> Firewalls are more complex on IPv6

This is not true. Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

> you need to pass a bunch of ICMPv6 through, to make it work

Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

> some residential routers have very bad or even zero firewall support for ipv6

Is there a proven set of routers that go through the trouble of supporting IPv6 routing but do not include a firewall?



> Firewall rules work exactly the same in IPv6 land as they do in IPv4 land.

Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.

> Indeed you shouldn't block ICMPv6, but that is not really making anything "more complex".

But it is... you need a bunch of new rules to pass through, limit, or block a bunch of ICMPv6 messages. There's a whole RFC just for that: https://datatracker.ietf.org/doc/html/rfc4890

> Is there a proven set of routers that go through the trouble of supporting IPv6 routing but do not include a firewall?

Yeah, a bunch of ISP CPEs have just a single checkmark "IPv6 firewall" on/off, and some older ones not even that (I'm talking about old Sagem and Innbox equipment I came in contact with; not sure about other telcos and the shitty CPEs they give out to their customers).


> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back.

The same is typically true of IPv6 for default configurations. You aren’t required to allow IPv6 hosts to accept unsolicited incoming traffic.

> But it is... you need a bunch of new rules to pass through, limit, or block a bunch of ICMPv6 messages. There's a whole RFC just for that: https://datatracker.ietf.org/doc/html/rfc4890

With the exception of home agent, mobility and other IPv6-specific messages, many of these recommendations also hold true for IPv4. It’s just that nobody really bothers to think that deeply about it, block all ICMP and then are shocked_pikachu_face when Path MTU discovery etc don’t work.


> Yes, rules do work exactly the same, but with IPv4, you just let all the connections out through, and let just the established and connected ones back

Yeah, and? How do you think IPv6 works? It's exactly the same.

My router’s firewall’s ipv6 section help: “All outbound traffic coming from IPv6 hosts on your LAN is allowed, as well as related inbound traffic. Any other inbound traffic must be specifically allowed here.”


People keep saying "the sky is falling, with IPv6 all the hosts are open to the internet", but not really; it is usually one rule.

On OpenBSD pf:

Block outside connections from initiating connections to your hosts:

block in on $external_if from any to $ip6_network

On IPv4, if the world were just, you would have the same rule. However, the world is not just, and you usually only get one address, so you have to pull some shenanigans to spoof that address across all your hosts:

match out on $external_if from $internal_net to any nat-to $external_if

Really, we all have a sort of Stockholm syndrome and think: yes, this is normal, this is correct, and being able to address a host end to end is weird and wrong.


> it is usually one rule

But it is not, because you have to let ICMP pass through for IPv6 to work (e.g. for path MTU discovery to work; there is no more "classic" fragmentation in IPv6).

So it's one rule to block incoming traffic, and a bunch of rules to properly allow ICMPv6 to pass through to the internal network (look at the RFC linked above).
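As an added example (not posted by anyone in the thread, and not the earlier commenter's ruleset), here is what "one block rule plus the RFC 4890 ICMPv6 allowances" looks like as an OpenBSD pf.conf fragment. The interface names, the documentation prefix 2001:db8:1::/48 and the macro names are assumed placeholders; the ICMPv6 type names are the ones pf.conf(5) uses.

```pf
# Added example, not from the thread. OpenBSD pf.conf fragment: the single
# "block inbound" rule plus the ICMPv6 messages RFC 4890 says a firewall must
# not drop. Interface names and the prefix are assumed placeholders.
ext_if  = "em0"
int_if  = "em1"
ip6_net = "2001:db8:1::/48"     # documentation prefix; use your delegated prefix

set skip on lo

# IPv4 still needs the address-sharing shenanigans (NAT); IPv6 does not.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# The one rule: nothing from outside may initiate a connection to the inside
# (pf is last-match-wins, so the pass rules below punch the needed holes).
block in on $ext_if

# Hosts may initiate outbound; pf keeps state, so replies (and ICMPv6 errors
# pf can tie to an existing state) come back without further rules.
pass in  on $int_if
pass out on $ext_if

# RFC 4890 section 4.3.1: error and informational messages that must not be
# dropped, or PMTUD, traceroute and ping break. Allowed to the internal prefix
# and to the router itself even when no state exists (inbound-facing hosts).
icmp6_errors = "{ unreach, toobig, timex, paramprob }"
pass in on $ext_if inet6 proto icmp6 to { $ip6_net, ($ext_if) } icmp6-type $icmp6_errors
pass in on $ext_if inet6 proto icmp6 to { $ip6_net, ($ext_if) } icmp6-type { echoreq, echorep }

# RFC 4890 section 4.3.3: Neighbor Discovery on the external link. Without
# these the router never learns its upstream's link-layer address or prefix.
# Router Advertisements are only valid from a link-local source.
pass in quick on $ext_if inet6 proto icmp6 from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type routeradv
pass in quick on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }
```

Check it with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`. Two things worth knowing when reading it: pf already matches ICMPv6 error messages against the state of the packet embedded in them, so a `toobig` for an outbound TCP flow would pass even without the explicit rule, which is there for the case where no state exists; and RFC 4890 additionally lists MLD on the external link and suggests rate-limiting echo requests, both left out of this fragment.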



