dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
59

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer to voiptalk

Premium Member

to voiptalk

Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com ··· tcptest/

I had noticed some problems with the 2.10 IPv6 firewall too (including that the manual firewall rules don't seem to work as expected). I tried loading the older 2.07 firmware to see if its IPv6 firewall worked properly, but that required a factory default reset, and manually reentering the router config (a PITA since the 2.07 firmware's "reboot later" function did not seem to work properly), so I aborted that and went back to firmware version 2.10 (I started out at firmware release 2.10 because I followed Comcast's advice and did the automatic firmware update from the factory delivered version 2.00 before I configured it the first time). I had already disabled the DIR655 IPv6 firewall (at least until the next firmware release), and my own PEN testing (from outside my LAN) showed that my local firewall rules seem to be blocking all IPv6 inbound traffic except for the services that I have explicitly allowed.

And thanks for that external scan site; I will be putting that in my bookmarks for future use. That test did in fact find an open service that I had overlooked for one PC, and I have now fixed that (it was a service that required authentication, and also logged access attempts, so it was not a big risk, but I had not intended to leave it open to anything other than LAN/VPN access).

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

NetFixer

Premium Member

said by graysonf:

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

Thanks, I just tried it and (as expected) the only open services are the ones that I have explicitly left exposed.

That site likes to live dangerously by allowing outsiders to scan other sites from their server.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Well, like I said, very flexible

I didn't actually try it with IPs that were not mine. I limited it to my router and the machines connected to it.