

Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Win7 firewall & Core Networking rules

Setting up a Windows 7 firewall and I'm trying to tighten it up a bit. I am trying to remove or disable any of the predefined rules that come already enabled in order to make it a bit more secure. Problem is that I am not familiar at all with IPv6 so I could use a little help.

Below are the predefined rules for core networking that are enabled by default on my Windows 7 PC. I use this particular PC (a netbook) only to connect to my home LAN which is behind a typical home router and if I travel to a hotel, airport wifi hotspot or similar. Perhaps also a relative's home LAN while I'm visiting.

Since that is my usage I am guessing that my home LAN and any other family member's LAN uses IPv4. We all use typical home routers that I am guessing use IPv4 on the LAN side.

1. If that is the case, then is it safe to disable all the rules below that pertain to IPv6?
2. Would all the IPv6 rules only be needed if I were to connect this PC directly to the internet?
3. I'm guessing that most wifi hotspots like hotels or airports or any small home LAN that is behind a router uses IPv4. If so then would I ever really need to allow any of these IPv6 rules?

Core Networking - inbound

1) Destination Unreachable (ICMPv6) [AET]
2) Destination Unreachable Fragmentation Needed (ICMPv4) [BET]
3) DHCP [BET]
4) DHCP IPv6 (DHCPv6) [BET]
5) IGMP [BET]
6) IPHTTPS (TCP) - To allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies & firewalls. [BET]
7) IPv6 {Inbound rule required to permit IPv6 traffic for ISATAP (intra-site automatic tunnel addressing protocol) and 6 to 4 tunneling services} [BET]
8) Multicast Listener Done (ICMPv6) [BET]
9) Multicast Listener Query (ICMPv6) [BET]
10) Multicast Listener Report (ICMPv6) [BET]
11) Multicast Listener Report v2 (ICMPv6) [BET]
12) Neighbor Discovery Advertisement (ICMPv6) [AET]
13) Neighbor Discovery Solicitation (ICMPv6) [AET]
14) Packet Too Big (ICMPv6) [AET]
15) Parameter Problem (ICMPv6) [AET]
16) Router Advertisement (ICMPv6) [BET]
17) Router Solicitation (ICMPv6) [BET]
18) Teredo (UDP) - {Allows Teredo edge traversal. Provides address assignment & autotunneling for IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 NAT} [BET]
19) Time Exceeded (ICMPv6) [AET]

[AET] = Allow Edge Traversal
[BET] = Block Edge Traversal

Core Networking - outbound

1) DNS (UDP)
2) DHCP
3) DHCP IPv6 (DHCPv6)
4) Group Policy (LSASS) [DOMAIN ONLY]
5) Group Policy (NP) [DOMAIN ONLY]
6) Group Policy (TCP) [DOMAIN ONLY]
7) IGMP
8) IPHTTPS (TCP)
9) IPv6
10) Multicast Listener Done (ICMPv6)
11) Multicast Listener Query (ICMPv6)
12) Multicast Listener Report (ICMPv6)
13) Multicast Listener Report v2 (ICMPv6)
14) Neighbor Discovery Advertisement (ICMPv6)
15) Neighbor Discovery Solicitation (ICMPv6)
16) Packet Too Big (ICMPv6)
17) Parameter Problem (ICMPv6)
18) Router Advertisement (ICMPv6)
19) Router Solicitation (ICMPv6)
20) Teredo (UDP)
21) Time Exceeded (ICMPv6)



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Wow. Nobody knows anything about this? Nobody knows if I can disable the IPv6 stuff if I am behind a typical home router?



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9

1 recommendation

reply to Sentinel

If your ISP does not support IPv6 then there can be no IPv6 traffic. Does not matter if you enable it or not.

If you do not want to use it go to network properties and uncheck support for IPv6.

/tom


supergeeky

join:2003-05-09
United State
kudos:3
reply to Sentinel

I agree with tschmidt, if your ISP does not offer an IPv6 address, you won't be seeing any IPv6 traffic - that however doesn't mean they won't enable it in the future. I feel just un-checking IPv6 under the NIC properties is not enough, Windows is still using it...

There are several registry keys to really disable it: »support.microsoft.com/kb/929852

I often use the 0xffffffff approach



Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to tschmidt

Hang on here. I am not getting something. Please explain to me why it matters if my ISP uses IPv6 or not when I am on a home LAN behind a router? Doesn't that mean that all the traffic (IPv6 or not) stops at my router and gets turned into IPv4 traffic if that is all my home router can handle on the LAN side?

I was thinking that if I never plug this PC directly into the internet (in other words I never plug it directly into my ISP modem with no router and thus get an IP address from the ISP) then it will never utilize or need any IPv6 support because my router (on the LAN side at least) is only doing things via IPv4. The traffic on my LAN is all IPv4 right?
My thought was that I would only need IPv6 support if I plugged this PC directly into the ISP's modem.


supergeeky

join:2003-05-09
United State
kudos:3
reply to Sentinel

I doubt very much your hardware router does IPv4 to IPv6 translation.

If your ISP does not give you an IPv4 and an IPv6 address, then your hardware router is not routing IPv6 packets, and thus IPv6 will never touch your machine from the Internet. The only time any of the IPv6 rules in the Windows firewall would get used is if you had other IPv6 clients on the LAN.

Chances are your hardware router doesn't even support IPv6... what model is it?

You might like this article which explains how the two might co-exist: »www.zdnet.com/blog/networking/fi···xist/244



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
reply to Sentinel

IPv4 and IPv6 are incompatible with each other. There are several translation methods but it varies by ISP.

If your ISP does not support IPv6 it does not make any sense to use it locally (with some exceptions) since you will not be able to connect to IPv6 sites on the Internet.

As supergeeky posted, it is unlikely that your router even supports IPv6. Support for IPv6 for home LANs is still pretty early and, judging by the compatibility testing done at UNH, implementations are not very good.

If you want to play with IPv6 check to see if your ISP supports it. If they support it find out how, there are different ways for ISP to support IPv4 and IPv6.

/tom



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

No no. Don't get me wrong. I don't necessarily want anything to do with IPv6. My point is that if my router does not support or do anything with IPv6 and my entire LAN (all my PCs and stuff) is behind that router, then I don't need any of those firewall rules that are directly related to IPv6 stuff so therefore I can safely disable those rules without any fear of hurting anything.

Am I right here?

PS:
The IP address that my modem gets from my ISP does not appear to be IPv6. It looks like an old-fashioned xxx.xxx.xxx.xxx type IP address so I think that my ISP supports any IPv6 stuff either. This, I would think, would strengthen the argument FOR disabling all the firewall rules that deal with IPv6 as they are likely not needed and won't do anything anyways.



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9

1 edit

If IPv6 is not supported then IPv6 firewall rules are irrelevant.

To utilize IPv6 it must be supported by your ISP and router. So just because your router only has an IPv4 address does not necessarily mean your ISP does not support IPv6.

/Tom



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

said by tschmidt:

If IPv6 is not supported then IPv6 firewall rules are irrelevant.

I understand. Thank you for that info, but I am speaking not of a "networking" point of view but from a security perspective. I am trying to remove or disable any rules that are not needed in order to tighten up the firewall. So if those rules are not needed I would prefer to disable them.

said by tschmidt:

To utilize IPv6 it must be supported by your ISP and router. So just because your router only has an IPv4 address does not necessarily mean your ISP does not support IPv6.

So then I have 2 related questions if you don't mind:
1. How do I tell if my ISP uses IPv6?
2. Whether they do or not, isn't it irrelevant if my router does not handle it, and thus all the PCs behind it don't need it either?


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9

said by Sentinel:

I am speaking not of a "networking" point of view but from a security perspective.

Perhaps I don't understand your question. If it is not being used then it doesn't matter. I don't know how else to explain it.

said by Sentinel:

1. How do I tell if my ISP uses IPv6?

Ask them.

said by Sentinel:

2. Whether they do or not, isn't it irrelevant if my router does not handle it, and thus all the PCs behind it don't need it either?

If you want to use IPv6 then your router must understand the protocol. Assuming your ISP supports IPv6 then the router needs to support IPv6 and so do the PCs on your LAN if you want to connect to IPv6 hosts on the Internet.

In a mixed IPv4/IPv6 environment there are different ways for the ISP to support IPv4 as they roll out IPv6. Remember the reason IPv6 has become so important is that we have used up all the IPv4 addresses. New users are not going to get public IPv4 addresses, they are all gone, they are going to get private addresses from their ISP and the ISP will use NAT to map to routable address. Similar to how home networks are set up today but on a much larger scale.

/tom

supergeeky

join:2003-05-09
United State
kudos:3

1 recommendation

reply to Sentinel

Think of it like this...

- since your ISP is not giving you an IPv6 address
- and your router doesn't handle IPv6
- then your Windows box cannot talk to the Internet using IPv6

therefore, the only time the IPv6 rules will ever get utilized is if another IPv6 machine possibly comes on the LAN

so, since you don't need IPv6 for anything, I'd disable it per the link above, and thus it's also safe to delete all the Windows firewall IPv6 based rules.



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

That's what I figured and wanted to hear. Thank you.

It's not that if they are not in use then they will not be used. It's that if they are not being used then I would rather shut them down so that a nefarious person can not use them to perpetrate a malicious act. From a security perspective you want the fewest rules possible that still allow the connectivity that you need.

I just wanted to make sure that disabling these rules would not hurt anything in my setup that is essential for proper operation.



dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to supergeeky

said by supergeeky:

Think of it like this...

- since your ISP is not giving you an IPv6 address
- and your router doesn't handle IPv6
- then your Windows box cannot talk to the Internet using IPv6

therefore, the only time the IPv6 rules will ever get utilized is if another IPv6 machine possibly comes on the LAN

so, since you don't need IPv6 for anything, I'd disable it per the link above, and thus it's also safe to delete all the Windows firewall IPv6 based rules.

IPv6 tunnels are enabled by default on several versions of Windows.

supergeeky

join:2003-05-09
United State
kudos:3

said by supergeeky:

There are several registry keys to really disable it: »support.microsoft.com/kb/929852

I often use the 0xffffffff approach

said by dslcreature:

IPv6 tunnels are enabled by default on several versions of windows.

Which is why I said "really disable it"


Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Yes, I think what I am going to do is to remove IPv6 from the properties of the NIC first.
Then I will disable the rules in the list that I posted above that say that they are specifically for IPv6.

If I'm right this will have no effect on this PC on LAN and/or when I connect to hotel hotspots or other family members' LANs when traveling.



Sentinel
Premium
join:2001-02-07
Florida
kudos:1

Odd. It seems that you are not allowed to uninstall IPv6.
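
An added example, not posted by any participant in this thread: a PowerShell script for the audit discussed above. It lists the enabled Core Networking rules that are IPv6-specific, reports the state of the Teredo, 6to4 and ISATAP tunnels, and changes anything only when run with `-Disable`. The `-Disable` switch, the name filter, English rule names and the `DisabledComponents` registry value (the setting described in the linked KB article) are assumptions not stated in the thread.

```powershell
# Added example: report (and with -Disable, turn off) the IPv6-specific
# Core Networking rules and the IPv6 transition tunnels on Windows 7.
# Run elevated. Assumes English rule names ("Core Networking - ...").
param([switch]$Disable)            # assumed switch name; default is report only

$ipv6Protocols = @{ 41 = 'IPv6 encapsulation'; 58 = 'ICMPv6' }
$ipv6NamePattern = 'Teredo|IPHTTPS|DHCPV6|IPv6'   # IPv6-only rules carried over TCP/UDP
$tunnels = 'teredo', '6to4', 'isatap'

# HNetCfg.FwPolicy2 is the firewall COM API; it works where the
# NetSecurity cmdlets (Windows 8 and later) are not available.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$targets = @($policy.Rules | Where-Object {
    $_.Name -like 'Core Networking*' -and $_.Enabled -and
    ($ipv6Protocols.ContainsKey([int]$_.Protocol) -or $_.Name -match $ipv6NamePattern)
})

$targets | Sort-Object Direction, Name | Format-Table -AutoSize Name,
    @{ Label = 'Dir';   Expression = { if ($_.Direction -eq 1) { 'In' } else { 'Out' } } },
    @{ Label = 'Proto'; Expression = { $_.Protocol } },
    EdgeTraversal

# Tunnels can carry IPv6 across an IPv4-only router, so check them too.
foreach ($t in $tunnels) { netsh interface $t show state }

# Value documented in the KB article linked in the thread; absent means default.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledComponents
if ($dc -eq $null) { 'DisabledComponents: not set' } else { 'DisabledComponents: 0x{0:x}' -f $dc }

if ($Disable) {
    foreach ($rule in $targets) { $rule.Enabled = $false }   # applies immediately
    foreach ($t in $tunnels) { netsh interface $t set state disabled }
    '{0} rule(s) disabled; re-enable in wf.msc if connectivity breaks.' -f $targets.Count
}
```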