Setup:
Version 9.260-8
From the IPv6 section, IPv6 is enabled, IPv6 comes in on eth3, two prefix advertisements setup for two different internal interfaces (eth2, eth0), auto renumbering turned on
From the interfaces section, eth3 is setup for DHCP (gets an IPv6 & IPv4 address), IPv6 Default Gateway checkbox enabled, eth2 (DMZ) static IP with an IPv6 /64 and an IPv4 /24 subnets assigned, eth0 (Internal) static IP with an IPv6 /64 and an IPv4 /24 subnets assigned, eth1 (WAN) is setup with static IPv4 external addresses, no IPv6, and has the IPv4 Default Gateway selected
Issue:
After a reboot, all internal hosts have access to the internet via IPv6. However, for inbound IPv6, all hosts are accessible from the internet and firewall rules are ineffective.
When looking at the IPv6 section, the "Connectivity" info shows "None". Taking a look at eth3 has the IPv6 Default GW box NOT selected. After selecting the IPv6 Default GW box, "Connectivity" info is now populated with the Native IPv6 address, subnet, and delegated prefix. Firewall rules work as expected and internal hosts are no longer accessible unloess allowed by a firewall rule.
This is a MAJOR security bug for IPv6 and and needs to either be fixed immediately or be relayed to all users using your product.
This check was prompted by the same diappearing default gw issue in 9.2 that I reported on the forums, and tried to report to support, that no one seemed to care about. I cannot confirm at this time that there is the same issue with the bypassing of the firewall rules before re-enabling the IPv6 default GW box on version 9.2. I will reload that version and post back.
Guest User!
You are not Sophos Staff.
