I have a Hurricane Electric 6in4 tunnel up and running and added this WAN6 interface into my WAN firewall zone on OpenWrt 21.02.2 running on a Raspberry Pi 4.
The WAN zone is set to Drop/Accept/Drop for Input/Output/Forward (see below) and all IPv4 port scans show a stealth response for all ports, meaning that the firewall dropped the inbound SYN request instead of responding by closing the socket. This is my desired behavior as I do not want any probes to reveal my presence.
IPv6 port scans, however, always return CLOSED for every port. At first I did not trust the port scanner, so I ran a TCPDUMP capture during the scan and do indeed see the router responding to each inbound IPv6 SYN request with an immediate RST packet.
Does anyone know why the behavior is different between IPv4 and IPv6?
What can I do to force a Drop for IPv6?
Thanks in advance!
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'
	list network 'WAN6'
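
One way to confirm from a capture which probes were dropped and which were answered, as an added example that is not part of the original post: it reads `tcpdump -n` text output and marks each inbound SYN as stealth (no reply), closed (RST sent) or open (SYN-ACK sent). The sample lines are constructed with documentation addresses, and the function name is hypothetical.

```python
import re

# Constructed tcpdump -n lines (documentation addresses), not the poster's capture.
SAMPLE = """\
12:00:00.000001 IP6 2001:db8:1::10.40000 > 2001:db8:2::1.22: Flags [S], seq 100, win 64240, length 0
12:00:00.000090 IP6 2001:db8:2::1.22 > 2001:db8:1::10.40000: Flags [R.], seq 0, ack 101, win 0, length 0
12:00:00.100001 IP6 2001:db8:1::10.40001 > 2001:db8:2::1.80: Flags [S], seq 200, win 64240, length 0
12:00:00.200001 IP 198.51.100.10.40002 > 203.0.113.1.22: Flags [S], seq 300, win 64240, length 0
12:00:00.300001 IP6 2001:db8:1::10.40003 > 2001:db8:2::1.443: Flags [S], seq 400, win 64240, length 0
12:00:00.300080 IP6 2001:db8:2::1.443 > 2001:db8:1::10.40003: Flags [S.], seq 900, ack 401, win 65535, length 0
"""

# family, src addr, src port, dst addr, dst port, TCP flags
LINE = re.compile(r"\s(IP6?)\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify_probes(capture):
    """Return {(family, dst_addr, dst_port): 'stealth' | 'closed' | 'open'}."""
    probes = {}  # (family, src, sport, dst, dport) -> state
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        fam, src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            # Bare SYN: a probe. Until a reply is seen it counts as dropped.
            probes.setdefault((fam, src, sport, dst, dport), "stealth")
            continue
        # A reply carries the probe's 4-tuple reversed.
        key = (fam, dst, dport, src, sport)
        if key in probes:
            if "R" in flags:
                probes[key] = "closed"   # RST sent: the host revealed itself
            elif flags.startswith("S"):
                probes[key] = "open"     # SYN-ACK sent
    return {(k[0], k[3], int(k[4])): state for k, state in probes.items()}


if __name__ == "__main__":
    for (fam, addr, port), state in sorted(classify_probes(SAMPLE).items()):
        print(f"{fam:4} {addr} port {port}: {state}")
```
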