IPv6 Firewall help
Posted: Wed Jun 14, 2023 4:09 am
Hi guys, hope everyone is doing ok.
I'm quite new to IPv6 and I'm experimenting with GNS3 before applying the knowledge in production. I usually use the following firewall base with IPv4: https://wiki.mikrotik.com/wiki/Basic_un ... all_script I have no problems with it, and I usually add the LAN network to the support list (example: 172.16.0.0/24). I was trying to replicate these firewall rules for IPv6, but I'm experiencing 2 problems:
1. The first one is that I was not able to replicate the rules for port scan, because it looks like the IPv6 firewall doesn't have the PSD option in the extra menu.
2. The ICMP rules: I changed them to ICMPv6 and changed the types and codes to adjust, but I'm having a lot of issues, most of them with the drop rule. Since I understand ICMPv6 is part of the heart of IPv6, should I just forget about ICMPv6 rules and just use one rule to accept all ICMPv6 traffic?
Again, I'm trying to use this firewall as base: https://wiki.mikrotik.com/wiki/Basic_un ... all_script
All help I can get will be appreciated.
And this is what I currently made for IPv6:
# Support list: the poster's own management subnet (x.x.x.x/x is the placeholder from the post)
/ipv6 firewall address-list add address=x.x.x.x/x disabled=no list=support
# Bogon list: prefixes that must never appear as a forwarded destination
/ipv6 firewall address-list
add address=::/128 comment="Unspecified address" disabled=no list=bogons
add address=::1/128 comment="Loopback" disabled=no list=bogons
add address=fe80::/10 comment="Link Local # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=::ffff:0:0/96 comment="IPv4-mapped addresses" disabled=no list=bogons
add address=::/96 comment="IPv4-compatible addresses" disabled=no list=bogons
add address=100::/64 comment="Remotely triggered black hole addresses" disabled=no list=bogons
add address=2001:10::/28 comment="Overlay routable cryptographic hash identifiers (ORCHID)" disabled=no list=bogons
add address=2001:db8::/32 comment="Documentation prefix" disabled=no list=bogons
add address=fec0::/10 comment="Site-local unicast (deprecated)" disabled=no list=bogons
add address=3ffe::/16 comment="6bone" disabled=no list=bogons
add address=::224.0.0.0/100 comment="other" list=bogons
add address=::127.0.0.0/104 comment="other" list=bogons
add address=::/104 comment="other" list=bogons
add address=::255.0.0.0/104 comment="other" list=bogons
/ipv6 firewall filter
# connection-limit is "count,prefix-length": 32 was the IPv4 per-host mask, for IPv6 per-host is 128
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
    comment="Add Syn Flood IP to the list" connection-limit=30,128 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmpv6
add action=drop chain=input \
    comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" \
    disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmpv6
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,128 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established \
    disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" \
    disabled=yes
# ICMP chain: shared by the input, forward and output jumps above
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=no icmp-options=128:0 limit=2,5 protocol=icmpv6
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=129:0 protocol=icmpv6
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=3:0 protocol=icmpv6
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=1:0-3 protocol=icmpv6
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=2:0 protocol=icmpv6
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmpv6
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmpv6
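As an added example (not part of the original post), this is the ICMP chain rewritten along the lines of RFC 4890: the chain name ICMP matches the jump-target used above, and the types that IPv6 needs to function (Neighbor Discovery, Router Advertisement, Packet Too Big, Parameter Problem, MLD) are accepted before the final drop, which is what a blanket drop of "other ICMPs" breaks. The hop-limit matcher and the interface list name LAN are assumptions.

```routeros
# Added example: ICMPv6 chain following RFC 4890. Chain name "ICMP" matches the
# jump-target in the post; the hop-limit matcher and the LAN interface list are assumptions.
/ipv6 firewall filter
# Error messages: dropping these breaks PMTUD and connection setup (RFC 4443 types 1-4)
add chain=ICMP action=accept protocol=icmpv6 icmp-options=1:0-6 comment="Destination unreachable"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=2:0 comment="Packet too big (PMTUD)"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=3:0-1 comment="Time exceeded"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=4:0-2 comment="Parameter problem"
# Echo: rate-limit requests as in the post, always allow replies
add chain=ICMP action=accept protocol=icmpv6 icmp-options=128:0 limit=2,5 comment="Echo request (rate limited)"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=129:0 comment="Echo reply"
# Neighbor Discovery (RFC 4861): address resolution, SLAAC and default-router learning.
# These are link-local and always sent with hop limit 255, so anything else claiming
# to be NDP is not from the local link and is left to the drop rule below.
add chain=ICMP action=accept protocol=icmpv6 icmp-options=133:0 hop-limit=equal:255 comment="Router solicitation"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=134:0 hop-limit=equal:255 comment="Router advertisement"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=135:0 hop-limit=equal:255 comment="Neighbor solicitation"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=136:0 hop-limit=equal:255 comment="Neighbor advertisement"
# Redirects only from interfaces in the LAN list (assumed name)
add chain=ICMP action=accept protocol=icmpv6 icmp-options=137:0 hop-limit=equal:255 in-interface-list=LAN comment="Redirect (LAN only)"
# Multicast Listener Discovery: must come from a link-local source (RFC 3810)
add chain=ICMP action=accept protocol=icmpv6 icmp-options=130:0 src-address=fe80::/10 comment="MLD query"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=131:0 src-address=fe80::/10 comment="MLD report"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=132:0 src-address=fe80::/10 comment="MLD done"
add chain=ICMP action=accept protocol=icmpv6 icmp-options=143:0 src-address=fe80::/10 comment="MLDv2 report"
# Everything else is logged before the drop, so an unexpected type shows up in the log
# instead of silently breaking connectivity
add chain=ICMP action=log protocol=icmpv6 log-prefix="icmpv6-drop" comment="Log other ICMPv6"
add chain=ICMP action=drop protocol=icmpv6 comment="Drop other ICMPv6"
```

Because the chain is reached from input, forward and output alike, enable it with the final drop rule first disabled and watch the icmpv6-drop log entries for a while before turning the drop on.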