (strange, since outgoing works).
Telnet using cmd gave a blinking _ and the host did not see my IP pop up in the logs over there. However, from my pfSense router it worked. So I disabled IPv6 on my laptop and guess what, Outlook works?!

Is there anything in those scripts that might interfere with Outlook?

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Chris http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2350 Chris Sun, 16 Jan 2011 15:34:59 +0000 http://www.xaero.org/?p=248#comment-2350 Great catch! It's actually referred to as <strong>6in4</strong>, not 6to4, so I've fixed the article. Great catch! It’s actually referred to as 6in4, not 6to4, so I’ve fixed the article.

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Andy http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2349 Andy Fri, 14 Jan 2011 22:59:37 +0000 http://www.xaero.org/?p=248#comment-2349 Isn't this post actually just about setting up an IPv6 tunnel, not setting up a 6to4 tunnel? 6to4 does not require a tunnel broker and instead uses an anycast address for tunneling traffic. Isn’t this post actually just about setting up an IPv6 tunnel, not setting up a 6to4 tunnel? 6to4 does not require a tunnel broker and instead uses an anycast address for tunneling traffic.

]]> Comment on Configuring a 6in4 tunnel on the pfSense firewall by Chris http://www.xaero.org/index.php/archive/configuring-a-6tin4-tunnel-on-the-pfsense-firewall/comment-page-1/#comment-2347 Chris Sun, 28 Nov 2010 15:21:28 +0000 http://www.xaero.org/?p=248#comment-2347 Karl, Sounds like you don't have the rtadvd daemon running. You may want to check the config for that and make sure it matches your interface names. Alternatively, you could try statically assigning an address. Hope that helps! Karl,

Sounds like you don’t have the rtadvd daemon running. You may want to check the config for that and make sure it matches your interface names. Alternatively,
you could try statically assigning an address.

Hope that helps!

]]>