Don’t block any of the following:
133 router solicit
134 router advertisement
135 neighbor solicit
136 neighbor advertisement
137 route redirection

Don’t block Multicast in general.

Link local addresses need to be treated a little differently. IPv6-compliant routers will not forward link-local addresses. If you want you can add a failsafe to drop link-local packets. I set the hop limit and also check to make sure it’s a link-local address. I drop these.

Most packets are sent with a hop limit of 255. There are certain instances where you want to drop certain packets with a hop limit of 1. Some packets are legit with a hop count of 1, so this is where someone can craft a packet.

You don’t want to advertise the following across sites:
Node Information Query (Type 139)
Node Information Response (Type 140)
Router Renumbering (Type 138)
Types 100, 101, 200, and 201 (experimental)

Nothing changes on a port level. If you deny all and allow ports to certain hosts then you do the same for IPv6 hosts.

If you want to test your IPv6 firewall configs you can test against:
http://ipv6.chappell-family.com/ipv6tcptest/
http://www.ipv6scanner.com/

Justin Wilson
[email protected]
---
http://www.mtin.net Owner/CEO xISP Solutions- Consulting – Data Centers - Bandwidth
http://www.midwest-ix.com COO/Chairman Internet Exchange - Peering - Distributed Fabric

> On Jul 11, 2016, at 11:52 AM, Brent Smith <[email protected]> wrote:
>
> What is common practice for firewalling with IPv6?
>
> --
> Brent Smith
> Network Technician
> New Lisbon Broadband and Communications
> www.nlbc.com
> (765)332-2887
> MTCNA MTCWE
> --
>
>
> _______________________________________________
> Ipv6 mailing list
> [email protected]
> http://lists.wispa.org/mailman/listinfo/ipv6
> _______________________________________________

Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
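The rules Justin describes, written out as a RouterOS IPv6 filter set. This is an added example, not configuration from the post or from anyone on the list, and it assumes RouterOS v6 `/ipv6 firewall filter` syntax, `ether1` as the upstream interface, the documentation prefix `2001:db8:1::/48` as the LAN, and one constructed host `2001:db8:1::10` that is allowed to receive HTTPS from outside; change those to match your network. Neighbor Discovery types 133 to 137 are accepted on the input chain only when they arrive with hop limit 255, which is what the protocol requires, and are dropped on the forward chain along with link-local sources and destinations, node-information, router-renumbering and the experimental types, so none of them can transit between sites. Everything else follows the same deny-all, allow-ports-to-hosts pattern used for IPv4.

```routeros
# Added example, not the post's own config. Assumes RouterOS v6, ether1 = WAN,
# 2001:db8:1::/48 = LAN (documentation prefix), 2001:db8:1::10 = constructed host.
/ipv6 firewall address-list
add list=v6-allowed-hosts address=2001:db8:1::10/128 comment="constructed example host"

/ipv6 firewall filter
# ---- input chain: packets addressed to the router itself ----
add chain=input action=accept connection-state=established,related comment="existing flows"
add chain=input action=drop connection-state=invalid comment="invalid state"
# ND (133-137) must never be blocked; valid ND always carries hop limit 255
add chain=input action=accept protocol=icmpv6 icmp-options=133:0-255 hop-limit=equal:255 comment="router solicit"
add chain=input action=accept protocol=icmpv6 icmp-options=134:0-255 hop-limit=equal:255 comment="router advertisement"
add chain=input action=accept protocol=icmpv6 icmp-options=135:0-255 hop-limit=equal:255 comment="neighbor solicit"
add chain=input action=accept protocol=icmpv6 icmp-options=136:0-255 hop-limit=equal:255 comment="neighbor advertisement"
add chain=input action=accept protocol=icmpv6 icmp-options=137:0-255 hop-limit=equal:255 comment="redirect"
# remaining ICMPv6 (echo, packet-too-big, time-exceeded) is needed for PMTUD
add chain=input action=accept protocol=icmpv6 comment="other ICMPv6"
# multicast (MLD, all-routers, etc.) is not blocked
add chain=input action=accept dst-address=ff02::/16 comment="link-local multicast"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="DHCPv6 client"
add chain=input action=drop in-interface=ether1 comment="deny everything else from WAN"

# ---- forward chain: packets transiting the router ----
add chain=forward action=accept connection-state=established,related comment="existing flows"
add chain=forward action=drop connection-state=invalid comment="invalid state"
# failsafe: link-local must never cross the router
add chain=forward action=drop src-address=fe80::/10 comment="link-local source"
add chain=forward action=drop dst-address=fe80::/10 comment="link-local destination"
# ND is on-link only; never let it transit
add chain=forward action=drop protocol=icmpv6 icmp-options=133:0-255 comment="no transit RS"
add chain=forward action=drop protocol=icmpv6 icmp-options=134:0-255 comment="no transit RA"
add chain=forward action=drop protocol=icmpv6 icmp-options=135:0-255 comment="no transit NS"
add chain=forward action=drop protocol=icmpv6 icmp-options=136:0-255 comment="no transit NA"
add chain=forward action=drop protocol=icmpv6 icmp-options=137:0-255 comment="no transit redirect"
# do not advertise these across sites
add chain=forward action=drop protocol=icmpv6 icmp-options=138:0-255 comment="router renumbering"
add chain=forward action=drop protocol=icmpv6 icmp-options=139:0-255 comment="node info query"
add chain=forward action=drop protocol=icmpv6 icmp-options=140:0-255 comment="node info response"
add chain=forward action=drop protocol=icmpv6 icmp-options=100:0-255 comment="experimental"
add chain=forward action=drop protocol=icmpv6 icmp-options=101:0-255 comment="experimental"
add chain=forward action=drop protocol=icmpv6 icmp-options=200:0-255 comment="experimental"
add chain=forward action=drop protocol=icmpv6 icmp-options=201:0-255 comment="experimental"
# the rest of ICMPv6 (PMTUD, echo) is allowed through
add chain=forward action=accept protocol=icmpv6 comment="other ICMPv6"
# port-level policy is the same as IPv4: deny all, allow ports to specific hosts
add chain=forward action=accept protocol=tcp dst-port=443 dst-address-list=v6-allowed-hosts \
    in-interface=ether1 connection-state=new comment="HTTPS to allowed hosts"
add chain=forward action=accept src-address=2001:db8:1::/48 out-interface=ether1 comment="LAN outbound"
add chain=forward action=drop in-interface=ether1 comment="deny everything else from WAN"
```

Order matters in RouterOS: the established/related rule sits first so return traffic is not re-evaluated, the link-local and ND drops come before any accept so a crafted packet with a spoofed link-local source cannot match a later allow rule, and the final drop on `in-interface=ether1` is what turns the list into a deny-all. After loading it, the two test sites Justin links are a quick way to confirm that only the ports you allowed to `v6-allowed-hosts` answer from outside.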
