Thanks for all the input, guys!

Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: [email protected]

On 1/30/2013 4:36 PM, Don Gould wrote:
Hi Rory,

http://www.jrwz.net/technical/mikrotik-ipv6/s06.html

You will note that he accepts icmpv6 traffic.

2   chain=forward action=accept protocol=icmpv6

I was concerned about this, so I raised some discussion around our local NOG about it at the time.

It seems that if you don't accept the icmpv6 traffic then 'stuff will break'.

The rest of the site has some useful stuff about tunnels on it as well. I found it quite a useful resource.

D


On 31/01/2013 10:42 a.m., Rory McCann wrote:
Hey guys,

So I decided to set myself up with a couple of free tunnels from HE so I
could play around with IPv6. I've got everything up and working
correctly, but one thing I'm nervous about is that with my computers now
publicly accessible via IPv6, what is the best way to protect/firewall
traffic at the router? Using MT 5.22 on an x86 box, here's some of the
rules I have in place:

/ipv6 firewall filter
add action=reject chain=input comment="Winbox Filtering" disabled=no dst-port=8291 protocol=tcp reject-with=tcp-reset src-address-list=!IPv6-Space
add action=reject chain=input comment="SSH Filtering" disabled=no dst-port=22 protocol=tcp reject-with=tcp-reset src-address-list=!IPv6-Space
add action=drop chain=forward comment="Block all unidentified/non-established traffic" connection-state=new disabled=no dst-address-list=IPv6-Space src-address-list=!IPv6-Space

The Winbox and SSH rules drop SSH traffic not coming from my prefix
("IPv6-Space" address list). I also have a rule that matches
connection-state to new and drops the traffic if it's destined to my
prefix and coming from outside my prefix using that same address list.
That stopped the ability to access my servers/computers from the public
net, so that seems to be what I was looking for; however, I'm wondering
if there are some other rules I should put in place or adjust to further
protect my devices?

How are you guys handling this? My network is a corporate network, so I'm
not serving any customers, just playing around.

Thanks!



_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
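Editor's added example, not from the thread or from the site Don links: a fuller /ipv6 firewall filter in the style of Rory's rules that shows why "stuff will break" without ICMPv6, by accepting the specific ICMPv6 types the protocol depends on (the Neighbor Discovery, MLD and error-message types listed in RFC 4890) instead of all of ICMPv6. It keeps Rory's three rules as posted and adds what his set lacks: an established/related accept, and a final drop on each chain. Assumptions beyond the thread: IPv6 connection tracking works as it evidently did on his 5.22 box, the "IPv6-Space" address list holds the prefix routed over the HE tunnel, 2001:db8::/48 is the documentation prefix standing in for it, and restricting router advertisements to fe80::/10 sources is the editor's choice.

```routeros
# Added example (editor's, not from the thread). Selective ICMPv6 in a
# RouterOS IPv6 filter. 2001:db8::/48 is a placeholder; use your HE prefix.
/ipv6 firewall address-list
add list=IPv6-Space address=2001:db8::/48 comment="our HE-routed prefix (placeholder)"

/ipv6 firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="invalid"
# Neighbor Discovery (RFC 4861) runs over ICMPv6 on the link; drop these and
# address resolution, router advertisements and DAD on the LAN stop working.
add chain=input protocol=icmpv6 icmp-options=133:0-255 action=accept comment="router solicitation"
add chain=input protocol=icmpv6 icmp-options=134:0-255 src-address=fe80::/10 action=accept comment="router advertisement"
add chain=input protocol=icmpv6 icmp-options=135:0-255 action=accept comment="neighbor solicitation"
add chain=input protocol=icmpv6 icmp-options=136:0-255 action=accept comment="neighbor advertisement"
# MLD (types 130-132, 143) keeps link multicast, and so ND itself, working.
add chain=input protocol=icmpv6 icmp-options=130:0-255 action=accept comment="MLD query"
add chain=input protocol=icmpv6 icmp-options=131:0-255 action=accept comment="MLD report"
add chain=input protocol=icmpv6 icmp-options=132:0-255 action=accept comment="MLD done"
add chain=input protocol=icmpv6 icmp-options=143:0-255 action=accept comment="MLDv2 report"
# Error messages. IPv6 routers never fragment, so Path MTU Discovery depends
# on Packet Too Big (type 2) arriving. A 6in4 tunnel has a path MTU below
# 1500, which is exactly the case where dropping type 2 stalls TCP.
add chain=input protocol=icmpv6 icmp-options=1:0-255 action=accept comment="destination unreachable"
add chain=input protocol=icmpv6 icmp-options=2:0-255 action=accept comment="packet too big"
add chain=input protocol=icmpv6 icmp-options=3:0-255 action=accept comment="time exceeded"
add chain=input protocol=icmpv6 icmp-options=4:0-255 action=accept comment="parameter problem"
add chain=input protocol=icmpv6 icmp-options=128:0-255 action=accept comment="echo request (optional)"
# Rory's management rules, as posted: reset Winbox/SSH from outside our prefix.
add chain=input protocol=tcp dst-port=8291 src-address-list=!IPv6-Space action=reject reject-with=tcp-reset comment="Winbox Filtering"
add chain=input protocol=tcp dst-port=22 src-address-list=!IPv6-Space action=reject reject-with=tcp-reset comment="SSH Filtering"
add chain=input src-address-list=IPv6-Space action=accept comment="anything else from our own prefix"
# Missing from the original post: a final drop on input. Without it every
# other router service (DNS, API, www, ...) stays reachable over IPv6.
add chain=input action=drop comment="default deny to router"

# ---- forward: traffic through the router to and from the LAN ----
add chain=forward connection-state=established,related action=accept comment="established/related"
add chain=forward connection-state=invalid action=drop comment="invalid"
# Same error types, forwarded to the hosts; Packet Too Big again matters most.
add chain=forward protocol=icmpv6 icmp-options=1:0-255 action=accept comment="destination unreachable"
add chain=forward protocol=icmpv6 icmp-options=2:0-255 action=accept comment="packet too big"
add chain=forward protocol=icmpv6 icmp-options=3:0-255 action=accept comment="time exceeded"
add chain=forward protocol=icmpv6 icmp-options=4:0-255 action=accept comment="parameter problem"
add chain=forward protocol=icmpv6 icmp-options=128:0-255 action=accept comment="echo request (optional)"
add chain=forward src-address-list=IPv6-Space action=accept comment="outbound from our prefix"
# Rory's rule, kept as posted; the default deny below makes the intent explicit.
add chain=forward connection-state=new src-address-list=!IPv6-Space dst-address-list=IPv6-Space action=drop comment="Block all unidentified/non-established traffic"
add chain=forward action=drop comment="default deny"
```

Two checks worth doing after loading this: pull a large file over IPv6 from a host behind the router and confirm with `/ipv6 firewall filter print stats` that the "packet too big" counters move rather than the transfer hanging, and remember that the 6in4 tunnel itself is IPv4 protocol 41 terminated on the router, so it is protected by `/ip firewall filter`, not by anything in `/ipv6 firewall`.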