nanog mailing list archives

Re: NAT firewall for IPv6?


From: Lee <ler762 () gmail com>
Date: Tue, 5 Jul 2016 13:31:48 -0400

On 7/5/16, Naslund, Steve <SNaslund () medline com> wrote:
> Did you get the impression that this person asking for help was going to be
> able to set that up?

Yes, I think the OP could create & apply the ACL.  Which is why I said
it could break their network & suggested they get Cisco tech support
on the phone to figure out how to safely turn off IPv6.

I'm also giving them the benefit of the doubt that IPv6 really is the
malware infection vector.

> I didn't (if he was he would probably already know
> what an ACL is).  I do not know if the Catalyst he is looking at is his or
> his service provider's edge device (or maybe the consultants didn't give
> them access to that either).  I don't know that that Catalyst is the primary
> router for their network (could be an L2 switch behind the firewall).  I
> also doubt the problem stems from IPv6 as much as it comes from having an
> out-of-control firewall.  Given what I am hearing about this network I am
> kind of doubting that it is really IPv6 enabled in any case, so your fix
> prevents IPv6 traffic that is probably not even being routed in the first
> place.  In my opinion, not having control of your own firewall is the five
> alarm emergency in that network right now.

Maybe I wasn't clear that the call to Cisco tech support should be a
parallel effort?

> If the network is IPv6 enabled, blocking all IPv6 traffic at that router is
> probably not a good idea without knowing more.

Which is why I suggested getting Cisco tech support involved.  A
mailing list is not where they should be going for help right now.

Best Regards,
Lee


> ...  If it is not IPv6 enabled
> then it will have no effect on the reported issue (malware).
>
> Steven Naslund
> Chicago IL


> Right.  But how long is it going to take to secure the Palo Alto firewall?
> If the central Cisco Catalyst really is an IPv6 router, doing a
>
>   conf t
>   ipv6 access-list denyIPv6
>    deny ipv6 any any
>
>   interface [whatever connects to the ISP]
>    ipv6 traffic-filter denyIPv6 in
>    ipv6 traffic-filter denyIPv6 out
>   end
>
> would be a quick fix for the firewall not doing any IPv6 filtering.
> It could also break IPv6-enabled web sites or even internal connectivity,
> so it'd be better to get someone on the phone w/ Cisco tech support and
> have Cisco figure out the best way to block IPv6 for you.
>
> True.  But they're in "stop the bleeding" mode and disabling IPv6 is just a
> temp work-around until the firewall is fixed.
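The two open questions in the thread are whether the Catalyst is routing IPv6 at all, and what the quoted "deny ipv6 any any" filter does to the uplink if it is. The IOS CLI sequence below is an added example, not something posted by Lee or Steve: it checks the first question before touching the config, shows the filter as posted next to a variant that keeps neighbour discovery working, and verifies the result. The ACL name "denyIPv6-nd" and the interface GigabitEthernet0/1 are placeholders for whatever the real uplink is.

```cisco
! Step 1 (exec mode): is this Catalyst actually routing IPv6?  Without
! "ipv6 unicast-routing" and a global IPv6 address on some interface,
! an IPv6 traffic-filter on the uplink blocks nothing the hosts use
! (an L2 switch behind the firewall shows no IPv6 interfaces here).
show running-config | include ipv6 unicast-routing
show ipv6 interface brief
show ipv6 route
show ipv6 neighbors

! Step 2: the filter as posted in the thread.  IOS IPv6 ACLs end with
! implicit permits for neighbour solicitation/advertisement, but an
! explicit "deny ipv6 any any" is matched before them and overrides
! them, so the ISP-facing link can no longer resolve its IPv6 next hop.
configure terminal
ipv6 access-list denyIPv6
 deny ipv6 any any
end

! Step 3: same intent, but neighbour discovery on the link survives.
! "denyIPv6-nd" and GigabitEthernet0/1 are placeholders.
configure terminal
ipv6 access-list denyIPv6-nd
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any
interface GigabitEthernet0/1
 description uplink to ISP (placeholder)
 ipv6 traffic-filter denyIPv6-nd in
 ipv6 traffic-filter denyIPv6-nd out
end

! Step 4: confirm the filter is bound to the interface and, on platforms
! that keep ACL match counters, that IPv6 traffic is actually hitting it.
show ipv6 interface GigabitEthernet0/1
show ipv6 access-list denyIPv6-nd
```

If Step 1 shows no "ipv6 unicast-routing" line and no global addresses, Steve's objection holds and the ACL is a no-op; if it does show IPv6 routing, the Step 3 form is the one to apply, and `show ipv6 access-list` is where you look to see whether the "IPv6 is the infection vector" theory is producing any matches at all.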





Current thread: