Filtering out the bad guys

Two months ago, we published Everything you need to know about IPv6, telling you the following about firewalling IPv6 in relationship to the Network Address Translation that is common in today's IPv4 home routers:

If you have a router or home gateway that supports IPv6, make sure that it, too, filters IPv6. A stateful filter that allows outgoing connections and return traffic, but not incoming connections is closest to the IPv4 NAT filtering functionality.

This is in line with the recommendations in a document that the Internet Engineering Task Force's IPv6 Operations (v6ops) working group is developing:

To implement simple security for IPv6 in, for example, a DSL- or Cable Modem-connected home network, the broadband gateway/router should be equipped with stateful firewall capabilities. These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state). There should also be an easy interface which allows users to create inbound 'pinholes' for specific purposes such as online-gaming.

Sound advice, right? Maybe.

About firewalls

First, let's review the purpose of firewalls. Although anyone who uses a computer in this day and age has some concept of what a firewall is, there are usually a lot of assumptions involved. That's a good thing, because if we were all talking about the same thing, we'd miss out on all those entertaining "which OS is more secure" discussions in the OpenForum.

The simplest form of a firewall is a packet filter. A packet filter looks at packets coming by and allows them through or not based on the content of fields in the packet headers, most notably the "protocol" field, which can be TCP, UDP, ICMP, or a lesser-known protocol.

TCP and UDP each have a source and a destination port number, and ICMP has a type and a code, allowing for finer-grained filtering. TCP also has a number of status bits that make it easy to allow only TCP sessions that are set up from the inside to the outside and not the other way around. Packet filters are useful if you know exactly what you want to let through. For instance, if you run a big DNS server, you can filter out everything except DNS-related packets.

Both routers and general purpose operating systems have implemented packet filters for some time. To accomplish more advanced filtering, routers and special-purpose firewall devices gained the capability to keep track of communication sessions started from the inside so they could allow the associated return packets through but reject everything else. These types of filters or firewalls are called stateful. Stateful filtering works much better than simply rejecting TCP packets that try to create new sessions.

On computers themselves, firewalls also became stateful, and PC-based firewalls take that notion a step further: they gained the ability to keep track of which application is trying to do what exactly over the network. Products like ZoneAlarm or Little Snitch are often called personal firewalls, and they protect as much against malicious programs on the inside that are trying to phone home as against evil packets coming in from the outside.

However, the kind of "firewall" present in most home routers doesn't fall into any of those categories. Since ISPs almost always give their customers only a single IP address, and home routers allow connecting multiple computers to the Internet, those home routers share the IP address that they obtain from the ISP with the computers on the local network using NAT. For example, the router gets address 82.192.90.30 and a computer on the local network has 10.0.0.2. When the computer requests a web page from a server, the packets will have source address 10.0.0.2, but the router translates this into 82.192.90.30. The return packets from the server go to the 82 address, but the router again translates the addresses so the packets end up at the computer holding address 10.0.0.2. But if a packet comes in addressed to the 82 address without an earlier outgoing packet, the home router doesn't know which of the internal computers should receive the packet, so none of them get it. This means that stateful-firewall-like behavior is a side effect of NAT, not a deliberate security feature.
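To make the difference between the two mechanisms concrete, here is a small simulation, added for this article and not part of the original text or of any router firmware. It models both the stateful filter described earlier (sessions opened from the inside are remembered, their return traffic and explicit pinholes are admitted, everything else is dropped, and a TCP segment without SYN cannot open a session) and the NAT side effect from the paragraph above (an inbound packet with no matching translation has no internal destination and goes nowhere). The addresses 82.192.90.30 and 10.0.0.2 come from the article; the remote addresses, the 2001:db8: prefixes, the port numbers and the choice to bind a NAT translation to the remote endpoint as well are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP: set on the segment that opens a session


class StatefulFilter:
    """IPv6-style stateful filter: no address rewriting.
    Sessions opened from inside are recorded; only their return
    traffic, or traffic to an explicit pinhole, is admitted from outside."""

    def __init__(self) -> None:
        self.sessions = set()  # (proto, inside addr, inside port, outside addr, outside port)
        self.pinholes = set()  # (proto, inside addr, inside port)

    def add_pinhole(self, proto: str, addr: str, port: int) -> None:
        self.pinholes.add((proto, addr, port))

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and not pkt.syn and key not in self.sessions:
            return False  # mid-stream TCP segment with no known session: drop
        self.sessions.add(key)
        return True

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            return True  # return traffic for a session opened from inside
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes


class Nat44:
    """Home-router NAT: rewrites inside sources to one public address.
    Inbound packets are deliverable only if a translation exists."""

    def __init__(self, public_addr: str, first_port: int = 40000) -> None:
        self.public = public_addr
        self.next_port = first_port
        self.fwd = {}  # inside 5-tuple -> public port
        self.rev = {}  # (proto, public port) -> inside 5-tuple

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[(pkt.proto, self.next_port)] = key
            self.next_port += 1
        return replace(pkt, src=self.public, sport=self.fwd[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.rev.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # no translation: no internal host to deliver to
        _, in_addr, in_port, out_addr, out_port = entry
        if (pkt.src, pkt.sport) != (out_addr, out_port):
            return None  # assumption: translation is bound to the remote endpoint too
        return replace(pkt, dst=in_addr, dport=in_port)


def demo() -> dict:
    """Runs both models on constructed packets and returns the outcomes."""
    out = {}
    nat = Nat44("82.192.90.30")
    req = nat.outbound(Packet("10.0.0.2", "198.51.100.10", "tcp", 51000, 80, syn=True))
    out["nat_src"] = (req.src, req.sport)
    back = nat.inbound(Packet("198.51.100.10", "82.192.90.30", "tcp", 80, req.sport))
    out["nat_reply_to"] = (back.dst, back.dport)
    out["nat_unsolicited"] = nat.inbound(
        Packet("203.0.113.5", "82.192.90.30", "tcp", 4444, 22, syn=True))

    fw = StatefulFilter()
    out["v6_out"] = fw.outbound(
        Packet("2001:db8:1::2", "2001:db8:2::80", "tcp", 51000, 80, syn=True))
    out["v6_reply"] = fw.inbound(
        Packet("2001:db8:2::80", "2001:db8:1::2", "tcp", 80, 51000))
    out["v6_unsolicited"] = fw.inbound(
        Packet("2001:db8::5", "2001:db8:1::2", "tcp", 4444, 22, syn=True))
    fw.add_pinhole("udp", "2001:db8:1::2", 27015)
    out["v6_pinhole"] = fw.inbound(
        Packet("2001:db8::9", "2001:db8:1::2", "udp", 5000, 27015))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both models reject the unsolicited inbound packet, but for different reasons: the stateful filter decides to drop it, while the NAT simply has nowhere to send it. The pinhole call is the programmatic equivalent of the "easy interface" the v6ops text asks for, and it shows that with IPv6 the filter has to be opened deliberately, since there is no translation table to fall back on.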

With IPv6, things change...