Virtua IT, d.o.o.
Kotnikova ulica 35
1000 Ljubljana
Slovenija

T: +386 590 91780
E: info@virtua-it.si

The new Internet protocol is here and, as I have mentioned before, it will bring a whole pile of problems with it. The first is certainly network security. I am not claiming that IPv6 is any more dangerous than the existing IPv4; the point is simply that there is no longer the so-called NAT mechanism, which hid internal IP addresses behind the firewall and thereby introduced a kind of logical barrier. Good practice was of course to add the necessary filters alongside the NAT rule itself, but in practice we mostly did not do much of that.

Since IPv6 was introduced I have been looking for a suitable firewall configuration for my MikroTik router, and it seems I found one today. Its beauty is that it is very detailed and precise. A large part of it is devoted to the ICMP protocol, which will probably be the main security topic with IPv6, since we can no longer simply block it; so it makes sense to at least see what is going on there and regulate things to some extent.

Short instructions
Set only the first three global variables so that they match your IPv6 network. The first names the IPv4-to-IPv6 tunnel interface (unless you already get IPv6 directly on the provider's port, in which case enter that interface), the second defines your subnet, and the third the interface (or bridge) where the internal users are.

You can create your free IPv6 tunnel at http://tunnelbroker.net . MikroTik is among the supported routers, so they will generate the code for you, which you then paste into your router. It should work right away; in my case network discovery played up a little, but that may already be fixed in the current version.

    # Tunnel (or provider) interface, the local /64, and the LAN interface or bridge
    :global wan sit1
    :global locals 2001:xx:xx:xx::/64
    :global lan UporabnikiIpv6

    # Address list "local" holds our own prefix; rules below match on it
    /ipv6 firewall address-list {
    add address=$locals comment="" disabled=no list=local
    }

    # Start from an empty ruleset
    /ipv6 firewall filter {
    remove [find]
    }
    /ipv6 firewall filter {
    # forward: drop invalid, hand ICMPv6 to its own chain, allow established/related,
    # then allow new connections only between the local prefix and global unicast
    add action=accept chain=output comment=Multicast disabled=no dst-address=ff02::/16
    add action=drop chain=forward comment=Invalid connection-state=invalid disabled=no
    add action=jump chain=forward comment=Forward-icmpv6 disabled=no jump-target=forward-icmp protocol=icmpv6
    add action=accept chain=forward comment="forward established" connection-state=established disabled=no
    add action=accept chain=forward comment=related connection-state=related disabled=no
    add action=accept chain=forward comment=Forward-locals connection-state=new disabled=no dst-address=2000::/3 dst-address-list=!local out-interface=$wan src-address-list=local in-interface=$lan
    add action=accept chain=forward comment=Forward-Internet connection-state=new disabled=no out-interface=$lan dst-address-list=local in-interface=$wan src-address=2000::/3 src-address-list=!local
    add action=log chain=forward comment="" disabled=no log-prefix=""
    add action=drop chain=forward comment="" disabled=no
    # input: traffic to the router itself; LAN is trusted, WAN goes to input-internet-v6
    add action=accept chain=input comment=Multicast disabled=no dst-address=ff02::/16 in-interface=$lan
    add action=jump chain=input comment=icmpv6 disabled=no jump-target=input-icmp protocol=icmpv6
    add action=accept chain=input comment=Established connection-state=established disabled=no
    add action=drop chain=input comment=Invalid connection-state=invalid disabled=no
    add action=accept chain=input comment=lan disabled=no in-interface=$lan src-address-list=local
    add action=jump chain=input comment=input-internet disabled=no in-interface=$wan jump-target=input-internet-v6 src-address-list=!local
    add action=log chain=input comment="default log" disabled=no log-prefix=""
    add action=drop chain=input comment="default input drop" disabled=no
    # input-icmp: ICMPv6 types the router accepts from anyone; everything else is logged and dropped
    add action=accept chain=input-icmp comment="Destination Unreachable RFC4443" disabled=no icmp-options=1:0 protocol=icmpv6
    add action=accept chain=input-icmp comment="Packet Too big RFC4443" disabled=no icmp-options=2:0 protocol=icmpv6
    add action=accept chain=input-icmp comment="Echo request RFC4443" disabled=no icmp-options=128:0 protocol=icmpv6
    add action=accept chain=input-icmp comment="Echo Reply RFC4443" disabled=no icmp-options=129:0-255 protocol=icmpv6
    add action=accept chain=input-internet-v6 comment="" disabled=no
    add action=accept chain=input-icmp comment="Neighbor Advertisement RFC4861" disabled=no icmp-options=136:0-255 protocol=icmpv6
    add action=accept chain=input-icmp comment="Neighbor Solicitation RFC4861" disabled=no icmp-options=135:0-255 protocol=icmpv6
    add action=accept chain=input-icmp comment="Parameter Problem RFC4443" disabled=no icmp-options=4:0 protocol=icmpv6
    add action=log chain=input-icmp comment="" disabled=no log-prefix=""
    add action=drop chain=input-icmp comment="Default drop" disabled=no
    # output: the router's own ICMPv6 is filtered in output-icmp; other output is logged
    add action=jump chain=output comment=Output-icmpv6 disabled=no jump-target=output-icmp protocol=icmpv6
    add action=log chain=output comment="" disabled=no log-prefix=""
    add action=accept chain=output-icmp comment="Destination Unreachable RFC4443" disabled=no icmp-options=1:0 protocol=icmpv6
    add action=accept chain=output-icmp comment="Packet Too big RFC4443" disabled=no icmp-options=2:0 protocol=icmpv6
    add action=accept chain=output-icmp comment="Echo request RFC4443" disabled=no icmp-options=128:0 protocol=icmpv6
    add action=accept chain=output-icmp comment="Echo Reply RFC4443" disabled=no icmp-options=129:0-255 protocol=icmpv6
    add action=accept chain=output-icmp comment="Neighbor Advertisement RFC4861" disabled=no icmp-options=136:0-255 protocol=icmpv6
    add action=accept chain=output-icmp comment="Neighbor Solicitation RFC4861" disabled=no icmp-options=135:0-255 protocol=icmpv6
    add action=accept chain=output-icmp comment="Parameter Problem RFC4443" disabled=no icmp-options=4:0 protocol=icmpv6
    add action=drop chain=output-icmp comment="" disabled=no
    # forward-icmp: ICMPv6 allowed through the router; neighbour discovery stays disabled here
    add action=accept chain=forward-icmp comment="Echo Reply RFC4443" disabled=no icmp-options=129:0-255 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Destination Unreachable RFC4443" disabled=no icmp-options=1:0 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Packet Too big RFC4443" disabled=no icmp-options=2:0 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Echo request RFC4443" disabled=no icmp-options=128:0 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Neighbor Advertisement RFC4861" disabled=yes icmp-options=136:0-255 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Neighbor Solicitation RFC4861" disabled=yes icmp-options=135:0-255 protocol=icmpv6
    add action=accept chain=forward-icmp comment="Parameter Problem RFC4443" disabled=no icmp-options=4:0 protocol=icmpv6
    add action=log chain=forward-icmp comment="" disabled=no log-prefix=""
    add action=drop chain=forward-icmp comment="Default Drop" disabled=no
    }
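A ruleset this long is easier to review mechanically than by eye. The Python script below is an added example, not part of the original post and not a MikroTik tool: it parses `add key=value ...` lines in the form RouterOS exports them and reports two things a reviewer would want to see in the script above. First, accept rules with no match conditions at all (the `input-internet-v6` chain above consists of exactly one such rule, so every packet jumped there from `$wan` is accepted). Second, the ICMPv6 error messages that RFC 4890 (section 4.3.1) lists as traffic a firewall must not drop, compared against what the enabled rules of each `*-icmp` chain actually accept (the chains above accept Destination Unreachable and Parameter Problem with code 0 only and have no rule for Time Exceeded, type 3). The embedded sample rules are the ICMP chains from the script above with plain ASCII quotes; the per-type code sets in `MUST_PASS` are my reading of the RFC and should be checked against it.

```python
"""Audit the ICMPv6 handling of a RouterOS '/ipv6 firewall filter' export."""
import shlex
from collections import defaultdict

# Constructed sample input: the input-icmp and forward-icmp chains plus the
# input-internet-v6 rule from the post's script, quotes normalised to ASCII.
# Feed the output of '/ipv6 firewall filter export' here to audit a real router.
SAMPLE_RULES = """
add action=accept chain=input-internet-v6 comment="" disabled=no
add action=accept chain=input-icmp comment="Destination Unreachable RFC4443" disabled=no icmp-options=1:0 protocol=icmpv6
add action=accept chain=input-icmp comment="Packet Too big RFC4443" disabled=no icmp-options=2:0 protocol=icmpv6
add action=accept chain=input-icmp comment="Echo request RFC4443" disabled=no icmp-options=128:0 protocol=icmpv6
add action=accept chain=input-icmp comment="Echo Reply RFC4443" disabled=no icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=input-icmp comment="Neighbor Advertisement RFC4861" disabled=no icmp-options=136:0-255 protocol=icmpv6
add action=accept chain=input-icmp comment="Neighbor Solicitation RFC4861" disabled=no icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=input-icmp comment="Parameter Problem RFC4443" disabled=no icmp-options=4:0 protocol=icmpv6
add action=drop chain=input-icmp comment="Default drop" disabled=no
add action=accept chain=forward-icmp comment="Echo Reply RFC4443" disabled=no icmp-options=129:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment="Destination Unreachable RFC4443" disabled=no icmp-options=1:0 protocol=icmpv6
add action=accept chain=forward-icmp comment="Packet Too big RFC4443" disabled=no icmp-options=2:0 protocol=icmpv6
add action=accept chain=forward-icmp comment="Echo request RFC4443" disabled=no icmp-options=128:0 protocol=icmpv6
add action=accept chain=forward-icmp comment="Neighbor Advertisement RFC4861" disabled=yes icmp-options=136:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment="Neighbor Solicitation RFC4861" disabled=yes icmp-options=135:0-255 protocol=icmpv6
add action=accept chain=forward-icmp comment="Parameter Problem RFC4443" disabled=no icmp-options=4:0 protocol=icmpv6
add action=drop chain=forward-icmp comment="Default Drop" disabled=no
"""

# ICMPv6 error messages that RFC 4890 section 4.3.1 says a firewall must not drop
# (assumption: my reading of the RFC). type -> (name, codes that must pass).
MUST_PASS = {
    1: ("Destination Unreachable", set(range(7))),   # all codes defined in RFC 4443
    2: ("Packet Too Big", {0}),
    3: ("Time Exceeded", {0}),                        # hop limit exceeded in transit
    4: ("Parameter Problem", {1, 2}),                 # unknown next header / option
}


def parse_rules(script):
    """Turn 'add key=value ...' lines into dicts; shlex handles the quoted values."""
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def icmp_codes(rule):
    """Return (type, set of codes) from icmp-options such as '1:0' or '129:0-255'."""
    opt = rule.get("icmp-options")
    if opt is None:
        return None
    icmp_type, _, codes = opt.partition(":")
    low, _, high = codes.partition("-")
    return int(icmp_type), set(range(int(low), int(high or low) + 1))


def accepted_types(rules, chain):
    """Map ICMPv6 type -> accepted codes over the enabled accept rules of one chain."""
    accepted = defaultdict(set)
    for rule in rules:
        if rule.get("chain") != chain or rule.get("action") != "accept":
            continue
        if rule.get("disabled") == "yes":
            continue  # a disabled rule matches nothing
        parsed = icmp_codes(rule)
        if parsed:
            accepted[parsed[0]] |= parsed[1]
    return dict(accepted)


def audit(rules):
    """Return findings: unconditional accepts and required ICMPv6 errors not accepted."""
    findings = []
    bookkeeping = {"action", "chain", "comment", "disabled", "log-prefix"}
    for rule in rules:
        if rule.get("action") == "accept" and rule.get("disabled") != "yes":
            if not set(rule) - bookkeeping:
                findings.append(f"{rule['chain']}: unconditional accept, no match conditions")
    for chain in sorted({r["chain"] for r in rules if r["chain"].endswith("-icmp")}):
        accepted = accepted_types(rules, chain)
        for icmp_type, (name, codes) in MUST_PASS.items():
            if icmp_type not in accepted:
                findings.append(f"{chain}: ICMPv6 type {icmp_type} ({name}) is never accepted")
            elif codes - accepted[icmp_type]:
                findings.append(f"{chain}: {name} accepts only codes "
                                f"{sorted(accepted[icmp_type])}, missing {sorted(codes - accepted[icmp_type])}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Run against the sample it reports the accept-all rule in `input-internet-v6`, the absent Time Exceeded rule in both ICMP chains, and the code-0-only restriction on Destination Unreachable and Parameter Problem. Whether each finding is acceptable is a policy decision (a router that only ever originates TCP may not care about port-unreachable codes), but the script makes the gaps visible instead of leaving them buried in a hundred rule lines.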
