Default ipv6 firewall rules and security

Author Message
Roaneno
DD-WRT Novice


Joined: 11 Jan 2017
Posts: 2

PostPosted: Wed Jan 11, 2017 23:23    Post subject: Default ipv6 firewall rules and security
When reading through the ipv6 tutorial wiki https://www.dd-wrt.com/wiki/index.php/IPv6, it mentions that unless the router (or every client) has a firewall to handle ipv6 packets your clients would be directly exposed to the internet. My question is, with a recent dd-wrt image, do I have to do any extra configuration in order to be secure? I would expect that when enabling ipv6 through the GUI, secure default rules are put in place. If there is any extra configuration, where would be a good place to learn? Thanks
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Thu Jan 12, 2017 6:47    Post subject:
Unfortunately, a lot of that info is out of date. IPv6 was not fully implemented back when that info was written, particularly the mention of build 14929.

You can find the default v6 firewall rules that are applied here:

http://svn.dd-wrt.com/browser/src/router/services/networking/firewall.c#L2642

Add ?rev=##### (replace with a valid SVN commit to show the exact version in your build)

These rules will be automatically used depending on what you select for your IPv6 setup; note the nvram_match conditions (e.g. native vs tunnel). So no, you don't need to do any extra configuration, unless you have specific requirements. Default ip6tables rules were added to the more recent builds; the older builds required you to add your own firewall rules until IPv6 was properly implemented, but this has been the case for a while now.

If you are concerned, you can use nmap to test IPv6 port visibility, or alternatively a service like the one below, to test whether any of your IPv6 ports are open to the WAN side.

https://ipv6.chappell-family.com/ipv6tcptest/

By default, DD-WRT will not expose any incoming IPv6 ports to any services behind your router, providing the firewall is active; you have to write your own ip6tables rules in the FORWARD chain to open ports.

Example rule (HTTP web server running on a specific v6 host):
Code:
ip6tables -I FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 80 -j ACCEPT

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
Roaneno
DD-WRT Novice


Joined: 11 Jan 2017
Posts: 2

PostPosted: Thu Jan 12, 2017 20:50    Post subject:
Thanks for the information! Everything is working as expected.