MikroTik
Image via Wikipedia

Novi internetni protokol je tu, kot sem že omenjal bo prinesel tudi cel kup težav. Prva je gotovo varnost omrežji.
Seveda ne trdim, da je Ipv6 kaj bolj nevaren od obstoječega Ipv4, gre le za to, da ni več t.i. NAT mehanizma, ki je interne IP naslove zakril za požarnim zidom in s tem uvedel neko logično pregrado. Dobra praksa je seveda bila, da poleg samega NAT pravila dodamo tudi potrebne filtre, vendar tega v glavnem v praksi nismo kaj dosti počeli.

Od uvedbe Ipv6 sem iskal primerno konfuguracijo za požarni zid na svojem Mikrotik usmerjevalniku in sem jo zgleda danes našel. Lepota je v tem, da je zelo razdelana in natančna. Precejšen del je namenjen ICMP protokolu, ki bo verjetno glavna tema varnosti pri Ipv6, saj ga ne smemo več blokirati. zato je smiselno vsaj videti, kaj se tam dogaja in zadeve do neke mere regulirati.

Skripto sem našel tule in jo malo popravil, ker ni dosledno uporabljala globalnih spremenljivk in zato ni delala.

Kratka navodila

Nastavite le prve tri globalne spremenljivke, da bodo ustrezale vašemu ipv6 omrežju. Prva označuje Ipv4 2 Ipv6 tunel, razen če imate Ipv6 že kar na priključtu ponudnika – v tem primeru vnesite ta priključek, druga določa vaš subnet, pretja pa priključek (ali bridge), kjer so interni uporabniki.

Svoj brezplačni Ipv6 tunel lahko naredite na http://tunnelbroker.net . Mikrotik je med podprtimi usmerjevalniki, tako da vam bodo kar generirali kodo, ki jo potem prilepite v svoj usmerjevalnik. Moralo bi delovati kar takoj, mene je malce hecal network discovery, zna biti, da je v aktualni verziji že popravljeno.

:global wan sit1
:global locals 2001:xx:xx:xx::/64 
:global lan UporabnikiIpv6

/ipv6 firewall address-list{
add address=$locals comment=”” disabled=no list=local
}

/ipv6 firewall filter {
 remove [find]
}
/ipv6 firewall filter {
add action=accept chain=output comment=Multicast disabled=no dst-address=\
    ff02::/16
add action=drop chain=forward comment=Invalid connection-state=invalid \
    disabled=no
add action=jump chain=forward comment=Forward-icmpv6 disabled=no jump-target=\
    forward-icmp protocol=icmpv6
add action=accept chain=forward comment=”forward established” \
    connection-state=established disabled=no
add action=accept chain=forward comment=related connection-state=related \
    disabled=no
add action=accept chain=forward comment=Forward-locals connection-state=new \
    disabled=no dst-address=2000::/3 dst-address-list=!local \
    out-interface=$wan src-address-list=local in-interface=$lan
add action=accept chain=forward comment=Forward-Internet connection-state=new \
    disabled=no out-interface=$lan dst-address-list=local in-interface=$wan\
     src-address=2000::/3 src-address-list=!local
add action=log chain=forward comment=”” disabled=no log-prefix=””
add action=drop chain=forward comment=”” disabled=no
add action=accept chain=input comment=Multicast disabled=no dst-address=\
    ff02::/16 in-interface=$lan
add action=jump chain=input comment=icmpv6 disabled=no jump-target=input-icmp \
    protocol=icmpv6
add action=accept chain=input comment=Established connection-state=\
    established disabled=no
add action=drop chain=input comment=Invalid connection-state=invalid \
    disabled=no
add action=accept chain=input comment=lan disabled=no in-interface=\
    $lan src-address-list=local
add action=jump chain=input comment=input-internet disabled=no in-interface=\
    $wan jump-target=input-internet-v6 src-address-list=!local
add action=log chain=input comment=”default log” disabled=no log-prefix=””
add action=drop chain=input comment=”default input drop” disabled=no
add action=accept chain=input-icmp comment=”Destination Unreachable RFC4443″ \
    disabled=no icmp-options=1:0 protocol=icmpv6
add action=accept chain=input-icmp comment=”Packet Too big RFC4443″ disabled=\
    no icmp-options=2:0 protocol=icmpv6
add action=accept chain=input-icmp comment=”Echo request RFC4443″ disabled=no \
    icmp-options=128:0 protocol=icmpv6
add action=accept chain=input-icmp comment=”Echo Reply RFC4443″ disabled=no \
    icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=input-internet-v6 comment=”” disabled=no
add action=accept chain=input-icmp comment=”Neighbor Advertisement RFC4861″ \
    disabled=no icmp-options=136:0-255 protocol=icmpv6
add action=accept chain=input-icmp comment=”Neighbor Solicitation RFC4861″ \
    disabled=no icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=input-icmp comment=”Parameter Problem RFC4443″ \
    disabled=no icmp-options=4:0 protocol=icmpv6
add action=log chain=input-icmp comment=”” disabled=no log-prefix=””
add action=drop chain=input-icmp comment=”Default drop” disabled=no
add action=jump chain=output comment=Output-icmpv6 disabled=no jump-target=\
    output-icmp protocol=icmpv6
add action=log chain=output comment=”” disabled=no log-prefix=””
add action=accept chain=output-icmp comment=”Destination Unreachable RFC4443″ \
    disabled=no icmp-options=1:0 protocol=icmpv6
add action=accept chain=output-icmp comment=”Packet Too big RFC4443″ \
    disabled=no icmp-options=2:0 protocol=icmpv6
add action=accept chain=output-icmp comment=”Echo request RFC4443″ disabled=\
    no icmp-options=128:0 protocol=icmpv6
add action=accept chain=output-icmp comment=”Echo Reply RFC4443″ disabled=no \
    icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=output-icmp comment=”Neighbor Advertisement RFC4861″ \
    disabled=no icmp-options=136:0-255 protocol=icmpv6
add action=accept chain=output-icmp comment=”Neighbor Solicitation RFC4861″ \
    disabled=no icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=output-icmp comment=”Parameter Problem RFC4443″ \
    disabled=no icmp-options=4:0 protocol=icmpv6
add action=drop chain=output-icmp comment=”” disabled=no
add action=accept chain=forward-icmp comment=”Echo Reply RFC4443″ disabled=no \
    icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment=\
    “Destination Unreachable RFC4443″ disabled=no icmp-options=1:0 protocol=\
    icmpv6
add action=accept chain=forward-icmp comment=”Packet Too big RFC4443″ \
    disabled=no icmp-options=2:0 protocol=icmpv6
add action=accept chain=forward-icmp comment=”Echo request RFC4443″ disabled=\
    no icmp-options=128:0 protocol=icmpv6
add action=accept chain=forward-icmp comment=”Neighbor Advertisement RFC4861″ \
    disabled=yes icmp-options=136:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment=”Neighbor Solicitation RFC4861″ \
    disabled=yes icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment=”Parameter Problem RFC4443″ \
    disabled=no icmp-options=4:0 protocol=icmpv6
add action=log chain=forward-icmp comment=”” disabled=no log-prefix=””
add action=drop chain=forward-icmp comment=”Default Drop” disabled=no
}

 

 

Reblog this post [with Zemanta]
Share This