IPv6 Secure Stealth Firewall

I am using v18.06.1

BACKGROUND:
My ISP has native (I think that’s the right term) IPv6. IPv6 functions with out-of-the-box OpenWRT. I would like to use IPv6 as long as it is safe and secure to do so. I assume the stock firewall settings are secure. However, neither IPv4 nor IPv6 ports are stealthed.

I know there is some debate regarding stealthing ports, but I think it still makes the most sense for me to do this for my home router. If not, however, I know next to nothing and I am willing to be convinced otherwise with explanation.

I have gotten my IPv4 ports stealthed already by dropping input and forward packets in the WAN zone and dropping ICMP pings in the traffic rules.

QUESTIONS: How do I stealth IPv6 ports? Are there any security concerns with the stock OpenWRT firewall settings on either the IPv6 or IPv4 side?

Thanks so much for any help.

Can you explain what it is that your current firewall doesn't do that you want it to do? Is it that you want the firewall to DROP instead of REJECT packets? Just select DROP in the LuCI menu for the forwarding and/or input policy on WAN.

Stealthing IPv6 completely would likely cause some problems, as e.g. the path MTU needs to be negotiated with ICMPv6, since no packet fragmentation is allowed.

My current firewall settings allow an acknowledgment for port scans on IPv6. I do not want it to do this. I want my IPv6 ports to be stealth. They are not.

I have already set these settings in WAN. This does not seem to affect the IPv6 side.

I am using this IPv6 scanner to verify.

I have noticed that the consumer routers with stock firmware that I have tried have these ports stealthed by default. It doesn’t seem to affect functionality, but then again I didn't extensively test them. Is there something different between them and OpenWRT?

Did you restart your firewall / router after adjusting the Forward rule to DROP?

Yes. The issue doesn't seem to be related to this rule. When I switched this rule when stealthing IPv4, it didn't seem to do the trick until I dropped the ICMP packets in the traffic rules.

The forward option in the zones only seems to be used for traffic that's looping back to the same zone. Is this intentional?

The global forward option is REJECT on my router, and in the WAN zone it's DROP. This results in the following ip6tables rule in the zone_wan_forward chain:

zone_wan_dest_DROP  all      *      *       ::/0                 ::/0                 /* !fw3 */

And zone_wan_dest_DROP contains the following rules with zero packet counts:

DROP       all      *      eth1.4  ::/0                 ::/0                 /* !fw3 */
DROP       all      *      6in4-wan6  ::/0                 ::/0                 /* !fw3 */

(eth1.4 is my WAN.)

Apparently only packets that otherwise would loop back to WAN are dropped. But in LuCI you get the impression that all incoming traffic from WAN is dropped. (It says wan->[DROP].)

Try setting your global forwarding policy to default DROP. I agree there seems to be a bug here actually.

I was just coming back to report that I did so and it mostly solves the issue. The only port not showing stealth with these settings is 500. Any idea why this would be?

There are special UDP port 500 rules to deal with IPsec packets, I think. You can turn off that rule under "Traffic rules" on the firewall page.

You can block Ping (Echo-Request); but, as others said, some ICMP needs to be negotiated for proper operation of IPv6.
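To show what the three points above (global forward policy DROP, the UDP 500 rule, and keeping the ICMPv6 types IPv6 needs while dropping echo-request) look like in fw3's own config format, here is an added /etc/config/firewall fragment. It is an illustrative example written for this thread, not the thread author's config and not a verbatim copy of the OpenWrt 18.06 default file: the option names are fw3's, but the contents of the Allow-ISAKMP and Allow-ICMPv6-Input stanzas are reproduced from memory of the 18.06 defaults and should be compared against your own file before applying. Only the stanzas the thread touches are shown; everything else in the default file (lan zone, DHCPv6, MLD, ESP rules) stays as it ships.

```uci
# /etc/config/firewall -- OpenWrt 18.06 (fw3) fragment, added example.
# Assumption: WAN is the 'wan' and 'wan6' interfaces; add your 6in4
# interface to the zone's network list if you use one.

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	# Previously REJECT. With REJECT here, the wan zone's own DROP below
	# only reaches traffic that would loop back into wan (the
	# zone_wan_dest_DROP chain with zero counters); DROP here is what
	# silences the scanner's forwarded probes.
	option forward		DROP

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		DROP
	option output		ACCEPT
	option forward		DROP
	option masq		1
	option mtu_fix		1

# The default rule that leaves UDP 500 (ISAKMP) visible to the scanner.
# 'option enabled 0' is the config-file equivalent of unticking it under
# Traffic rules; IPsec VPN passthrough (e.g. an Xbox behind the router)
# stops working while it is disabled.
config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT
	option enabled		0

# ICMPv6 the router must still accept for IPv6 to work: packet-too-big
# for path MTU discovery, neighbour/router discovery for the link.
# echo-request is left out of the list so pings from WAN are dropped;
# echo-reply stays so the router's own outgoing pings get answers.
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto		icmp
	list   icmp_type	echo-reply
	list   icmp_type	destination-unreachable
	list   icmp_type	packet-too-big
	list   icmp_type	time-exceeded
	list   icmp_type	bad-header
	list   icmp_type	unknown-header-type
	list   icmp_type	router-solicitation
	list   icmp_type	neighbour-solicitation
	list   icmp_type	router-advertisement
	list   icmp_type	neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Same idea for traffic forwarded to LAN hosts: drop echo-request,
# keep the error and MTU types so LAN hosts' connections still work.
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list   icmp_type	echo-reply
	list   icmp_type	destination-unreachable
	list   icmp_type	packet-too-big
	list   icmp_type	time-exceeded
	list   icmp_type	bad-header
	list   icmp_type	unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT
```

After editing, `/etc/init.d/firewall restart` reloads the rules, and `ip6tables -L zone_wan_dest_DROP -v -n` (the chain quoted earlier in the thread) should now show non-zero packet counters once the scanner is run again. Removing packet-too-big from either ICMPv6 list is the change most likely to produce the silent connection hangs the other replies warn about, since IPv6 routers never fragment in transit.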

Yes, I see the rule now, sorry. I’m really in the dark when it comes to IPv6. I know it contains some built-in security over and above IPv4 but don’t really understand it. Would disabling this rule allowing port 500 cause any security issues?

I guess it causes problems for Xbox and other devices which use IPsec VPN.

Here we already have examples of people removing default rules and then complaining that some trivial things stop working.
The default OpenWrt firewall setup is secure enough, and further traffic blocking may, and very probably will, lead to connectivity issues.


Is this really a thing?