I tried out Hurricane Electric's IPV6 port scan on my side of the tunnel and here were the results:
Starting Nmap 5.00 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2014-03-28 19:06 PDT
Interesting ports on
(2001:XX:XX:XX::XX):
Not shown: 987 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
465/tcp open smtps
587/tcp open submission
4444/tcp filtered krb524
5432/tcp open postgresql
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
7000/tcp filtered afs3-fileserver
8080/tcp open http-proxy
9999/tcp filtered abyss
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
I then went to the Internet and tried scanning from another IPV6 site thinking that I might get different results. That was not the case.
I then set up firewall rules to explicitly blocked IPV6 traffic to that tunnel address (taking into account that certain ICMP functionality was necessary) and unfortunately that didn't change the results.
I tried looking through the iptables rulesets to see where such protection should go to offer assistance but I ran out of time. To me this is a bug unless someone can convince me to the contrary. It seems that all of the ASG's services should be blocked by default from the Internet in some way.
Guest User!
You are not Sophos Staff.
