Firewall recent IPv6 filtering

We would like to use the router as a firewall for our LAN network, for IPv4 and IPv6.

We use recent rules to limit access to some ports.
It works well with IPv4 because we ban the source IP and it’s fine.

In the case of IPv6 the attacker can easily have access to a complete /64 subnet to do their attacks.
In this scenario banning the address is pointless.

We expect to be able to match source subnet instead of source address to limit new connections.
If the subnet size could be made configurable, it would be even better.

Thanks

Do you see this?

vyos@vyos# set firewall ipv6-name test rule 10 source address
Possible completions:
   <h:h:h:h:h:h:h:h>
                IPv6 address to match
   <h:h:h:h:h:h:h:h/x>
                IPv6 prefix to match
   <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                IPv6 range to match
   !<h:h:h:h:h:h:h:h>
                Match everything except the specified address
   !<h:h:h:h:h:h:h:h/x>
                Match everything except the specified prefix
   !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
                Match everything except the specified range

and set to interface with:

vyos@vyos# set interfaces ethernet eth0 firewall local ipv6-name
Possible completions:
   <text>       Local IPv6 firewall ruleset name for interface

I see it.

But the thing is, I don’t want to do it on a specific subnet.
I will give an example:

Let’s assume the attacker has this subnet: 2001:0db8::/64

Let’s assume the router has this configuration:

set firewall ipv6-name fromWAN rule 1000 action 'drop'
set firewall ipv6-name fromWAN rule 1000 destination port '22'
set firewall ipv6-name fromWAN rule 1000 protocol 'tcp'
set firewall ipv6-name fromWAN rule 1000 recent count '5'
set firewall ipv6-name fromWAN rule 1000 recent time '3600'

The attacker can use the address 2001:0db8::1 five times, then use 2001:0db8::2 five times, and so on.
In this scenario the rule has no way to stop the attack.

Let’s think about a new parameter:

set firewall ipv6-name fromWAN rule 1000 recent subnet '64'

This would do the match and the ban at the /64 subnet level and not at the address level.

With a rule like this, the protection would be much more similar to what you have with IPv4.

I don’t think what you are mentioning will change anything about my problem.
Thank you for your help

Why not open port 22 for just specific addresses, or via VPN only?

Because anyone needs to have access to it.
As a public service. In the example I used SSH, but it may be any other service to which you want to limit new connections.

And because I want to protect all my subnets.
Any internal computer which has IPv6 and an SSH service can become a target.
The goal is to use the router to limit access to any internal computer which is not well configured and could lead to security holes.

‘Because anyone needs to have access to it.’

In that case you don’t need any rule at all.

Look at the example I gave.
I want to limit recent new connections to it:

set firewall ipv6-name fromWAN rule 1000 recent count '5'
set firewall ipv6-name fromWAN rule 1000 recent time '3600'

The recent parameter matches a packet if it comes from the same source IP more than 5 times during the last 3600 seconds.
I want to do the same thing but at the subnet level and not at the address level.
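As an added illustration (not code from this thread, from VyOS or from netfilter), here is a small Python model of the recent match as described above with the proposed per-subnet mask: it replays an attacker rotating through constructed addresses in 2001:db8::/64 against "count 5, time 3600" and compares tracking per address (prefix 128) with tracking per /64. The `prefix` parameter stands in for the hypothetical "recent subnet" option; the timestamps and addresses are constructed.

```python
"""Model of the netfilter 'recent' match with a configurable source mask.
Constructed example, not VyOS or netfilter code: the rule is "recent count 5,
recent time 3600"; prefix=128 tracks per address, prefix=64 tracks per /64."""
from collections import defaultdict, deque
import ipaddress


class RecentMatch:
    """Match when the (masked) source was already seen `count` times within
    the last `seconds` seconds, i.e. the thread's "more than 5 times"."""

    def __init__(self, count: int, seconds: int, prefix: int = 128) -> None:
        self.count = count
        self.seconds = seconds
        self.prefix = prefix  # hypothetical "recent subnet <prefix>" option
        self._seen = defaultdict(deque)  # masked source -> hit timestamps

    def key(self, src: str) -> str:
        """Apply the mask: with prefix 64, 2001:db8::7 -> 2001:db8::"""
        net = ipaddress.ip_network(f"{src}/{self.prefix}", strict=False)
        return str(net.network_address)

    def matches(self, src: str, now: float) -> bool:
        hits = self._seen[self.key(src)]
        while hits and now - hits[0] > self.seconds:  # expire old hits
            hits.popleft()
        hits.append(now)
        return len(hits) > self.count


def allowed_connections(prefix: int, attempts: int = 12) -> int:
    """Constructed attacker: one new connection per second, moving to a new
    address in 2001:db8::/64 after every 5 attempts. Returns how many get
    through a 'drop' rule that uses RecentMatch with the given prefix."""
    rule = RecentMatch(count=5, seconds=3600, prefix=prefix)
    passed = 0
    for i in range(attempts):
        src = f"2001:db8::{i // 5 + 1}"
        if not rule.matches(src, now=float(i)):
            passed += 1
    return passed


if __name__ == "__main__":
    print("per address (/128):", allowed_connections(128), "of 12 allowed")
    print("per subnet  (/64): ", allowed_connections(64), "of 12 allowed")
```

With per-address tracking every one of the 12 attempts passes, because no single address exceeds 5 hits; with the /64 mask only the first 5 pass and the rest are dropped, which is the behaviour the requested option would give.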

That would also mean that I can lock anyone’s access to SSH if I’m in your subnet.

Yes, exactly like it would if I’m using the same NAT gateway as an attacker.

It’s a little risk to take.
But it seems to me like a really reasonable risk.

Hello, sorry to bother you, but do you see my point?
I really like the recent rule to limit new connections, and using the router it can apply to all subnets.

The rule as it is is fine for IPv4, but as I tried to explain, for IPv6 it makes almost no sense because of the huge number of addresses available.

Would it be possible to think about something to fix this?

I get your point, but I think it would do more harm than good.

I would like to better understand what you mean.
fail2ban is a very popular security application that reads logs to do something similar to what I described.
This application is recommended in many Linux security documents.

Most of the security community advises limiting failed access attempts to services. This is pretty much what the rule I was talking about is made for.

Locking out some hypothetical legitimate users is very common in security procedures.
During a DDoS attack it is acceptable, and not rare, that some legitimate users are locked out by the service’s security.

I have been using this kind of rule in IPv4 for years with no drawback.
I don’t see why with IPv6 it would be more dangerous or harmful than with IPv4.

I mentioned fail2ban; it’s not an option for me because I want to apply this filter on every subnet.

Thank you for your knowledge and your feelings.

The typical recommendation would be to deny all inbound services by default and then add protection where select hosts have been opened up globally. Hosts should also be isolated in segments based on accessibility to further contain any hosts that could potentially be compromised from outside exposure. Due to the varying IPv6 deployment methods, blocking a subnet may or may not do anything for you when malicious activity occurs. Some deployments do a direct allocation of IPs out of a shared /64, some allocate /60s to /48s to segments and then sub-allocate to end devices, and some use PD with /64s or larger. The varying nature is not something that can simply be solved with a rate-limit rule. Furthermore you’re trying to use VyOS outside of its main design parameters, which at this time is mainly a router such as a CSR or ISR. In this instance I would suggest a dedicated security appliance that can apply IP intelligence, signatures, and behavioral-based analysis, such as a dedicated IDS/IPS and/or distributed HIDS/HIPS.

Accomplishing a proper defense-in-depth solution leveraging just VyOS is not going to be possible, but in conjunction with other open source solutions VyOS can be an important piece. I would suggest looking at NetFlow collection, log aggregation, a network IPS/IDS such as Suricata, a solution such as fail2ban on important servers, and even a HIDS solution such as OSSEC.

I agree with you on many points. And this is not a silver bullet which solves every problem.
It’s just a part of the solution. Almost every setup is different and needs a different configuration.

The problem in this setup is that servers show up, use random ports and go down again. I can’t use a typical setup.

But for me, the router is a good place to put a firewall. And a big part of the VyOS documentation is related to the firewall.
So I think I’m not really off track using VyOS like this.

About the recent rule: at some point people from Netfilter and the Linux kernel thought this kind of rule could be useful, and they implemented it. It’s a sign that this rule has some interest (definitely in IPv4).

The rule for IPv6 is the same as IPv4 but the implications are different.
I’m just thinking that to make this rule efficient it needs to be changed to match the subnet and not only the address itself.

It looks like for you the rule is fine like this… OK

At this point this rule is just pointless from my point of view…

Have a good day :v: