On 07/11/2016 08:52 AM, Brent Smith wrote:

> What is common practice for firewalling with IPv6?
The approach I have taken is:

1. Define IPv6 address blocks to parallel IPv4 address space, including private address space.

2. Apply the same TCP/UDP port rules in IPv6 as I currently have in IPv4.

3. Where NAT is being used for IPv4, and it is expected to be providing security to the hosts behind it, I set up a stateful firewall, reject or deny incoming connections, and allow outgoing connections. For Mikrotik/IPtables terminology, IIRC, that would be rejecting/dropping packets for connections in the invalid and new states from the outside, and allowing packets for connections in the related and established states.

4. I generally do not block ping even with IPv4. If it becomes a problem, I rate limit it. Remember that for IPv6, ICMP is used for discovering path size. If that type of ICMP packet is blocked, you can have weird problems where you can reach the host over IPv6, but trying to transfer data over that path doesn't work. (Especially if you have something with a smaller MTU in the path, like PPPoE.)

I really have not tackled the issue of tunnels. But if a host wants to set up some kind of a tunnel, then I figure it's up to them to decide what incoming traffic they may want to block.

-- 
Erik Andersen

_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
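The stateful policy described in points 3 and 4 above, written out as an ip6tables-restore ruleset (this is an added example, not Erik's configuration or a Mikrotik export): drop "invalid", accept "related/established", allow new connections only from the inside, let the ICMPv6 Packet Too Big messages that carry path MTU information through, and rate-limit ping instead of blocking it. The interface names `eth0` (upstream) and `eth1` (inside) and the rate-limit values are assumptions; the function only prints the ruleset so it can be inspected before anyone feeds it to `ip6tables-restore`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Emits an ip6tables-restore
# ruleset implementing: drop INVALID, accept RELATED/ESTABLISHED, NEW only
# from inside, keep PMTU-discovery ICMPv6 open, rate-limit echo-request.
# Interface names are hypothetical: $1 = upstream (WAN), $2 = inside (LAN).
gen_ip6_ruleset() {
  wan="${1:-eth0}"   # assumed upstream interface
  lan="${2:-eth1}"   # assumed inside interface
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# "invalid" state: packets that match no conntrack entry and are not a valid start
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# "related/established": replies to connections that were initiated from inside
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 Packet Too Big is how path MTU discovery works; blocking it gives the
# "can reach the host but transfers hang" symptom described in the post
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# Other ICMPv6 error messages hosts need to see
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Neighbor discovery is link-local and always sent with hop limit 255
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# Ping: allowed but rate limited rather than dropped (limits are assumed values)
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT
# New connections: allowed from inside toward upstream, dropped from upstream
-A FORWARD -i ${lan} -o ${wan} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${wan} -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Syntax-check the generated ruleset without loading it (needs root and
# ip6tables-restore; skipped silently where either is unavailable).
check_ip6_ruleset() {
  command -v ip6tables-restore >/dev/null 2>&1 || { echo "ip6tables-restore not found, skipping check"; return 0; }
  gen_ip6_ruleset "$@" | ip6tables-restore --test
}

# Usage: print the ruleset for review, e.g.  ./ipv6-fw.sh > /tmp/ip6.rules
gen_ip6_ruleset "$@"
```

Loading it is a separate, deliberate step (`ip6tables-restore < /tmp/ip6.rules`), ideally from a console session so a mistake in the FORWARD or INPUT policy cannot lock you out. The equivalent RouterOS rules live under `/ipv6 firewall filter` with the same connection-state vocabulary (`invalid`, `new`, `established`, `related`).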
