IPv6 Firewall on CPEs - Default on or off

Tore Anderson tore at fud.no
Tue Dec 4 23:09:01 CET 2012 

* Bjørn Mork

> Tore Anderson <tore at fud.no> writes:
> 
>> The ISP I have at home, Get, gave me a CPE. A Cisco EPC3010, for what
>> it's worth. It contains no firewall, no NAT44, no "diode", no nothing.
>> Not for IPv4 nor for IPv6.
>>
>> I'm betting that most ordinary users regard it simply as an "internet
>> box". Just as the Swedish ETTH users regards their wall socket as the
>> "internet plug". If they have any expectation that their "internet box"
>> contains any firewall/NAT44/"diode" feature they're quite simply dead wrong.
> 
> This is getting a bit off topic...  But did you try running nmap both
> from inside and the outside?  I don't know what they do nowadays, but
> they did use to filter a few "Windows" port from the outside and in, and
> at least port 25/tcp from the inside and out. I assume they still do.

Yes, they do block a few specific ports. Did some (tcp-only) port scans
now, this is what shows up as filtered:

Inbound IPv4:
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Inbound IPv6:
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Outbound IPv4:
25/tcp   filtered smtp
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
646/tcp  filtered ldp
1025/tcp filtered NFS-or-IIS
2745/tcp filtered unknown
3127/tcp filtered unknown
6129/tcp filtered unknown

Outbound IPv6:
25/tcp  filtered smtp
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

That said, I believe this filtering is being done on their CMTSes. It's
certainly not in the CPE. So again, CPE or no CPE - it's irrelevant to
the IPv6 firewalling discussion, really.

> Don't know anything about user expectations (only about mine, and I have
> learned a long time ago that those do not match most users :-), but I do
> know that there are other entities expecting the 25/tcp filter.  I would
> be very surprised of that wasn't the same for IPv6.  

There were no IPv6 filters during their pilot, but it does appear that
they (mostly) replicated their existing IPv4 filters when turning on
IPv6 for everyone.

-- 
Tore Anderson

More information about the ipv6-ops mailing list