IPv6 firewalling on Cisco IOS

In a previous post I explained how to get native IPv6 working on a Cisco 877 ADSL modem/router.

In this post I'm going to try and setup the most simple firewall for IPV6 based on the example from SIXXS. Remember, if you're going to start using IPv6 properly all your devices are reachable from the internet by default. This is usually a bad idea, so we need a firewall.

I'm going to assume you're not running any servers at home, you just want all traffic from the outside blocked. You also want traffic from your local network to be able to reach the Internet via IPv6 and receive answers back. But no more.

First we create an accesslist that blocks all unwanted traffic, but allows enough of the ICMP protocol for the Internet to function as intended. Real networks don't block all of the incoming ICMP traffic.

ipv6 access-list ipv6-internet-in
  remark Prevent spoofing
  deny ipv6 2A02:120:100F::/48 any log
  remark prevent ingress of all addresses except global unicast and multicast
  deny ipv6 ::/3 any log
  deny ipv6 8000::/2 any log
  deny ipv6 C000::/3 any log
  deny ipv6 E000::/4 any log
  deny ipv6 F000::/5 any log
  deny ipv6 F800::/6 any log
  deny ipv6 FC00::/7 any log
  deny ipv6 FE00::/8 any log
  permit icmp any any time-exceeded
  permit icmp any any packet-too-big
  permit icmp any any echo-request
  permit icmp any any echo-reply
  deny ipv6 any any log
  !

Next it's time to allow outgoing traffic to poke holes on the incoming side.

ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp

Finally we bind all that to the Dialer0 interface we used in the previous post and have a functioning firewall.

interface Dialer0
  ipv6 traffic-filter ipv6-internet-in in
  ipv6 inspect cbac-ipv6 out

Don't forget to block IPv6 access to the console on your router!

ipv6 access-list ipv6-ssh-lockdown
  deny ipv6 any any log

line vty 0 4
  ipv6 access-class ipv6-ssh-lockdown in

And that's it! Finding an example that is as basic as this took me quite a while. With some stops and starts and some IPv6-less days of working without me noticing. If you want to run a webserver or mail server or something else on IPv6, you need to add the appropriate lines in the "ipv6-internet-in" ipv6 accesslist. I'm leaving how to do that as an exercise for the reader ;-)