dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
22
share rss forum feed


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to voiptalk

Re: [IPv6] Comcast IPv6 Address Assignment/Delegation

said by voiptalk:

On that D-Link DIR-655, you may want to verify that the IPv6 firewall ("IPv6 Simple Security" enabled) is working properly in FW 2.10.

I tested that router with 2.08 Beta01 and it worked properly .. all ports were blocked on a port scan. I upgraded to 2.10 and it was no longer working. Downgraded to 2.08 Beta01 and it functioned again. So, it looks like firewall is broken.

To run an IPv6 port scan: »ipv6.chappell-family.com/ipv6tcptest/

I had noticed some problems with the 2.10 IPv6 firewall too (including that the manual firewall rules don't seem to work as expected). I tried loading the older 2.07 firmware to see if its IPv6 firewall worked properly, but that required a factory default reset, and manually reentering the router config (a PITA since the 2.07 firmware's "reboot later" function did not seem to work properly), so I aborted that and went back to firmware version 2.10 (I started out at firmware release 2.10 because I followed Comcast's advice and did the automatic firmware update from the factory delivered version 2.00 before I configured it the first time). I had already disabled the DIR655 IPv6 firewall (at least until the next firmware release), and my own PEN testing (from outside my LAN) showed that my local firewall rules seem to be blocking all IPv6 inbound traffic except for the services that I have explicitly allowed.

And thanks for that external scan site; I will be putting that in my bookmarks for future use. That test did in fact find an open service that I had overlooked for one PC, and I have now fixed that (it was a service that required authentication, and also logged access attempts, so it was not a big risk, but I had not intended to leave it open to anything other than LAN/VPN access).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by graysonf:

said by NetFixer:

And thanks for that external scan site; I will be putting that in my bookmarks for future use.

Here's another, nmap based for IPv6, very flexible, you can specify the IP to be scanned.

»nmapv6.packetsize.net/

Thanks, I just tried it and (as expected) the only open services are the ones that I have explicitly left exposed.

That site likes to live dangerously by allowing outsiders to scan other sites from their server.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Well, like I said, very flexible

I didn't actually try it with IPs that were not mine. I limited it to my router and the machines connected to it.