IPv6 Firewall Cisco IOS ACL based

From Teknologisk videncenter
Revision as of 11:41, 21 May 2014 by Heth (talk | contribs) (added Category:IPv6 Security using HotCat)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
IPv6 Firewall example

IPv6 firewall example using access lists.

Access-lists as firewall

One of the fundamental problems with ACLs is the fact that they do not maintain state information about the traffic flows. ACLs do not observe what host on which interface initiated the conversation or which end of the conversation is the client and which end is the server. Standard ACLs do not have any concept of TCP SYN, SYN ACK, ACK, or FIN flags and their influence on a TCP establishment and connection. Therefore, ACLs tend to be less granular than policies that are configured on a fully stateful packet-filtering firewall. ACLs might be fast but they are not extremely precise.

Internet inbound trafic

ipv6 access-list Internet-Inbound
 remark Deny loopback address
 deny ipv6 ::1/128 any
 remark Deny IPv4-compatible addresses
 deny ipv6 0::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::ffff:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 deny ipv6 ::0.0.0.0/96 any
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::0.0.0.0/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:e000::/20 any log
 deny ipv6 2002:7f00::/24 any log
 deny ipv6 2002:0000::/24 any log
 deny ipv6 2002:ff00::/24 any log
 deny ipv6 2002:0a00::/24 any log
 deny ipv6 2002:ac10::/28 any log
 deny ipv6 2002:c0a8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp fe80::/10 any nd-na
 permit icmp fe80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 fe80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 fec0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 fc00::/7 any
 remark Deny multicast packets
 deny ipv6 ff00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:db8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3ffe::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound
 deny ipv6 2001:db8:11::/48 any log
 remark permit BGP to and from our EBGP neighbor
 permit tcp host 2001:db8:4::1 host 2001:db8:4::2 eq bgp
 permit tcp host 2001:db8:4::1 eq bgp host 2001:db8:4::2
 remark Permit traffic to our web server
 permit tcp any host 2001:db8:11::100 eq www
 remark Permit our returned traffic from internal clients
 permit tcp any 2001:db8:11::/48 range 1024 65535
 permit udp any 2001:db8:11::/48 range 1024 65535
 remark Permit inbound DNS responses to our internal caching DNS server
 permit udp any eq domain host 2001:db8:11:30:20c:29ff:fe5d:982a
 remark Permit good ICMPv6 message types
 permit icmp any 2001:db8:11::/48 destination-unreachable
 permit icmp any 2001:db8:11::/48 packet-too-big
 permit icmp any 2001:db8:11::/48 time-exceeded
 permit icmp any 2001:db8:11::/48 parameter-problem
 permit icmp any 2001:db8:11::/48 echo-reply
 remark Permit our ISP to ping our external interface
 permit icmp host 2001:db8:4::1 host 2001:db8:4::2 echo-request
 remark Deny everything else and log it
 deny ipv6 any any log

Internet outbound trafic

ipv6 access-list Internet-Outbound
 remark Deny loopback address
 deny ipv6 any ::1/128
 remark Deny IPv4-compatible addresses
 deny ipv6 any 0::/96
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 any ::ffff:0.0.0.0/96
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 deny ipv6 any ::0.0.0.0/96
 remark Deny other compatible addresses
 deny ipv6 any ::224.0.0.0/100 log
 deny ipv6 any ::127.0.0.0/104 log
 deny ipv6 any ::0.0.0.0/104 log
 deny ipv6 any ::255.0.0.0/104 log
 remark Deny false 6to4 packets
 deny ipv6 any 2002:e000::/20 log
 deny ipv6 any 2002:7f00::/24 log
 deny ipv6 any 2002:0000::/24 log
 deny ipv6 any 2002:ff00::/24 log
 deny ipv6 any 2002:0a00::/24 log
 deny ipv6 any 2002:ac10::/28 log
 deny ipv6 any 2002:c0a8::/32 log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp fe80::/10 any nd-na
 permit icmp fe80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 any fe80::/10
 remark Deny Site-Local (deprecated)
 deny ipv6 any fec0::/10
 remark Deny Unique-Local packets
 deny ipv6 any fc00::/7
 remark Deny multicast packets
 deny ipv6 any ff00::/8
 remark Deny Documentation Address
 deny ipv6 any 2001:db8::/32
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 any 3ffe::/16
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Permit outbound DNS requests from our internal caching DNS server
 permit udp host 2001:db8:11:30:20c:29ff:fe5d:982a any eq domain
 remark Permit good ICMPv6 message types
 permit icmp 2001:db8:11::/48 any destination-unreachable
 permit icmp 2001:db8:11::/48 any packet-too-big
 permit icmp 2001:db8:11::/48 any time-exceeded
 permit icmp 2001:db8:11::/48 any parameter-problem
 permit icmp 2001:db8:11::/48 any echo-reply
 remark Permit our own addresses going outbound
 permit ipv6 2001:db8:11::/48 any
 remark Deny everything else and log it
 deny ipv6 any any log

Applying the access lists

interface FastEthernet 0/0
 description Link to IPv6 Internet
 ipv6 address 2001:db8:4::2/64
 ipv6 nd dad attempts 0
 ipv6 traffic-filter Internet-Inbound in
interface FastEthernet 0/1
 description Link to internal IPv6 network
 ipv6 address 2001:db8:11::1/64
 ipv6 nd dad attempts 0
 ipv6 traffic-filter Internet-Outbound in