[ale] IPv6

Michael H. Warfield mhw at wittsend.com
Sun Nov 9 22:20:58 EST 2003


On Tue, Nov 04, 2003 at 04:54:50AM -0500, Robert L. Harris wrote:

> The biggest problem is enabling ipv6 and not modifying your firewall
> rules to cover ipv6 also.  If you duplicate your iptables rules to
> another script and in that script modify "iptables" to "ipv6tables" and
> remove IPv4 specific host entries you should have almost the same
> coverage, you just might need to allow for things such as only allowing
> ssh from certain hosts, etc.

	You also have to realize that most IPv6 traffic is going to
be embedded in SIT (IPv4 protocol 41 aka ipv6 in /etc/protocols and
6over4 in the RFCs).  If you don't terminate those tunnels ON your
firewall, your IPv4 firewall will only see it as SIT traffic (and not
decode or process the encapsulated tcp or udp traffic) and your IPv6
firewall will not see it at all (since it's IPv4 traffic and not
native IPv6 traffic).  To get your firewall in position to deal with
IPv6 traffic, you have to block forwarding of the IPv6 transition
tunnels and terminate them ON or in front of your firewall and then
route IPv6 native through your firewall.  Fortunately, this isn't
difficult.  Unfortunately, the bad guys know that none of this is
difficult but that few people know about it or do it.

> Thus spake George Johnson (gljay at earthlink.net):
> 
> >    I was just at the AUUG meeting tonight.  Just how easily is a system
> >    running ipv4 hacked by someone running ipv6?  Does a firewall protect
> >    you from it?  Where are some good sites on the subject of hacking with
> >    ipv6?
> > 
> >    George Johnson
> 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> 
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS ALONE.  I speak for no-one else.
> 
> Life is not a destination, it's a journey.
>   Microsoft produces 15 car pileups on the highway.
>     Don't stop traffic to stand and gawk at the tragedy.





-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
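As an added example (not code from the thread or from either poster), a POSIX shell script covering the two points above: rules that keep IPv4 protocol 41 (SIT / 6over4) from being forwarded through the box while allowing it to terminate on the firewall, and a rough translation of an existing iptables script into ip6tables rules (the binary is named ip6tables) that drops rules naming IPv4 hosts, as Robert describes. Interface names, the peer address and the sample ruleset are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.  Two helpers for a dual-stack Linux
# firewall.  Both only PRINT iptables/ip6tables commands; review the output
# and run it as root.
WAN=eth0          # assumed external interface (placeholder)
PEER=192.0.2.1    # assumed IPv4 address of the far tunnel endpoint (placeholder)

# Protocol 41 must terminate ON the firewall (INPUT) and never pass through
# it (FORWARD), so the decapsulated IPv6 is routed natively and traverses
# ip6tables instead of slipping past the IPv4 filter as opaque SIT.
proto41_rules() {
    echo "iptables -A FORWARD -p 41 -j LOG --log-prefix 'SIT-FWD: '"
    echo "iptables -A FORWARD -p 41 -j DROP"
    echo "iptables -A INPUT -i $WAN -p 41 -s $PEER -j ACCEPT"
    echo "iptables -A INPUT -p 41 -j DROP"
}

# stdin: iptables commands, one per line.  stdout: the same rules for
# ip6tables, minus any rule naming an IPv4 literal (host or CIDR), which the
# operator must re-add with IPv6 addresses by hand.  '-p icmp' is rewritten
# to '-p icmpv6' because ICMPv6 carries neighbour discovery and must not be
# silently lost in the mirror.
mirror_v4_rules() {
    grep -Ev '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | sed -E -e 's/^iptables /ip6tables /' -e 's/-p icmp( |$)/-p icmpv6\1/'
}

# Constructed sample ruleset standing in for an existing IPv4 firewall script.
SAMPLE_V4_RULES='iptables -A INPUT -i eth0 -p tcp --dport 22 -s 203.0.113.5 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT'

proto41_rules
printf '%s\n' "$SAMPLE_V4_RULES" | mirror_v4_rules
```

The two IPv4-specific rules are dropped rather than translated, so the emitted ip6tables set is strictly more restrictive than the original and needs its own per-host allowances added.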