firewall
... filtering of ICMPv6 by firewalls may have a detrimental effect on the
establishment and maintenance of IPv6 communications. On the other
...
In a few cases, the appropriate rules will depend on whether the
firewall is protecting
o an individual host ...
... most cases without damaging the functionality of the network. This
means that firewall filters for ICMPv6 have to be more carefully
...
... (standardized) Type values would normally be expected to be allowed
to be sent to or pass through firewalls, and may be essential to the
establishment and maintenance of communications (see Section 2.4)
whereas Informational messages will generally be the subject of
policy rules, and those passing through end site firewalls can, in
many but by no means all cases, be dropped without damaging IPv6
communications.
...
... Unreachable messages are any-to-end in nature. Generally, end-to-end
and any-to-end messages might be expected to pass through firewalls
depending on policies but local communications must not.
...
... ICMPv6 messages have a role in establishing or maintaining
communications to and from the firewall and such messages have to be
accepted by firewalls for local delivery. Generally, a firewall will
also be acting as a router so that all the messages that might be
...
... used in configuring a router interface need to be accepted and
generated. These messages should not transit through a firewall that
is also acting as a router as they are normally intended for use
...
... end-to-end or
any-to-end are essential to the establishment and maintenance of
communications. These messages must be passed through firewalls and
might also be sent to and from firewalls to assist with establishment
and maintenance of communications. For example, the Packet Too Big
...
... ICMPv6 messages that are not associated with
communication establishment or maintenance will normally be
legitimately attempting to pass through a firewall from inside to out
or vice versa, but in most cases decisions as to whether or not to
allow them to pass can be made on the basis of local policy without
...
This memo recommends filtering configurations for firewalls designed
to minimize the security vulnerabilities that can arise in using the
...
... of doing this is to establish strict filtering policies in site
firewalls to limit the unauthenticated ICMPv6 messages that can pass
between the site and the wider Internet ...
... dropping some of the ICMPv6 traffic passing through the firewall and
allowing enough of the traffic through to make sure that efficient
...
... link-local messages and does not limit the filtering
that firewalls can apply, and its role in security is therefore not
...
... discussed further in this document.
Firewalls will normally be used to monitor ICMPv6 to control the
following security concerns ...
... IPsec, so that it is difficult to carry out such attacks in practice,
they should not be allowed through a site boundary firewall. On the
other hand, a site may employ multiple "layers" of firewalls. In
this case, Renumbering messages might be expected to be allowed to
transit interior firewalls but not pass across the outer boundary.
...
... Because some ICMPv6 error packets need to be passed through a
firewall in both directions, malicious users can potentially use
these messages to communicate between inside and outside, bypassing
administrative inspection. For example, it might be possible to
...
... Firewalls integrated with an individual host ("end host firewalls")
can be treated as end site firewalls, but the special considerations
discussed in Section 4.2 may be relevant because the firewall is not
a router.
...
... very good reason for dropping this category.
o Messages that may be dropped in firewall/routers, but these
messages may already be targeted to drop for other reasons (e.g.,
...
... router. Special considerations apply to
transit traffic if the firewall is not a router as discussed in
Section 4.2.
...
... message should be allowed or dropped.
Depending on the capabilities of the firewall being configured, it
may be possible for the firewall to maintain state about packets that
may result in error messages ...
... Echo Requests) that are expected to receive a specific
response. This state may allow the firewall to perform more precise
checks based on this state, and to apply limits on the number of
...
... ICMPv6 packets accepted incoming or outgoing as a result of a packet
traveling in the opposite direction. The capabilities of firewalls
to perform such stateful packet inspection vary from model to model,
and it is not assumed that firewalls are uniformly capable in this
respect.
Firewalls that are able to perform deep packet inspection may be able
to check the header fields in the start ...
...
ICMPv6 messages transiting firewalls inbound to a site may be treated
differently depending on whether they are addressed to a node on the
...
... nodes not on the site should be dropped, but would generally be
forwarded by firewalls on transit sites.
...
... IP layer although they will actually be inspecting
the IP packets as they pass through (firewall/bridges).
...
... there is no need to configure additional rules to prevent these
packets traversing a firewall/router, although administrators may
...
... unicast address.
Accordingly, it is not essential to configure firewall/router rules
to drop out-of-specification packets of these types. If they have
...
... link-local source and destination addresses, allowing them to
traverse the firewall/router, they would be rejected because of the
checks performed at the destination. Again, firewall administrators
may still wish to configure rules to log or drop such
out-of-specification packets.
For firewall/bridges, slightly different considerations apply. The
physical links on either side of the firewall/bridge are treated as a
single logical link ...
