BACKGROUND:
My ISP has native (I think that’s the right term) IPv6. IPv6 functions with out-of-the-box OpenWRT. I would like to use IPv6 as long as it is safe and secure to do so. I assume the stock firewall settings are secure. However neither IPv4 nor IPv6 ports are stealthed.
I know there is some debate regarding stealthing ports, but I think it still makes the most sense for me to do this for my home router. If not however, I know next to nothing and I am willing to be convinced otherwise with explanation.
I have gotten my IPv4 ports stealthed already by dropping input and forward packets in the WAN zone and dropping ICMP pings in the traffic rules.
QUESTIONS: How do I stealth IPv6 ports? Are there any security concerns with the stock OpenWRT firewall settings on either the IPv6 or IPv4 side?
Can you explain what it is that your current firewall doesn't do that you want it to do? Is it that you want the firewall to DROP instead of REJECT packets? Just select DROP in the LuCi menu for the forwarding and/or input policy on WAN
Stealthing ipv6 completely would likely cause some problems as e.g. the path MTU needs to be negotiated with icmp6 as no packet fragmentation is allowed.
My current firewall settings allow an acknowledgment for port scans on IPv6. I do not want it to do this. I want my IPv6 ports to be stealth. They are not.
I have already set these settings in WAN. This does not seem to effect the IPv6 side.
I have noticed that the consumer routers with stock firmware that I have tried have these ports stealthed by default. It doesn’t seem to effect functionality but then again I didn't extensively test them. Is there something different between them and OpenWRT?
yes. the issue doesn't seem to be related to this rule. When I switched this rule when stealthing IPv4 it didn't seem to do the trick until I dropped the ICMP packets in the traffic rules.
The forward option in the zones only seem to be used for traffic that's looping back to the same zone. Is this intentional?
The global forward option is REJECT on my router, and in the WAN zone it's DROP. This results in the following ip6tables rule in the zone_wan_forward chain:
zone_wan_dest_DROP all * * ::/0 ::/0 /* !fw3 */
And zone_wan_dest_DROP contains the following rules with zero packet counts:
DROP all * eth1.4 ::/0 ::/0 /* !fw3 */
DROP all * 6in4-wan6 ::/0 ::/0 /* !fw3 */
(eth1.4 is my WAN.)
Apparently only packets that otherwise would loop back to WAN are dropped. But in luci you get the impression that all incoming traffic from WAN is dropped. (It says wan->[DROP].)
I was just coming back to report that I did so and it mostly solves the issue. The only port not showing stealth with these settings is 500. Any idea why this would be?
Yes I see the rule now, sorry. I’m really in the dark when it comes to IPv6. I know it contains some built in security over and above IPv4 but don’t really understand it. Would disabling this rule allowing port 500 cause any security issues?
Here we already have examples of people removing default rules and then complaining that some trivial things stop working.
Default OpenWrt firewall setup is secured enough and further traffic blocking may and highly probable will lead to connectivity issues.
Please note this thread is 4 years old...
But out of the box OpenWrt is pretty secure for both IPv4 and IPv6.
'Stealthing' ports is quite often a fools errand as either ISPs give differential responses whether an (IPv4) address is assigned to an endcustomer or not, or in the case of IPv6 the challenge is to guess a valid interface identifier for the targeted endpoint and getting past the OpenWrt firewall (for IPv6 by default ICMP is allowed, but access from the outside via TCP/UDP is not, and ICMP does not use ports at all so is orthogonal to the 'stealthing' question.
IMHO stealthing is a waste of time, as it only affects discoverability very slightly (if at all) but it gives an arguably undeserved feeling of enhanced security....
^ this. As far as I'm aware there's plenty of techniques available to bad actors to allow them to distinguish between valid IPs with 'stealthed' ports and non-valid IPs.