A SECOND LIFE FOR THE LINKSYS
Part 3: Drilling holes in the IPv6 Firewall

By Michiel van der Vlist, 2:280/5555

Last year I wrote two articles on how to set up an old Linksys WRT54GL as a router for IPv6. If you missed them, last year's Fidonews 31 and 32 can be downloaded at:

http://www.vlist.org/downloads/fidonews/2011/

And probably from the editor's system as well.

In these articles I described how to configure the Linksys as the end point of a 6in4 tunnel and how to route an IPv6 subnet to the LAN, thereby providing IPv6 connectivity for the machines on the LAN. I also described how to configure the IPv4 NAT to forward ports to a specific host, for example for a web server or a binkp server.

What the articles did not cover is how to do the equivalent for IPv6. I had not figured that out myself then. I have now, so here is my report.

First, forget about what is written on the subject in the OpenWrt wiki. The method described there does not work.

Second, we have to understand that the mechanism for making a server on your LAN available to the outside world is different for IPv4 and IPv6.

In IPv4 all machines on the LAN share one globally routeable IPv4 address. The LAN is behind a NAT that translates to and from the internal IP addresses on the LAN. Without specific instructions the router does not know where to send an unsolicited incoming packet, and so it is dropped. A NAT has the side effect of acting as a stateful firewall. To make a server available one instructs the NAT to forward the port number for the server to the internal address of the server.

In IPv6 there is no NAT. Every machine has - or at least can have - its own unique globally routeable IPv6 address. There is no need to tell the router where to send an unsolicited incoming packet. It already knows, because the packet carries the unique address of the destination.

Some say the absence of NAT in IPv6 is a security risk because every machine is directly connected to the internet. But that is only true for routers that lack a firewall. Technically it is perfectly OK to have a router without a firewall. Then one needs to do nothing to allow unsolicited incoming packets, but each machine on the LAN will need its own firewall. The version of OpenWrt that this is all about does have an IPv6 firewall though, and by default it is configured to reject all unsolicited incoming packets. So we need not worry about machines exposed to the internet. Unless of course we make a configuration error.

In IPv6 we are more flexible in what we allow or disallow than in IPv4. In IPv4 we forward a specific port to a specific destination. Most routers are limited to doing just that. So only protocols that use ports can be forwarded, and usually it is limited to TCP and UDP. It is not possible, for example, to forward a ping. In IPv6 we make an opening in the firewall for a specific destination. We can add additional restrictions, such as port numbers or protocols, but we need not. So we are not limited to protocols that use port numbers, such as TCP and UDP. We can also allow ICMP, which does not use port numbers.

Changes to the firewall are made by editing the file /etc/config/firewall

Here is how to make the machine with address 2001:DB8::2462 pingable from outside. We ONLY want to make it pingable, no more. So we restrict the protocol to ICMP and the type to echo request. Add the following lines to /etc/config/firewall:

[code]
# Allow ping6ing a specific host on the LAN
config rule
        option src wan
        option dest lan
        option family ipv6
        option proto icmp
        option icmp_type echo-request
        option dest_ip 2001:DB8::2462
        option target ACCEPT
[/code]

If you have an IPv6 connection and want to see it work, you can ping6 my RIPE Atlas probe at atlas.vlist.eu.

For a binkp server we only want to allow what is needed to make that work, so we restrict to port 24554 and protocol TCP.

[code]
# A binkp server on the Fido machine
config rule
        option src wan
        option dest lan
        option family ipv6
        option proto tcp
        # in a 'rule' section the server's port is dest_port
        option dest_port 24554
        option dest_ip 2001:DB8::f1d0:2:280:5555
        option target ACCEPT
[/code]

Note that changes made to the firewall configuration do not take effect until the firewall is restarted, either by rebooting the router or by executing the following command:

/etc/init.d/firewall restart

Enjoy.

(c) Michiel van der Vlist, all rights reserved. Permission to publish in the FIDONEWS file echo and the FIDONEWS discussion echo as originating from 2:2/2
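The only real exposure the article leaves open is a configuration error. As an added example that is not part of the article, here is a small Python check that parses the config rule sections of an /etc/config/firewall file and flags wan-to-lan IPv6 ACCEPT rules that are wider than intended: an option name that is not a valid rule option (the constructed sample uses src-dport, so the port restriction is never applied), a rule without dest_ip, or a rule without proto or dest_port. The sample configuration is constructed for this example; RULE_OPTIONS lists the rule options OpenWrt's firewall accepts that matter here.

```python
import re
# Constructed /etc/config/firewall sample: rule 1 is a binkp rule with a misspelled port option, rule 2 is over-broad.
SAMPLE_FIREWALL = """
config rule
    option src wan
    option dest lan
    option family ipv6
    option src-dport 24554
    option proto tcp
    option dest_ip 2001:DB8::f1d0:2:280:5555
    option target ACCEPT
config rule
    option src wan
    option dest lan
    option family ipv6
    option target ACCEPT
"""
# Option names a 'config rule' section accepts (the subset relevant here).
RULE_OPTIONS = {"name", "src", "dest", "family", "proto", "icmp_type",
                "src_ip", "dest_ip", "src_port", "dest_port", "target"}

def parse_uci_rules(text):
    """Return each 'config rule' section as a dict of option name -> value."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if line.startswith("config "):
            current = {} if line.split()[1] == "rule" else None
            if current is not None:
                rules.append(current)
        elif line.startswith("option ") and current is not None:
            _, name, value = line.split(None, 2)
            current[name] = value.strip("'\"")
    return rules

def audit_ipv6_accept_rules(text):
    """List wan->lan IPv6 ACCEPT rules that open more than the article intends."""
    findings = []
    for i, r in enumerate(parse_uci_rules(text), 1):
        if (r.get("src"), r.get("dest"), r.get("family"), r.get("target")) != ("wan", "lan", "ipv6", "ACCEPT"):
            continue
        for opt in r:
            if opt not in RULE_OPTIONS:
                findings.append(f"rule {i}: '{opt}' is not a rule option, so that restriction is not applied")
        if "dest_ip" not in r:
            findings.append(f"rule {i}: no dest_ip, every LAN host is reachable")
        if "proto" not in r:
            findings.append(f"rule {i}: no proto, every protocol is allowed")
        elif r["proto"] in ("tcp", "udp") and "dest_port" not in r:
            findings.append(f"rule {i}: {r['proto']} without dest_port, every port is allowed")
    return findings
```

Run it against a copy of the router's /etc/config/firewall before restarting the firewall; an empty result means every IPv6 opening names a single host and a single protocol/port.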