
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   IPV6      The convoluted hot-mess that is IPV6      4,612 messages   


   Message 2,987 of 4,612   
   Michiel van der Vlist to All   
   A second life for the Linksys, Part 3   
   06 Aug 19 11:45:51   
   
   TID: FMail-W32 2.1.3.7-B20170919   
   TZUTC: 0200   
   CHRS: CP850 2   
   PID: GED+W32 1.1.5-b20170303   
   MSGID: 2:280/5555 5d494c53   
   From Fidonews Feb 2012:   
      
                      A SECOND LIFE FOR THE LINKSYS Part 3   
                      Drilling holes in the IPv6 Firewall   
                      By Michiel van der Vlist, 2:280/5555   
      
      
   Last year I wrote two articles on how to set up an old Linksys WRT54GL
   as a router for IPv6. If you missed them, last year's Fidonews 31 and 32
   can be downloaded at: http://www.vlist.org/downloads/fidonews/2011/
   And probably from the editor's system as well.

   In these articles I described how to configure the Linksys as the end
   point of a 6in4 tunnel and how to route an IPv6 subnet to the LAN,
   thereby providing IPv6 connectivity for the machines on the LAN. I also
   described how to configure the IPv4 NAT to forward ports to specific
   hosts, for example for a web server or a binkp server. What the articles
   did not cover is how to do the equivalent for IPv6. I had not figured
   that out myself then. I have now, so here is my report.
      
   First, forget about what is written on the subject in the OpenWrt wiki.   
   The method described there does not work.   
      
   Second, we have to understand that the mechanism for making a server on   
   your LAN available to the outside world is different for IPv4 and IPv6.   
   In IPv4 all machines on the LAN share one globally routable IPv4
   address. The LAN is behind a NAT that translates to and from the
   internal IP address on the LAN.

   Without specific instructions the router does not know where to send an
   unsolicited incoming packet and so it is dropped. A NAT has the side
   effect of acting as a stateful firewall. To make a server available
   one instructs the NAT to forward the port number for the server to the
   internal address of the server.

   In IPv6 there is no NAT. Every machine has - or at least can have - its
   own unique globally routable IPv6 address. There is no need to tell
   the router where to send an unsolicited incoming packet. It already
   knows because the packet has the unique address of the destination.

   Some say the absence of NAT in IPv6 is a security risk because every
   machine is directly connected to the internet. But that is only true
   for routers that lack a firewall. Technically it is perfectly OK to
   have a router without a firewall. Then one needs to do nothing to
   allow unsolicited incoming packets. Each machine on the LAN will
   need its own firewall.

   The version of OpenWrt that this is all about does have an IPv6
   firewall though, and by default it is configured to reject all
   unsolicited incoming packets. So we need not worry about machines
   exposed to the internet. Unless of course we make a configuration   
   error.   
      
   In IPv6 we are more flexible in what we allow or disallow than in   
   IPv4. In IPv4 we forward a specific port to a specific destination.   
   Most routers are limited to doing just that. So only protocols that   
   use ports can be forwarded. And usually it is limited to tcp and udp.   
   It is not possible for example to forward a ping.   
      
   In IPv6 we make an opening in the firewall for a specific destination.
   We can add additional restrictions, such as port numbers or protocols,
   but we need not. So we are not limited to protocols that use port
   numbers, such as tcp and udp.

   We can also allow ICMP, which does not use port numbers.
      
   Changes to the firewall are made by editing the file   
   /etc/config/firewall   
      
   Here is how to make the machine with address 2001:DB8::2462 pingable   
   from outside. We ONLY want to make it pingable, no more. So we restrict   
   the protocol to ICMP and the type to echo request.   
      
   Add the following lines to /etc/config/firewall:
      
   [code]   
      
   # Allow ping6ing a specific host on the LAN   
      
   config  rule   
           option  src     wan   
           option  dest    lan   
           option  family  ipv6   
           option  proto   icmp   
           option  icmp_type echo-request   
           option  dest_ip 2001:DB8::2462   
           option  target  ACCEPT   
      
   [/code]   
      
   If you have an IPv6 connection and want to see it work, you can ping6   
   my RIPE Atlas probe at atlas.vlist.eu.   
      
   For a binkp server we only want to allow what is needed to make that
   work, so we restrict to port 24554 and protocol tcp.
      
   [code]   
      
   # A binkp server on the Fido machine   
      
   config  rule
           option  src        wan
           option  dest       lan
           option  family     ipv6
           # In a UCI 'rule' section the destination port is dest_port;
           # 'src-dport' is not a valid option name and UCI would ignore it,
           # which would leave every tcp port on the host open.
           option  dest_port  24554
           option  proto      tcp
           option  dest_ip    2001:DB8::f1d0:2:280:5555
           option  target     ACCEPT
      
   [/code]   
      
      
   Note that changes made to the firewall configuration do not take effect   
   until the firewall is restarted. Either by rebooting the router or by   
   executing the following command: /etc/init.d/firewall restart   
      
      
   Enjoy.   
      
      
   (c) Michiel van der Vlist, all rights reserved.
   Permission to publish in the FIDONEWS file echo and the FIDONEWS
   discussion echo as originating from 2:2/2
      
   ---   
    * Origin: he.net certified sage (2:280/5555)   
   SEEN-BY: 1/123 15/2 19/10 154/10 203/0 221/0 6 226/17 229/354 426   
   SEEN-BY: 229/1014 240/5832 249/206 317 400 280/464 5003 5006 5555   
   SEEN-BY: 292/854 310/31 317/3 322/757 342/200 423/120 460/58 633/280   
   SEEN-BY: 640/1384 712/848 770/1 2452/250 3828/7 5019/40 5020/545 1042   
   SEEN-BY: 5020/12000 5053/58   
   PATH: 280/5555 464 229/426   
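The rules in the article are hand-edited UCI text, and UCI does not reject an option name it does not know; it silently ignores it, so a typo can leave a rule far wider than intended (a tcp rule whose port option is misspelt matches every port on that host). What follows is an added example, not code from the article or from OpenWrt: a small Python linter that parses the "config rule" sections out of /etc/config/firewall text and flags WAN-to-LAN ACCEPT rules that are wider than the article's "only what is needed" intent. The list of valid rule option names and the sample configuration (the article's two rules, the second with the misspelt port option, plus a deliberately sloppy third rule) are constructed assumptions of this example.

```python
"""Lint an OpenWrt /etc/config/firewall for IPv6 firewall openings wider than intended.

Added example, not part of the original article or of OpenWrt.  It parses the UCI
'config rule' sections the article edits by hand and flags:
  - option names UCI does not know (they are silently ignored, so the rule may
    match far more than the author meant),
  - a WAN->LAN ACCEPT rule with no dest_ip (opens every host on the LAN),
  - an ICMP rule without icmp_type (every ICMPv6 type, not just echo-request),
  - a tcp/udp rule without dest_port (every port on dest_ip).
"""

# Options accepted in a fw3 'config rule' section.  This set is an assumption of
# this example, not an exhaustive list for every OpenWrt firewall version.
RULE_OPTIONS = {
    "name", "src", "src_ip", "src_mac", "src_port", "proto", "icmp_type",
    "dest", "dest_ip", "dest_port", "family", "target", "enabled", "extra",
    "limit",
}

# Constructed sample: the article's two rules (the second with the misspelt
# 'src-dport' option) plus a third, sloppy rule that opens ICMP to the whole LAN.
SAMPLE = """
config rule
        option  src     wan
        option  dest    lan
        option  family  ipv6
        option  proto   icmp
        option  icmp_type echo-request
        option  dest_ip 2001:DB8::2462
        option  target  ACCEPT

config rule
        option  src        wan
        option  dest       lan
        option  family     ipv6
        option  src-dport  24554
        option  proto      tcp
        option  dest_ip    2001:DB8::f1d0:2:280:5555
        option  target     ACCEPT

config rule
        option  src     wan
        option  dest    lan
        option  family  ipv6
        option  proto   icmp
        option  target  ACCEPT
"""


def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI config text."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections


def lint_rules(text):
    """Return (rule_index, message) findings for ACCEPT rules from wan into lan."""
    findings = []
    for idx, (stype, opts) in enumerate(parse_uci(text)):
        if stype != "rule":
            continue
        # A misspelt option is not an error for UCI; it just never applies.
        for key in opts:
            if key not in RULE_OPTIONS:
                findings.append((idx, f"unknown option '{key}' is ignored by UCI"))
        if not (opts.get("src") == "wan" and opts.get("dest") == "lan"
                and opts.get("target", "").upper() == "ACCEPT"):
            continue
        proto = opts.get("proto", "").lower()
        if "dest_ip" not in opts:
            findings.append((idx, "WAN->LAN ACCEPT without dest_ip opens every LAN host"))
        if proto in ("icmp", "icmpv6") and "icmp_type" not in opts:
            findings.append((idx, "ICMP rule without icmp_type allows every ICMP type"))
        if proto in ("tcp", "udp") and "dest_port" not in opts:
            findings.append((idx, "tcp/udp rule without dest_port opens every port on dest_ip"))
    return findings


if __name__ == "__main__":
    for rule_idx, msg in lint_rules(SAMPLE):
        print(f"rule {rule_idx}: {msg}")
```

Run it on the text of /etc/config/firewall before restarting the firewall; the first (ping) rule produces no finding, the misspelt second rule is reported twice (unknown option, and therefore no port restriction at all), and the third rule is reported for missing dest_ip and icmp_type.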
      



(c) 1994,  bbs@darkrealms.ca