ajgnet
newbie
Topic Author
Posts: 46
Joined: Wed Apr 27, 2022 1:57 am

Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Thu Mar 02, 2023 3:10 am

I'm trying to block IPv6 portscans coming to my router. The below filter rules work for IPv4 but get ignored for IPv6 (no traffic matches). What am I doing wrong?
# These rules live in the IPv4 firewall. tcp-flags semantics: every listed flag must be set,
# every !flag must be clear, and flags not mentioned are ignored.
/ip firewall filter
add action=drop chain=input comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
add action=drop chain=forward comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=tcp \
    src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP NULL scan" protocol=\
    tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP NULL scan" \
    protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Thu Mar 02, 2023 7:35 pm

Why do you have open ports to the internet to begin with? Just drop all inbound traffic rather than slowing down your router with these junk rules.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Thu Mar 02, 2023 7:44 pm

The idea is this: if some remote host tries to connect to an IP/port combination which is not allowed (either it's not DST NATed in IPv4 or is blocked in IPv6), then such a remote host is added to a black list. Henceforth the same host can not connect to otherwise allowed/open IP/port combinations (e.g. an HTTP server).

I'm not entirely sure that this idea is feasible, so my firewalls don't do this kind of crap.
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Thu Mar 02, 2023 8:11 pm

For IPv6 you have to define a separate set of firewall rules in /ipv6 firewall filter. It's not clear from your original post if you have those in place. The rules that work for IPv4 won't match the IPv6 packets.
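The same detectors moved into the IPv6 firewall, as an added example that is not from the original post or from MikroTik's documentation. RouterOS keeps /ip firewall and /ipv6 firewall entirely separate, so the IPv4 rules never see an IPv6 packet; the tcp-flags matcher, address lists and add-src-to-address-list are all available in /ipv6 firewall filter, so the rules translate almost verbatim. Assumptions: 2001:db8::53 is a placeholder for a resolver you never want on the list, and the accept rules for established/related and ICMPv6 are placed ahead of the drop so that an address that lands on the list (by a real scan or by a spoofed packet) does not kill flows the router itself opened or neighbour discovery.

```routeros
# Added example, not the original poster's rules: IPv6 equivalent of the IPv4 detectors.
/ipv6 firewall address-list
add address=2001:db8::53/128 comment="resolver (placeholder), never blacklist" list=do_not_blacklist

/ipv6 firewall filter
# Keep existing flows and ICMPv6 (neighbour discovery, PMTUD) working even if a peer gets listed.
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=accept chain=forward comment="accept established/related" connection-state=established,related
add action=accept chain=input comment="ICMPv6 is required for ND and PMTUD" protocol=icmpv6
# Drop anything already on the list.
add action=drop chain=input comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
add action=drop chain=forward comment="BLOCK PORT SCAN - Drop Port scanners" src-address-list=port_scanners
# Detectors. tcp-flags: listed flags must be set, !flag must be clear, unlisted flags are ignored.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP FIN Stealth scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/FIN scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - SYN/RST scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - FIN/PSH/URG scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - ALL/ALL scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="-- BLOCK PORT SCAN - NMAP NULL scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=forward comment="-- BLOCK PORT SCAN - NMAP NULL scan" protocol=tcp src-address-list=!do_not_blacklist tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

# Check: send a NULL scan (nmap -6 -sN) from outside, then confirm the counters move
# and the source shows up on the list.
/ipv6 firewall filter print stats where comment~"PORT SCAN"
/ipv6 firewall address-list print where list=port_scanners
```

Two caveats the thread raises still apply to this version: add-src-to-address-list stores the single source address (/128), so a scanner that rotates through its own /64 is not stopped by an earlier hit, and because a FIN or NULL packet needs no handshake the source can be spoofed, which is why anything you cannot afford to lose belongs in do_not_blacklist and why the established/related accept sits above the drop.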
 
baragoon
Member
Posts: 382
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Thu Mar 02, 2023 8:32 pm

you missed an important part, "psd", this option exists in the ipv4 firewall, but is not implemented in the ipv6 firewall...
 
ajgnet
newbie
Topic Author
Posts: 46
Joined: Wed Apr 27, 2022 1:57 am

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Fri Mar 03, 2023 3:13 pm

baragoon wrote:
> you missed an important part, "psd", this option exists in the ipv4 firewall, but is not implemented in the ipv6 firewall...
Thank you - I understand what you mean and this explains it. So it sounds like there is currently no way to do this in IPv6 until that feature is implemented.
 
sysf
just joined
Posts: 6
Joined: Sat Jul 25, 2020 4:00 pm

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Fri Mar 24, 2023 12:34 am

Are there any plans to implement this feature for IPv6?

Along with this feature, it'd be useful to have an action that adds the prefix to an address list, e.g. the /64 prefix instead of the host address.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Fri Mar 24, 2023 2:54 pm

mkx wrote:
> The idea is this: if some remote host tries to connect to an IP/port combination which is not allowed (either it's not DST NATed in IPv4 or is blocked in IPv6), then such a remote host is added to a black list. Henceforth the same host can not connect to otherwise allowed/open IP/port combinations (e.g. an HTTP server).
>
> I'm not entirely sure that this idea is feasible, so my firewalls don't do this kind of crap.
This is a terrible idea. Without a complete handshake you have no guarantee that the remote IP isn't spoofed. So I can easily send you some packets with the IPs of Google, your DNS servers, ISP's DHCP server, etc. and now your firewall has become a DoS vector.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Fri Mar 24, 2023 6:30 pm

You're right, but I find it unlikely that an attack will send all (assigned) IPv6 addresses anything...
How many days and bandwidth would it take?....
Also port scans on IPv6...must already know the address...

In IPv4 now everything is simpler, they are a handful of addresses in comparison....
 
sysf
just joined
Posts: 6
Joined: Sat Jul 25, 2020 4:00 pm

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Sun Mar 26, 2023 1:36 am

rextended wrote:
> You're right, but I find it unlikely that an attack will send all (assigned) IPv6 addresses anything...
> How many days and bandwidth would it take?....
> Also port scans on IPv6...must already know the address...
>
> In IPv4 now everything is simpler, they are a handful of addresses in comparison....
There are still methods for active IPv6 hosts to be discovered externally, see e.g. https://arxiv.org/abs/2210.02522.

I observe occasional scanning of IPv6 hosts (even those using temporary privacy addresses), which is why I think such a feature would be useful.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Block IPv6 Portscans - Rule works for IPv4 but not IPv6

Sun Mar 26, 2023 6:45 pm

Yes, just use DNS, Tor, torrents.... and obviously.........
