In a previous post I explained how to get native IPv6 working on a Cisco 877 ADSL modem/router.
In this post I'm going to try and setup the most simple firewall for IPV6 based on the example from SIXXS. Remember, if you're going to start using IPv6 properly all your devices are reachable from the internet by default. This is usually a bad idea, so we need a firewall.
I'm going to assume you're not running any servers at home, you just want all traffic from the outside blocked. You also want traffic from your local network to be able to reach the Internet via IPv6 and receive answers back. But no more.
First we create an accesslist that blocks all unwanted traffic, but allows enough of the ICMP protocol for the Internet to function as intended. Real networks don't block all of the incoming ICMP traffic.
ipv6 access-list ipv6-internet-in remark Prevent spoofing deny ipv6 2A02:120:100F::/48 any log remark prevent ingress of all addresses except global unicast and multicast deny ipv6 ::/3 any log deny ipv6 8000::/2 any log deny ipv6 C000::/3 any log deny ipv6 E000::/4 any log deny ipv6 F000::/5 any log deny ipv6 F800::/6 any log deny ipv6 FC00::/7 any log deny ipv6 FE00::/8 any log permit icmp any any time-exceeded permit icmp any any packet-too-big permit icmp any any echo-request permit icmp any any echo-reply deny ipv6 any any log !
Next it's time to allow outgoing traffic to poke holes on the incoming side.
ipv6 inspect name cbac-ipv6 tcp ipv6 inspect name cbac-ipv6 udp ipv6 inspect name cbac-ipv6 icmp ipv6 inspect name cbac-ipv6 ftp
Finally we bind all that to the Dialer0 interface we used in the previous post and have a functioning firewall.
Don't forget to block IPv6 access to the console on your router!
ipv6 access-list ipv6-ssh-lockdown deny ipv6 any any log line vty 0 4 ipv6 access-class ipv6-ssh-lockdown in
And that's it! Finding an example that is as basic as this took me quite a while. With some stops and starts and some IPv6-less days of working without me noticing. If you want to run a webserver or mail server or something else on IPv6, you need to add the appropriate lines in the "ipv6-internet-in" ipv6 accesslist. I'm leaving how to do that as an exercise for the reader ;-)