edgerouter:ipv6-no-unsolicit

Differences

edgerouter:ipv6-no-unsolicit [2015/04/27 20:51] – created brielle
edgerouter:ipv6-no-unsolicit [2015/04/27 21:27] brielle
Line 2: Line 2:
  
 One of the biggest issues with enabling IPv6, is that it has the potential to expose client machines to malicious traffic.  The easiest way to give yourself a little bit of extra protection while still allowing full outside connectivity without resorting to IPv6 NAT (**shudders**), is to block all incoming connections while still allowing all outbound. One of the biggest issues with enabling IPv6, is that it has the potential to expose client machines to malicious traffic.  The easiest way to give yourself a little bit of extra protection while still allowing full outside connectivity without resorting to IPv6 NAT (**shudders**), is to block all incoming connections while still allowing all outbound.
- 
-    set firewall group ipv6-address-group LAN-IPv6 description 'LAN IPv6 Addresses' 
-    set firewall group ipv6-address-group LAN-IPv6 ipv6-network 'xxxx:xx:xxxx:xxxx::/64' 
  
  
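Review bot: Dropping the `LAN-IPv6` ipv6-address-group here is only safe because the two rules that referenced it (`rule 1 destination group ipv6-address-group LAN-IPv6` in Internet-To-LAN and `rule 1 source group ipv6-address-group LAN-IPv6` in LAN-To-Internet) are removed in the following hunks; if any rule elsewhere in the config still names the group, the commit will fail. It is worth stating in the page text that the rulesets now rely entirely on the interface binding rather than on a prefix match, since the old `'xxxx:xx:xxxx:xxxx::/64'` placeholder was the only place a reader had to fill in their own prefix.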
Line 11: Line 8:
     set firewall ipv6-name Internet-To-LAN rule 1 action accept     set firewall ipv6-name Internet-To-LAN rule 1 action accept
     set firewall ipv6-name Internet-To-LAN rule 1 description 'Drop Incoming IPv6 unless related'     set firewall ipv6-name Internet-To-LAN rule 1 description 'Drop Incoming IPv6 unless related'
-    set firewall ipv6-name Internet-To-LAN rule 1 destination group ipv6-address-group LAN-IPv6 
-    set firewall ipv6-name Internet-To-LAN rule 1 log disable 
-    set firewall ipv6-name Internet-To-LAN rule 1 protocol all 
     set firewall ipv6-name Internet-To-LAN rule 1 state established enable     set firewall ipv6-name Internet-To-LAN rule 1 state established enable
-    set firewall ipv6-name Internet-To-LAN rule 1 state invalid disable 
-    set firewall ipv6-name Internet-To-LAN rule 1 state new disable 
     set firewall ipv6-name Internet-To-LAN rule 1 state related enable     set firewall ipv6-name Internet-To-LAN rule 1 state related enable
 +    set firewall ipv6-name Internet-To-LAN rule 2 action drop
 +    set firewall ipv6-name Internet-To-LAN rule 2 state invalid enable
  
  
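Review bot: The description on rule 1, `'Drop Incoming IPv6 unless related'`, no longer matches the rule, which is `action accept` for `state established enable` / `state related enable`; the dropping of unsolicited inbound traffic now happens in the ruleset's default-action, which this hunk does not show. Suggest renaming it to something like `'Allow established/related IPv6 in'` and showing the `default-action drop` line explicitly so readers can verify the intended behaviour. Removing `state invalid disable` and `state new disable` is behaviour-neutral here, since only enabled states contribute to the match, and the new `rule 2 action drop` / `state invalid enable` correctly catches conntrack-invalid packets before they reach the default action.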
Line 24: Line 18:
     set firewall ipv6-name LAN-To-Internet rule 1 action accept     set firewall ipv6-name LAN-To-Internet rule 1 action accept
     set firewall ipv6-name LAN-To-Internet rule 1 description 'Allow all ipv6 out'     set firewall ipv6-name LAN-To-Internet rule 1 description 'Allow all ipv6 out'
-    set firewall ipv6-name LAN-To-Internet rule 1 log disable 
-    set firewall ipv6-name LAN-To-Internet rule 1 protocol all 
-    set firewall ipv6-name LAN-To-Internet rule 1 source group ipv6-address-group LAN-IPv6 
     set firewall ipv6-name LAN-To-Internet rule 1 state established enable     set firewall ipv6-name LAN-To-Internet rule 1 state established enable
-    set firewall ipv6-name LAN-To-Internet rule 1 state invalid disable 
-    set firewall ipv6-name LAN-To-Internet rule 1 state new enable 
     set firewall ipv6-name LAN-To-Internet rule 1 state related enable     set firewall ipv6-name LAN-To-Internet rule 1 state related enable
 +    set firewall ipv6-name LAN-To-Internet rule 2 action drop
 +    set firewall ipv6-name LAN-To-Internet rule 2 state invalid enable
 +    set firewall ipv6-name LAN-To-Internet rule 3 action accept
 +    set firewall ipv6-name LAN-To-Internet rule 3 state new enable
  
     # Bind LAN-To-Internet rule to LAN interface 'in'     # Bind LAN-To-Internet rule to LAN interface 'in'
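Review bot: Removing `rule 1 source group ipv6-address-group LAN-IPv6` takes away the only egress source-prefix check in LAN-To-Internet; with rule 1 (established/related), rule 2 (drop invalid) and rule 3 (accept new), any source address arriving on the LAN interface is now forwarded out. If that loosening is intended, say so in the page text; otherwise keep the source constraint on rule 3 (the rule that admits new flows). The rule order itself is sound: invalid packets are dropped by rule 2 before rule 3 admits new connections, and `rule 3 state new enable` replaces the removed `rule 1 state new enable` without widening the match.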