... routers and hosts attached to the link containing the firewall/bridge
are built to the correct specifications so that out-of-specification
...
... host firewall can generally be thought of as a special case of
a firewall/bridge, but the only link-local messages that need to be
...
Appendix A.4 suggests some more specific checks that could be
performed on Parameter Problem messages if a firewall has the
necessary packet inspection capabilities.
...
... IPv6 nodes on the site to be
possible, it is essential that the connectivity checking messages are
allowed through the firewall. It has been common practice in IPv4
networks to drop Echo Request messages in firewalls to minimize the
risk of scanning attacks on the protected network ...
... beyond the link on which they were initially transmitted. If the
firewall is a firewall/bridge rather than a firewall/router, these
messages should be allowed to transit the firewall as they would be
intended for establishing communications between the two physical
...
... needed to filter messages with link-local addresses in a firewall/
router. As discussed in Section 4.1, these messages are specified so
...
Administrators may also wish to consider providing rules in firewall/
routers to catch illegal packets sent with hop limit ...
... Administrators of end sites
should be aware of this and determine whether they wish to allow
these messages through the firewall. Firewalls protecting transit
sites must allow all types of error messages to transit the site but
...
... site administrators can either adopt a policy of allowing all these
messages through the firewall, relying on end hosts to drop
unrecognized messages, or drop all such messages at the firewall.
Different policies could be adopted for inbound and outbound
messages.
...
... filter these messages at site boundaries. If
a site has internal as well as boundary firewalls, individual
policies should be established for the internal firewalls depending
on whether or not the site wishes to use Router Renumbering:
...
... traffic addressed
to an interface on a firewall. For a small number of messages, the
desired behavior may differ between interfaces on the site or private
side of the firewall and those on the public Internet side of the
firewall ...
...
As discussed in Section 4.3.1, dropping connectivity checking
messages will prevent the firewall being the destination of a Teredo
tunnel ...
... is not essential to filter these messages even if they are not
allowed at the firewall/router:
...
... It may be desirable to drop these messages, especially on public
interfaces, if the firewall is not also providing mobile home agent
services ...
... administrators should take a case-by-case approach to whether
firewalls, routers in general, and other nodes should accept these
...
... Administrators should be aware
of this and determine whether they wish to allow these messages to be
sent to the firewall.
...
... MTUs, Packet Too Big messages
should not be expected at the firewall and could be dropped if they
arrive.
...
... error messages in all cases and these outgoing messages are allowed
through firewalls, the attacker may be able to identify active
...
... network
topology. The vulnerability could be mitigated whilst helping to
establish communications if the firewall was able to examine such
error messages in depth and was configured to only allow Parameter
...
... 136) messages are essential to the establishment and maintenance of
communications on the local link. Firewalls need to generate and
accept these messages to allow them to establish and maintain
interfaces ...
... 134) messages are essential to the establishment and maintenance of
communications on the local link. Firewalls need to generate (since
the firewall will generally be behaving as a router) and accept these
messages to allow them to establish and maintain interfaces ...
... router is using SEND, the firewall must be able to exchange these
messages with nodes on the link ...
... notify other nodes of their existence or change of state. Firewalls
that also act as multicast routers need to process these messages on
...
... mobile node and its home agent. They must be expected to be sent
from outside a site and must traverse site-boundary firewalls to
reach the home agent in order for Mobile IPv6 ...
... o If the site provides home agents for mobile nodes, the firewall
must allow incoming Home Agent Address Discovery ...
... Type values in a way of which the network administrator (and hence
the firewall) is not aware.
[RFC4443 ...
...
Any ICMPv6 Informational messages of which the firewall is not aware
should be allowed to transit through the firewall but should not be
accepted for local delivery on any of its interfaces ...
... transit networks. At end site boundaries any incoming ICMPv6 Error
messages of which the firewall is not aware may be allowed through
the firewall in line with the specification in [RFC4443], which
requests delivery ...
... experimental use in two protocols. This message is
sent end-to-end and may need to pass through firewalls on sites that
are supporting the experimental protocols.
...
... Appendix B. Example Script to Configure ICMPv6 Firewall Rules ...
... #!/bin/bash
# Set of prefixes on the trusted ("inner") side of the firewall
export INNER_PREFIXES="2001:DB8:85::/60"
...
... # local addresses should be filtered.
# Do not use this if the firewall is a bridge.
# Optional for firewalls ...
... link local addresses
# If the firewall is a router:
# These rules should be redundant as routers ...
... addresses but to be sure...
# DO NOT ENABLE these rules if the firewall is a bridge
if [ "$FILTER ...
