Firewall quickstart approach applied to IPv6 - sensecheck and some questions

Hi there, I am looking to set up the IPv6 firewall following the approach taken in the quickstart for IPv4, while also adding the IPv6 requirements stated in this blueprint.

Questions:

  1. Is this the right approach? (that is, replicate ipv4 rules into ipv6)
  2. Are there any errors?
  3. Am I right thinking that the IPv6 prefix to define the ipv6-network-group is taken from ifconfig eth1 (that’s my LAN)? Or should I define it with set service router-advert interface eth1 prefix <prefix>::/64? (at the moment I have ::/64)

Here’s what I got:

set firewall group ipv6-network-group NET-INSIDE-v6 network <prefix>::/64

set firewall ipv6 name CONN_FILTER default-action return

set firewall ipv6 name CONN_FILTER rule 10 action accept
set firewall ipv6 name CONN_FILTER rule 10 state established enable
set firewall ipv6 name CONN_FILTER rule 10 state related enable

set firewall ipv6 name CONN_FILTER rule 15 action accept
set firewall ipv6 name CONN_FILTER rule 15 protocol icmpv6

set firewall ipv6 name CONN_FILTER rule 20 action drop
set firewall ipv6 name CONN_FILTER rule 20 state invalid enable

set firewall ipv6 forward filter rule 10 action jump
set firewall ipv6 forward filter rule 10 jump-target CONN_FILTER

set firewall ipv6 input filter rule 10 action jump
set firewall ipv6 input filter rule 10 jump-target CONN_FILTER

set firewall ipv6 name OUTSIDE-IN default-action drop

set firewall ipv6 forward filter rule 100 action jump
set firewall ipv6 forward filter rule 100 jump-target OUTSIDE-IN
set firewall ipv6 forward filter rule 100 inbound-interface interface-group WAN
set firewall ipv6 forward filter rule 100 destination group network-group NET-INSIDE-v6

set firewall ipv6 input filter default-action drop

set firewall ipv6 input filter rule 30 action accept
set firewall ipv6 input filter rule 30 destination port 546
set firewall ipv6 input filter rule 30 protocol udp
set firewall ipv6 input filter rule 30 source port 547

set firewall ipv6 input filter rule 50 action accept
set firewall ipv6 input filter rule 50 source address ::1/128

One thing I noticed with these settings is that I can connect to my machine via IPv6 (port 80/443) from outside the LAN. Shouldn’t this be blocked unless otherwise stated?

I copied and tested your config, it seems to work ok for me. I checked for open ports using this website:
https://port.tools/port-checker-ipv6/

Both ports 80 and 443 succeed on the IPv6 machine where I have Caddy running. I also tested some other ports of services running on my LAN machines, and they all appear as open.

Is this a bug? Shouldn't these be inaccessible unless otherwise specifically stated in VyOS? I'm on 1.5-rolling-202310180533

(I am testing using the tool you linked, from my mobile, disconnected from the LAN's Wi-Fi)

Besides the output of:

show config commands | strip-private

it would also be handy to have the output of (replace any sensitive data with < REMOVED >):

sudo nft -s list ruleset > /config/nft_231024.txt

There you go - many thanks for following up

show config commands | strip-private

set container name adguardhome allow-host-networks
set container name adguardhome cap-add 'net-bind-service'
set container name adguardhome image 'docker.io/adguard/adguardhome:latest'
set container name adguardhome restart 'always'
set container name adguardhome volume adguardhome-conf destination '/opt/adguardhome/conf'
set container name adguardhome volume adguardhome-conf source '/config/adguardhome/conf'
set container name adguardhome volume adguardhome-hosts destination '/etc/hosts'
set container name adguardhome volume adguardhome-hosts mode 'ro'
set container name adguardhome volume adguardhome-hosts source '/etc/hosts'
set container name adguardhome volume adguardhome-work destination '/opt/adguardhome/work'
set container name adguardhome volume adguardhome-work source '/config/adguardhome/work'
set firewall group address-group ROUTE-IPs address 'xxx.xxx.64.0-xxx.xxx.79.255'
set firewall group interface-group LAN interface 'eth1'
set firewall group interface-group WAN interface 'eth0'
set firewall group ipv6-address-group ROUTE-IPs address 'xxxx:xxxx:dc00::1726:bce1'
set firewall group ipv6-network-group NET-INSIDE-v6 network 'xxxx:xxxx:c40b:1::/64'
set firewall group network-group NET-INSIDE-v4 network 'xxx.xxx.0.0/24'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'BASIC-FILTER'
set firewall ipv4 forward filter rule 100 action 'jump'
set firewall ipv4 forward filter rule 100 destination group network-group 'NET-INSIDE-v4'
set firewall ipv4 forward filter rule 100 inbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 100 jump-target 'OUTSIDE-IN'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target 'BASIC-FILTER'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 destination port '22'
set firewall ipv4 input filter rule 20 jump-target 'VyOS-MANAGEMENT'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 25 action 'jump'
set firewall ipv4 input filter rule 25 destination port '8585'
set firewall ipv4 input filter rule 25 jump-target 'ADGUARD-WEB'
set firewall ipv4 input filter rule 25 protocol 'tcp'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new 'enable'
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group 'NET-INSIDE-v4'
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 'xxx.xxx.0.0/8'
set firewall ipv4 name ADGUARD-WEB default-action 'return'
set firewall ipv4 name ADGUARD-WEB rule 15 action 'accept'
set firewall ipv4 name ADGUARD-WEB rule 15 inbound-interface interface-group 'LAN'
set firewall ipv4 name BASIC-FILTER default-action 'return'
set firewall ipv4 name BASIC-FILTER rule 10 action 'accept'
set firewall ipv4 name BASIC-FILTER rule 10 state established 'enable'
set firewall ipv4 name BASIC-FILTER rule 10 state related 'enable'
set firewall ipv4 name BASIC-FILTER rule 20 action 'drop'
set firewall ipv4 name BASIC-FILTER rule 20 state invalid 'enable'
set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 name VyOS-MANAGEMENT default-action 'return'
set firewall ipv4 name VyOS-MANAGEMENT rule 15 action 'accept'
set firewall ipv4 name VyOS-MANAGEMENT rule 15 inbound-interface interface-group 'LAN'
set firewall ipv4 name VyOS-MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS-MANAGEMENT rule 20 inbound-interface interface-group 'WAN'
set firewall ipv4 name VyOS-MANAGEMENT rule 20 recent count '4'
set firewall ipv4 name VyOS-MANAGEMENT rule 20 recent time 'minute'
set firewall ipv4 name VyOS-MANAGEMENT rule 20 state new 'enable'
set firewall ipv4 name VyOS-MANAGEMENT rule 21 action 'accept'
set firewall ipv4 name VyOS-MANAGEMENT rule 21 inbound-interface interface-group 'WAN'
set firewall ipv4 name VyOS-MANAGEMENT rule 21 state new 'enable'
set firewall ipv6 forward filter rule 10 action 'jump'
set firewall ipv6 forward filter rule 10 jump-target 'BASIC-FILTER'
set firewall ipv6 forward filter rule 100 action 'jump'
set firewall ipv6 forward filter rule 100 destination group network-group 'NET-INSIDE-v6'
set firewall ipv6 forward filter rule 100 inbound-interface interface-group 'WAN'
set firewall ipv6 forward filter rule 100 jump-target 'OUTSIDE-IN'
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter rule 10 action 'jump'
set firewall ipv6 input filter rule 10 jump-target 'BASIC-FILTER'
set firewall ipv6 input filter rule 30 action 'accept'
set firewall ipv6 input filter rule 30 destination port '546'
set firewall ipv6 input filter rule 30 protocol 'udp'
set firewall ipv6 input filter rule 30 source port '547'
set firewall ipv6 input filter rule 50 action 'accept'
set firewall ipv6 input filter rule 50 source address '::1/128'
set firewall ipv6 name BASIC-FILTER default-action 'return'
set firewall ipv6 name BASIC-FILTER rule 10 action 'accept'
set firewall ipv6 name BASIC-FILTER rule 10 state established 'enable'
set firewall ipv6 name BASIC-FILTER rule 10 state related 'enable'
set firewall ipv6 name BASIC-FILTER rule 15 action 'accept'
set firewall ipv6 name BASIC-FILTER rule 15 protocol 'icmpv6'
set firewall ipv6 name BASIC-FILTER rule 20 action 'drop'
set firewall ipv6 name BASIC-FILTER rule 20 state invalid 'enable'
set firewall ipv6 name OUTSIDE-IN default-action 'drop'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 address 'dhcpv6'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 sla-id '1'
set interfaces ethernet eth0 dhcpv6-options pd 0 length '56'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:02'
set interfaces ethernet eth1 address 'xxx.xxx.0.1/24'
set interfaces ethernet eth1 address 'xxxx:xxxx:c40b:1::1/64'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 dhcpv6-options
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:03'
set interfaces ethernet eth1 ipv6 address autoconf
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:04'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:05'
set interfaces loopback lo
set interfaces wireguard wg0 address 'xxx.xxx.0.3/24'
set interfaces wireguard wg0 address 'xxxx:xxxx:df0a::3/64'
set interfaces wireguard wg0 peer to-Wg address 'xxx.xxx.6.76'
set interfaces wireguard wg0 peer to-Wg allowed-ips 'xxx.xxx.0.0/0'
set interfaces wireguard wg0 peer to-Wg allowed-ips '::/0'
set interfaces wireguard wg0 peer to-Wg port '51820'
set interfaces wireguard wg0 peer to-Wg public-key 'xxx'
set interfaces wireguard wg0 private-key xxxxxx
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 outbound-interface 'wg0'
set nat source rule 200 translation address 'masquerade'
set nat66 source rule 100 outbound-interface 'eth0'
set nat66 source rule 100 source prefix 'xxxx:xxxx::/64'
set nat66 source rule 100 translation address 'masquerade'
set policy route ROUTE-IPs-to-Wg interface 'eth1'
set policy route ROUTE-IPs-to-Wg rule 200 destination group address-group 'ROUTE-IPs'
set policy route ROUTE-IPs-to-Wg rule 200 set table '200'
set policy route6 ROUTE-IPs-to-Wg interface 'eth1'
set policy route6 ROUTE-IPs-to-Wg rule 200 destination group address-group 'ROUTE-IPs'
set policy route6 ROUTE-IPs-to-Wg rule 200 set table '200'
set protocols static table 200 route xxx.xxx.0.0/0 interface wg0
set protocols static table 200 route6 ::/0 interface wg0
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 default-router 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 name-server 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 start 'xxx.xxx.0.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 stop 'xxx.xxx.0.125'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.0.59'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:b2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.0.53'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx mac-address 'xx:xx:xx:xx:xx:8a'
set service dhcpv6-server shared-network-name xxxxxx subnet xxxx:xxxx:c40b:1::/64 static-mapping xxxxxx identifier 'xx:xx:xx:xx:xx:9d:xx:xx:xx:xx:xx:0c:61:8a'
set service dhcpv6-server shared-network-name xxxxxx subnet xxxx:xxxx:c40b:1::/64 static-mapping xxxxxx ipv6-address 'xxxx:xxxx:c40b:1:c1a:70c5:e90:e387'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service router-advert interface eth1 other-config-flag
set service router-advert interface eth1 prefix ::/64
set service router-advert interface eth1 prefix xxxx:xxxx:c40b:1::/64
set service ssh disable-password-authentication
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type 'ssh-ed25519'
set system name-server 'xxx.xxx.0.1'
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'Europe/London'

And output of sudo nft -s list ruleset > /config/nft_231024.txt:

nft_231024.txt (12.5 KB)
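As an added audit example (not VyOS code, not the poster's config, and not a diagnosis of this thread's result), the script below answers question 3 of the first post from the other direction: it reads a `show config commands` dump and flags every place where the quickstart's WAN-to-LAN jump depends on `NET-INSIDE-v6` actually covering the LAN prefix. Assumed: the `eth1`/`NET-INSIDE-v6` names from the thread, a constructed sample using the 2001:db8::/32 documentation prefix in place of the redacted one, and that `router-advert ... prefix ::/64` takes its prefixes from the interface's run-time addresses.

```python
import ipaddress
import shlex

# Constructed sample, not the poster's real config: a few 'show config commands'
# lines modelled on the thread, with the redacted prefix replaced by 2001:db8::/32.
SAMPLE = """\
set firewall group ipv6-network-group NET-INSIDE-v6 network '2001:db8:c40b:1::/64'
set firewall ipv6 forward filter rule 100 action 'jump'
set firewall ipv6 forward filter rule 100 destination group network-group 'NET-INSIDE-v6'
set firewall ipv6 forward filter rule 100 jump-target 'OUTSIDE-IN'
set interfaces ethernet eth0 dhcpv6-options pd 0 interface eth1 sla-id '1'
set interfaces ethernet eth1 address '2001:db8:c40b:1::1/64'
set service router-advert interface eth1 prefix ::/64
set service router-advert interface eth1 prefix 2001:db8:c40b:1::/64
set service dhcpv6-server shared-network-name lan subnet 2001:db8:c40b:1::/64 static-mapping h1 ipv6-address '2001:db8:c40b:1::10'
"""

def parse(text):
    """Tokenise every 'set ...' line (quotes stripped) and drop the leading 'set'."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.startswith("set ")]

def audit(text, lan="eth1", group="NET-INSIDE-v6"):
    """List the ways a LAN prefix could fall outside the group the WAN->LAN jump keys on."""
    lines, findings = parse(text), []
    nets = [ipaddress.ip_network(t[5]) for t in lines
            if t[:5] == ["firewall", "group", "ipv6-network-group", group, "network"]]
    fwd = [t for t in lines if t[:4] == ["firewall", "ipv6", "forward", "filter"]]
    if not any(t[4:6] == ["default-action", "drop"] for t in fwd):
        findings.append("forward filter has no default-action drop: WAN traffic reaches "
                        f"OUTSIDE-IN only when its destination is inside {group}")
    if any(t[:2] == ["interfaces", "ethernet"] and t[3:5] == ["dhcpv6-options", "pd"]
           and lan in t[5:] for t in lines):
        findings.append(f"{lan} is assigned a DHCPv6-PD prefix at run time; the static "
                        f"{group} entry may not cover it")
    prefixes = []                      # every IPv6 prefix the config puts on the LAN
    for t in lines:
        if t[:4] == ["interfaces", "ethernet", lan, "address"] and len(t) > 4 and ":" in t[4]:
            prefixes.append(ipaddress.ip_interface(t[4]).network)
        elif t[:5] == ["service", "router-advert", "interface", lan, "prefix"]:
            prefixes.append(ipaddress.ip_network(t[5]))
        elif t[:2] == ["service", "dhcpv6-server"] and "subnet" in t:
            prefixes.append(ipaddress.ip_network(t[t.index("subnet") + 1]))
    for p in prefixes:
        if p == ipaddress.ip_network("::/64"):   # assumed: radvd uses run-time addresses
            findings.append(f"router-advert prefix ::/64 advertises whatever {lan} holds "
                            f"at run time; compare 'show interfaces' against {group}")
        elif not any(p.subnet_of(n) for n in nets):
            findings.append(f"LAN prefix {p} is outside {group}; forwarded traffic to it "
                            "never reaches OUTSIDE-IN")
    return findings
```

Run it against a real `show config commands | strip-private` dump (the redaction keeps the prefix structure) and treat each finding as something to confirm with `show interfaces` rather than as a verdict.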