IPv6 firewall
As far as we know, all Windows versions have standard firewall functionality built in. For the standard Windows firewall setup, go to Windows firewall setup for IPv6.
Even though a firewall is built into Windows operating systems as standard, we know many people would feel safer with additional third-party firewall software. And of course system administrators managing IPv6 networks and servers on IPv6 networks might need additional configuration options or, especially for Windows XP and Windows Server 2003, an easier user interface.
Third party firewall software for IPv6 on Windows
A while ago, around the beginning of 2011, we investigated firewall software for IPv6 on Windows. At that time we didn't really find a suitable solution, and as we did not find the time to pursue the issue, we did not continue looking for suitable software for IPv6, even though we would want it for our Windows 2003 servers, which are kind of open to the IPv6 network.
Today, November 19, 2011, we decided to check again, mainly because we were told there is still a lot of fear, anxiety and doubt (FUD) about IPv6 in the world which seems to be part of the reason for the slow progress in IPv6 implementation.
To our amazement we did not find a lot of pages on the internet about the issue. Searches for 'ipv6 firewall software for Windows' did not give any real results. We ended up in some standard overviews of firewall software, like the one on Wikipedia, but no real solutions. And even this page, which has not been updated for a long time and we think does not hold any real information on the subject, scores quite high.
Well, we decided just to install the two most common freeware firewall programs to improve our protection against attacks through the IPv6 network:
To our amazement, neither of these third-party firewall programs, which as far as we know are very common and well known, seems to have any IPv6 support; at least, we couldn't find it. Neither of them even mentions it!
Not a good result, we think, as one of our main concerns regarding IPv6 implementation, especially for home use, is the removal of the common NAT routers in between our home and the Internet, which give natural protection against attacks from the outside world on computers in our home network.
IPv6 Firewall Configuration
To configure the IPv6 Internet Connection Firewall (ICF) provided with the Advanced Networking Pack for Windows XP, commands in the netsh firewall context must be used.
Note: IPv6 Internet Connection Firewall is only provided with the Advanced Networking Pack for Windows XP, a free download for computers running Windows XP with Service Pack 1. For computers running Windows XP with Service Pack 2, IPv6 Internet Connection Firewall has been replaced with the new Windows Firewall.
At the Windows command prompt, type netsh -c firewall to enter the netsh firewall context. From the netsh firewall> prompt, use the following commands for IPv6 ICF:
- show
It displays the IPv6 ICF configuration.
- show globalport
It displays the global ports. These are ports that are configured on all network adapters. It does not indicate whether any global ports are being ignored on any particular network adapter.
- show adapter
It displays the IPv6 ICF configuration information for a single network adapter.
Usage: netsh firewall> show adapter [name]
When you type show adapter, a list of all network adapters with IPv6 configured appears. Each item indicates whether filtering is enabled for that adapter.
When the adapter name is added as an argument, you'll see a list of all the ports that are open (description, port number, and protocol) and a list of all the Internet Control Message Protocol (ICMP) options and their states (description, ICMP type number, and state).
- EffectivePort: This is a list of the actual ports that are open. This is a combination of global ports, per-adapter ports, and ignored ports.
- OpenPort: This is a list of ports that are opened specifically for the network adapter.
- IgnoredGlobalPort: This is a list of the global ports that are ignored on this network adapter.
- show logging
It displays the logging configuration information, including which logging options are enabled, the location of the log file, and the log file size.
- set globalport
It allows you to configure ports on all network adapters.
- set adapter
It allows you to configure changes for individual network adapters.
Usage: set adapter [name] [icmp type#=enable|disable] [port port#=enable|disable [name=name] [protocol=tcp|udp]] [ignoreglobalport port#=enable|disable [name=name] [protocol=tcp|udp]] [filtering=enable|disable]
This command can set ICMP options, create or remove port policy, and enable or disable IPv6 filtering for a single connection.
- icmp Makes changes to the adapter's ICMP configuration.
- type# Specifies the ICMPv6 type number that is to be enabled/disabled.
- port Makes changes to the adapter-specific list of open ports. Note that adapter-specific open ports are not affected by ignored global ports. For example, if TCP port 80 is set to enabled using the port command, subsequently using ignoreglobalport for TCP port 80 on the same adapter will have no effect. Inbound traffic to the adapter in question will continue to be allowed through TCP port 80.
- ignoreglobalport Makes changes to the list of global ports that are to be ignored by this adapter. An ignored global port will override the global port setting, and disallow inbound traffic to the ignored port for the adapter in question.
- port# Specifies the port number to be enabled or disabled, or the number of the global port that is to be ignored or allowed.
- name Allows the user to provide a description of what the filter exception is for. An example is my Web server.
- protocol Allows the user to specify whether TCP or UDP traffic is allowed. If no value is specified, TCP will be selected.
- filtering Makes changes to the state of filtering on this adapter, such as whether the firewall is enabled or disabled for the adapter.
- set logging
It allows you to configure logging options.
Use this command to specify where the file is written to on your hard disk, the size of the log file, and if dropped packets and/or successful connections are logged. The file size has an upper limit of 32,767 KB. The log file name that is specified is for the IPv6 ICF log file; the IPv4 log file is separate.
Usage: set logging [filelocation=<location>] [filesize=integer] [droppedpackets=enable|disable] [successfulconnections=enable|disable]
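The port precedence described above for show adapter and set adapter (EffectivePort as the combination of global ports, per-adapter ports, and ignored ports) can be modelled to check a planned configuration before typing it in. The Python code below is an added example, not part of the original page or of netsh; the adapter names, port lists, and the functions effective_ports and audit are constructed for illustration.

```python
from dataclasses import dataclass, field

# A port is a (protocol, number) pair, e.g. ("tcp", 80).

@dataclass
class Adapter:
    name: str                                          # constructed adapter name
    filtering: bool = True                             # filtering=enable|disable
    open_ports: set = field(default_factory=set)       # OpenPort
    ignored_global: set = field(default_factory=set)   # IgnoredGlobalPort


def effective_ports(global_ports, adapter):
    """EffectivePort: per-adapter ports plus the global ports not ignored here.

    Per-adapter ports are added after the subtraction, so an ignored global
    port that is also opened on the adapter stays open, as the page states.
    """
    return set(adapter.open_ports) | (set(global_ports) - adapter.ignored_global)


def audit(global_ports, adapter):
    """Return findings an administrator should review before applying a plan."""
    findings = []
    if not adapter.filtering:
        findings.append(f"{adapter.name}: filtering is disabled")
    for proto, num in sorted(adapter.ignored_global & adapter.open_ports):
        findings.append(f"{adapter.name}: ignoreglobalport {proto}/{num} has no "
                        "effect, the port is also open per-adapter")
    for proto, num in sorted(adapter.ignored_global - set(global_ports)):
        findings.append(f"{adapter.name}: ignoreglobalport {proto}/{num} does "
                        "not match any global port")
    return findings


# Constructed sample plan (not taken from a real host).
GLOBAL_PORTS = {("tcp", 80), ("tcp", 3389)}
WAN = Adapter("Local Area Connection", open_ports={("tcp", 80)},
              ignored_global={("tcp", 80), ("tcp", 3389), ("udp", 53)})
LAN = Adapter("Local Area Connection 2", filtering=False, open_ports={("udp", 53)})

if __name__ == "__main__":
    for a in (WAN, LAN):
        print(a.name, sorted(effective_ports(GLOBAL_PORTS, a)))
        for finding in audit(GLOBAL_PORTS, a):
            print("  !", finding)
```

On the first sample adapter, TCP port 80 remains in the effective list despite being ignored, which is the case the page warns about for ignoreglobalport.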