SEI Insights

CERT/CC Blog

Vulnerability Insights

Filtering ICMPv6 Using Host-Based Firewalls

Posted on by in

Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know.

ICMPv6 is a protocol that is an integral part of IPv6. ICMPv6 is defined in RFC 4443, and additional functionality is described in later RFCs. IANA maintains a list of ICMPv6 types with links to the corresponding RFCs. It's not easy to have a functioning IPv6-enabled network without allowing some ICMPv6 types, so below are some examples of how to filter ICMPv6 on hosts using ip6tables and the Vista firewall.

Consider these three disclaimers before reading further:

  1. Don't use any of these rules in production without testing.
  2. These rules may or may not apply to link local addresses. Proceed with caution.
  3. The examples in this entry are not complete. More complete rules are available.
  4. The ICMPv6 types listed below can be represented by either rules or type codes.

When it comes to building rules, RFC 4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls," has done most of the hard work for us. Looking at section 4.4 and its subsections (we're focusing on host-based firewalls), various ICMPv6 types are assigned to four categories:

  1. Traffic That Must Not Be Dropped:
    Types 1,2,3,4,128,129,130,131,132,143,148,149,151,152,153,133,134,135,136,141,142
  2. Traffic That Normally Should Not Be Dropped:
    Types Type 3 - Code 1, Type 4 - Code 0
  3. Traffic That Will Be Dropped Anyway -- No Special Attention Needed:
    Types 138,144,145,146,147
  4. Traffic for Which a Policy Should Be Defined:
    Types 137,139,140,5-99,102,126

The following example rules do not attempt to cover all the advice in RFC 4890. Instead, we'll get you started with some rules that take advantage of some of the new features offered by IPv6.

First, let's set a default deny policy:

ip6tables -P INPUT -j DROP

ip6tables -P OUTPUT -j DROP

The "Traffic That Must Not Be Dropped" section lists echo request (128) and echo response (129). An attacker could use echo requests (pings) as a DoS attack vector, so we might want to block or limit these requests. Since we're talking about host-based firewalls, we can't stop echo requests from reaching us, but we can limit how many of them we respond to:

ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -j ACCEPT

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -j ACCEPT

If our host uses DHCPv6 or we manually assign an IPv6 address and gateway, we don't need stateless auto-configuration. We can drop router advertisements and block router solicitations.

You could disable the processing of router advertisements in the kernel using sysctl, and this traffic is dropped by the default policy. For practice, let's reject instead of drop (note that these rules violate RFC 4890 and will break stateless autoconfig):

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 133 -j REJECT

ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j REJECT

The default setting of the hop limit field is usually set to 255 and gets decremented by one every time a router forwards a packet. Assuming the router works correctly, this next rule will only allow echo request and echo response messages to and from nodes on the local Ethernet segment. Using the hop limit value, we can allow certain types of traffic only from other nodes connected to the same router.

You can adjust the rate to be anything that you think is reasonable. If you only want to use echo request and echo response with nearby nodes, the hl (hop limit) module can be useful. These rules restrict echo request and reply to packets that have 255 as the hop limit:

ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -m hl --hl-eq 255 -j ACCEPT

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -m hl --hl-eq 255 -j ACCEPT

ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 900/min -m hl --hl-lt 255 -j DROP

ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 129 -m limit --limit 900/min -m hl --hl-let 255 -j DROP

By default, the Windows Firewall in Vista (and Server 2008) drops inbound packets and allows outbound packets. Let's work on filtering rules for the "Traffic for Which a Policy Should Be Defined" section of RFC 4890.

Use the following command to block router redirects (type 137):

netsh advfirewall firewall add rule name "block icmpv6 type 137" dir=in action=block protocol=icmpv6:137,any

Although blocking router redirects on untrusted networks is probably a good idea, the default state of the Vista firewall doesn't explicitly allow that ICMPv6 type inbound, so we haven't done anything. Let's try something a little more advanced. This next rule allows ICMPv6 redirect messages, but only if the computer is using the "domain" profile. We could get similar functionality with ip6tables, but only if Networkmanager scripts are used (we might talk about this in a future blog entry).

netsh advfirewall firewall add rule name "allow icmpv6 type 137 for the domain profile" dir=in action=allow protocol=icmpv6:137,any profile=domain

This rule implies that the computer is logged into a domain controller and has authenticated via Active Directory. Microsoft offers more information about the profiles.

Administrators may worry about bandwidth on some links more than others. The following rule allows inbound echo requests on wired connections only:

netsh advfirewall firewall add rule name "allow icmpv6 type 128 when wired" dir=in action=allow protocol=icmpv6:128,any inerfacetype=lan

The Vista firewall includes the ability to allow (or deny) connections that are authenticated by IPsec. The security= directive can also require that connections are authenticated (authenticate) or authenticated and encrypted (authenc):

netsh advfirewall firewall add rule name "allow icmpv6 type 128 when wired" dir=in action=allow protocol=icmpv6:128,any security=authenticate

netsh advfirewall firewall add rule name "allow icmpv6 type 128 when wired" dir=in action=allow protocol=icmpv6:128,any security=authenc

If you'd like to learn more about configuring the Vista firewall by using netsh commands, see the Microsoft Technet article "Netsh Commands for Windows Firewall with Advanced Security." The ip6tables documentation is in their man page.

If you're interested in ip6tables rules, we have a more complete list that includes rules not mentioned in this blog entry.

About the Author