User Tools

Site Tools


edgerouter:ipv6-no-unsolicit

Protect IPv6 Enabled Client Machines From Unsolicited Internet Traffic

One of the biggest issues with enabling IPv6, is that it has the potential to expose client machines to malicious traffic. The easiest way to give yourself a little bit of extra protection while still allowing full outside connectivity without resorting to IPv6 NAT (shudders), is to block all incoming connections while still allowing all outbound.

  set firewall ipv6-name Internet-To-LAN default-action drop
  set firewall ipv6-name Internet-To-LAN description 'Internet to LAN'
  set firewall ipv6-name Internet-To-LAN rule 1 action accept
  set firewall ipv6-name Internet-To-LAN rule 1 description 'Drop Incoming IPv6 unless related'
  set firewall ipv6-name Internet-To-LAN rule 1 state established enable
  set firewall ipv6-name Internet-To-LAN rule 1 state related enable
  set firewall ipv6-name Internet-To-LAN rule 2 action drop
  set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable
  set firewall ipv6-name LAN-To-Internet default-action accept
  set firewall ipv6-name LAN-To-Internet description 'LAN to Internet'
  set firewall ipv6-name LAN-To-Internet rule 1 action accept
  set firewall ipv6-name LAN-To-Internet rule 1 state established enable
  set firewall ipv6-name LAN-To-Internet rule 1 state related enable
  set firewall ipv6-name LAN-To-Internet rule 2 action drop
  set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable
  # Bind LAN-To-Internet rule to LAN interface 'in'
  set interfaces ethernet eth1 firewall in ipv6-name LAN-To-Internet
  # Bind Internet-To-LAN rule to IPv6 WAN interface 'in'
  set interfaces tunnel tun0 firewall in ipv6-name Internet-To-LAN
edgerouter/ipv6-no-unsolicit.txt · Last modified: 2015/04/27 21:39 by brielle