Firmware version: 9.310-11
I set up an IPv6 tunnel to SixXS recently, as I was keen to play more with IPv6. The tunnel has come up fine, and I have set up prefix advertisements (I get a routed subnet too). All my clients have a live IP and can ping out quite happily; I have an Inside -> Outside allow rule in the firewall to allow this.
However, I have a VPS (IPv6 capable) from which I've been doing some port scans back at my network to check things are good. If I scan my client IP, nmap returns nothing; a ping fails similarly. This is what I'd expect, as there are no incoming rules to allow such traffic, and the log concurs as it shows drops for the ICMPv6 packets.
I noticed that the reported IP on the internet is that of the tunnel as I've enabled transparent web scanning, so of course it is originating traffic from the UTM's IP. I duly scanned that too, and it wasn't good:
me@myserver:~# nmap -F -6 aaaa:bbbb:1111:2222::2 --unprivileged
Starting Nmap 6.00 ( nmap.org ) at 2015-05-27 20:12 BST
Nmap scan report for mytunnel.sixxs.net (aaaa:bbbb:1111:2222::2)
Host is up (0.034s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
25/tcp   open     smtp
53/tcp   open     domain
465/tcp  open     smtps
587/tcp  open     submission
5432/tcp open     postgresql
8080/tcp open     http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
WebAdmin is set to only allow access from the Internal Network object. I've very few firewall rules that would allow this traffic (that I can see), and my efforts to add rules to block it have proven fruitless, as it seems packets from the tunnel are dropped into the IP stack after the firewall! I even tried this rule at the top of the list, but no difference:

I'm going to have to turn off the tunnel for now as it's a massive security hole - not for my network, but for the UTM itself!
It's entirely possible I've made some massive schoolboy error on this, but can anybody provide any words of wisdom here?
This thread was automatically locked due to age.
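The check the poster is doing by hand (scan the tunnel endpoint from outside, then eyeball the port list) is worth automating so it can be re-run after every firewall or tunnel change. The following is an added example and not code from the original post or from Sophos: it parses nmap's normal-format output, as produced by the `nmap -F -6 <addr>` command above, and reports any port that answered as open but is not on an explicit allow-list for that address. The sample report is constructed to match the scan in the post, and the allow-list (which services you intend to expose on the tunnel address) is an assumption for illustration.

```python
"""Compare an nmap normal-format report against an expected-exposure policy.

Added example, not part of the original post. Parses the text nmap prints
for `nmap -F -6 <addr>` and flags open ports that the policy does not permit.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Set


class PortResult(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# Constructed sample: the report from the post, reproduced as nmap prints it.
SAMPLE_REPORT = """\
Starting Nmap 6.00 ( nmap.org ) at 2015-05-27 20:12 BST
Nmap scan report for mytunnel.sixxs.net (aaaa:bbbb:1111:2222::2)
Host is up (0.034s latency).
Not shown: 93 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
25/tcp   open     smtp
53/tcp   open     domain
465/tcp  open     smtps
587/tcp  open     submission
5432/tcp open     postgresql
8080/tcp open     http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
"""

# Assumed policy for illustration: on the tunnel endpoint address nothing
# should answer from the internet except the services listed here.
ASSUMED_ALLOWED: Dict[str, Set[int]] = {"aaaa:bbbb:1111:2222::2": {25, 53}}

# "Nmap scan report for host (addr)" or "Nmap scan report for addr"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([^)]+)\))?")
# "22/tcp   filtered ssh"; the state may be a compound like "open|filtered"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_report(text: str) -> Dict[str, List[PortResult]]:
    """Return {address: [PortResult, ...]} for every host in the report."""
    hosts: Dict[str, List[PortResult]] = {}
    current = None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(2) or h.group(1)  # prefer the literal address
            hosts[current] = []
            continue
        p = PORT_RE.match(line)
        if p and current is not None:
            hosts[current].append(
                PortResult(int(p.group(1)), p.group(2), p.group(3), p.group(4))
            )
    return hosts


def unexpected_exposure(
    hosts: Dict[str, List[PortResult]], allowed: Dict[str, Set[int]]
) -> Dict[str, List[PortResult]]:
    """Ports that answered as open but are not permitted for that address.

    Only states beginning with "open" count as exposure: "filtered" means the
    probe was dropped (the firewall did its job), "closed" means the stack
    replied with a RST, so nothing is listening there.
    """
    findings: Dict[str, List[PortResult]] = {}
    for ip, results in hosts.items():
        permitted = allowed.get(ip, set())
        bad = [r for r in results
               if r.state.startswith("open") and r.port not in permitted]
        if bad:
            findings[ip] = bad
    return findings


if __name__ == "__main__":
    # Usage: python check_exposure.py [nmap_output.txt]; defaults to the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for ip, ports in unexpected_exposure(parse_nmap_report(report),
                                         ASSUMED_ALLOWED).items():
        for r in ports:
            print(f"{ip}: {r.port}/{r.proto} {r.state} ({r.service}) not allowed")
```

Two caveats when feeding it real scans: `-F` only probes nmap's 100 most common ports, so a clean result there says nothing about the rest of the range (re-run with `-p-` for a full check), and `--unprivileged` forces a plain TCP connect scan, which is fine for this purpose but will not show the UDP services a `-sU` scan would.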