In some email I received from David Carmean, sie wrote:
> On Sat, Oct 30, 2004 at 03:09:37PM +1000, Darren Reed wrote:
> > In some email I received from Paul D. Robertson, sie wrote:
> > > Is anyone doing anything with IPv6 other than either "let it back if I
> > > talk it out," "block it completely," or "ignore it and hope it goes away?"
> >
> > I'm rather dismayed at firewalling and IPv6, even just within packet
> > filters, because there seems to be little understanding (as yet) of
> > what IPv6 does and can do, along with the security implications of
> > that. What extension headers need to be blocked ? What ones are
> > safe to allow ? What are the risks with each of these ?
>
> Darren, Can you talk about your ideas in this direction?
>
> I've just compiled ipf 4.1.2 with BPF support to get at the IPv6
> next-header field(s) and the extension headers themselves; was hoping to
> try something like using "tcpdump -dd ip6 protochain 43" to generate BPF
> code to match a routing header that might be buried behind a hop-by-hop
> header, but that generates 39 4-tuples or nearly 1KB of code (!).
You don't need to use BPF. The full list of options is:
block ... with v6hdrs routing,dstopts,frag,esp,hopopts,ipv6,none
But the parser needs a small patch to swallow all of that.
Cheers,
Darren
Index: tools/ipf_y.y
===================================================================
RCS file: /devel/CVS/IP-Filter/tools/ipf_y.y,v
retrieving revision 1.69.2.19
diff -c -r1.69.2.19 ipf_y.y
*** ipf_y.y 2004/10/31 18:44:44 1.69.2.19
--- ipf_y.y 2004/11/02 07:59:38
***************
*** 56,62 ****
static struct wordtab icmptypewords[16];
static struct wordtab ipv4optwords[25];
static struct wordtab ipv4secwords[9];
! static struct wordtab ipv6optwords[5];
static struct wordtab logwords[33];
%}
--- 56,62 ----
static struct wordtab icmptypewords[16];
static struct wordtab ipv4optwords[25];
static struct wordtab ipv4secwords[9];
! static struct wordtab ipv6optwords[8];
static struct wordtab logwords[33];
%}
***************
*** 1395,1408 ****
{ "call", IPFY_CALL },
{ "code", IPFY_ICMPCODE },
{ "count", IPFY_COUNT },
- { "dstopts", IPFY_IPV6OPT_DSTOPTS },
{ "dup-to", IPFY_DUPTO },
{ "eq", YY_CMP_EQ },
{ "esp", IPFY_ESP },
{ "fastroute", IPFY_FROUTE },
{ "first", IPFY_FIRST },
- { "frag", IPFY_FRAG },
{ "flags", IPFY_FLAGS },
{ "frags", IPFY_FRAGS },
{ "from", IPFY_FROM },
{ "ge", YY_CMP_GE },
--- 1395,1407 ----
{ "call", IPFY_CALL },
{ "code", IPFY_ICMPCODE },
{ "count", IPFY_COUNT },
{ "dup-to", IPFY_DUPTO },
{ "eq", YY_CMP_EQ },
{ "esp", IPFY_ESP },
{ "fastroute", IPFY_FROUTE },
{ "first", IPFY_FIRST },
{ "flags", IPFY_FLAGS },
+ { "frag", IPFY_FRAG },
{ "frags", IPFY_FRAGS },
{ "from", IPFY_FROM },
{ "ge", YY_CMP_GE },
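Review bot: Dropping `dstopts` from the general keyword table leaves it lexable only via the ipv6optwords table, and that table (the following hunk) keys `esp` and `frag` to the generic IPFY_ESP / IPFY_FRAG tokens while `dstopts` keeps IPFY_IPV6OPT_DSTOPTS, so the production behind `with v6hdrs` has to accept both token families; no grammar change is visible in this diff. If the "small patch" the covering mail mentions is a separate change it should land together with this one, otherwise `block ... with v6hdrs esp,frag` tokenises but does not parse. Moving `frag` below `flags` restores alphabetical order in the table; whether the lookup depends on that order is not visible here, so it is worth a one-line comment on the table such as `/* keep sorted: lookup assumes alphabetical order */` if it does.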
***************
*** 1564,1570 ****
{ NULL, 0 },
};
! static struct wordtab ipv6optwords[5] = {
{ "hopopts", IPFY_IPV6OPT_HOPOPTS },
{ "ipv6", IPFY_IPV6OPT_IPV6 },
{ "none", IPFY_IPV6OPT_NONE },
--- 1563,1572 ----
{ NULL, 0 },
};
! static struct wordtab ipv6optwords[8] = {
! { "dstopts", IPFY_IPV6OPT_DSTOPTS },
! { "esp", IPFY_ESP },
! { "frag", IPFY_FRAG },
{ "hopopts", IPFY_IPV6OPT_HOPOPTS },
{ "ipv6", IPFY_IPV6OPT_IPV6 },
{ "none", IPFY_IPV6OPT_NONE },