[mythtv] Proposed change to Network Communications

Stephen Worthington stephen_agent at jsw.gen.nz
Sat Mar 11 02:27:33 UTC 2017


On Fri, 10 Mar 2017 22:32:25 +0000, you wrote:

>On 11 March 2017 3:37:55 AM <mythtv at phipps-hutton.freeserve.co.uk> wrote:
>
>>
>> Quoting Peter Bennett <pgbennett at comcast.net>:
>>
>>> Yep - I realized when I bought a new router that supports IPV6 and
>>> connected it to Comcast. All of a sudden the entire world can ssh
>>> into my PC via IPV6 and there is nothing I can set in the router to
>>> prevent it. On the other hand, I have had certain IPV4 ports open
>>> for years anyway so I can access my systems when away from home.
>>>
>>
>> I don't mean to sound snarky but maybe you should have bought a router
>> that includes a firewall.
>>
>> Cheers,
>> Tim.
>>
>>
>>
>I don't want to sound snarky either, it's a genuine question, but why get a 
>router with a firewall? I'm not IPv6 yet but I am trying to get there - one 
>of my fundamental design parameters I have been working to on my network is 
>that every device handles its own firewalling.
>
>I'm still trying to get my head around why ISPs are implementing IPv6 
>firewalls and how that can work in practice.
>
>Is the theory that everything is some sort of UPnP equivalent capable?
>
>My current IPv4 ISP provider doesn't even do a full firewall, they block 
>SMTP port 25 and a couple of others with an opt in / out option but that is it.
>
>I thought it was simple - once you went IPv6 you were world accessible so 
>your individual devices better be ready. If your device can't handle IPv6 
>world access then the only option is to put it behind an IPv6 to IPv4 gateway 
>and NAT pseudo protection. Is this wrong?

Yes, that is all wrong.

Your ISP does not do firewalling for you.  Some block certain ports
such as 25 to prevent problems happening to THEM, not to you.  If one
of their customers has their SMTP server misconfigured on port 25 to
allow open relaying of emails, within a few hours it will be in use
for sending millions of spam emails.  Shortly after that, the spam
blocker sites will notice this and will start blocking the IP address,
usually by blocking the entire IP address range it is part of.  That
means that other innocent customers of the same ISP will have their
emails blocked, and if the ISP's main email servers are on the same
address range, all the emails from them will be blocked too.  This
causes your ISP huge problems, so some block port 25 to prevent this,
and just unblock it on request by a customer who needs to use it.  But
this blocking is not a firewall - all the packets on all the other
unblocked ports will be delivered to your network, and unless your
network has a firewall that prevents it, those packets will be
delivered to your devices.

It is up to you to have a firewall on your network to prevent bad
things from happening to your devices.  With IPv4, having to use NAT
to provide you with addresses for your network provides a good basic
firewall, as an otherwise unconfigured NAT router blocks all incoming
packets that are not a response to outgoing packets.  That is
sufficient firewalling for most simple home users.  You can then add
rules to a NAT firewall to allow in traffic on some specific ports and
send it to specific IPv4 addresses on your network, if you need that.
Or you can add other rules to block specific ports or addresses or
other more complicated things.  But simply having NAT between your
network and the outside world provides a very great deal of
protection.

With IPv6, you are not using NAT and do not have that same basic
firewalling unless your router has firewall rules to do it, and for
some strange reason, almost all the routers I have seen that do IPv6
do not have such rules in their factory default config.  So all
incoming packets (including those not as a response to outgoing
packets) are allowed through to all the devices on your network, which
would then need to do their own security.  This is bad - there are
lots of problems with various devices and software that allow hackers
to do bad things, such as installing ransomware on your Windows PCs
or making your TV spy on you with its microphone.  The same buggy or
broken software on your devices that allows hackers to attack them
will likely in an IPv6 enabled situation just be sitting there
completely open to attack.  And some software is very vulnerable
simply by the way it works.  The classic example with MythTV is
MythWeb, which would allow a malicious person with access to delete
all your recordings and recording rules, for example.  And there are
scans that are used for finding open devices and ports that will do
bad things to MythWeb by just scanning it, without any malicious
intent.

The rules for an IPv6 firewall that works similarly to what using NAT
on IPv4 does are quite simple.  On my Linux based Ubiquiti Edgerouter
Lite, you need three rules.  Here they are:

set firewall ipv6-name RB-Outside-Local-v6 rule 100 action accept
set firewall ipv6-name RB-Outside-Local-v6 rule 100 state established enable
set firewall ipv6-name RB-Outside-Local-v6 rule 100 state related enable
set firewall ipv6-name RB-Outside-Local-v6 rule 200 action drop
set firewall ipv6-name RB-Outside-Local-v6 rule 200 state invalid enable
set firewall ipv6-name RB-Outside-Local-v6 rule 300 action accept
set firewall ipv6-name RB-Outside-Local-v6 rule 300 protocol icmpv6

The 100 rule allows entry of packets for established connections,
where the router has an entry in its tables showing an outgoing
connection has been made.  Also allowed are any packets related to
that connection.  The 200 rule drops all incoming packets that are
malformed or invalid.  The 300 rule allows in ICMPv6 packets.  There
are a number of ICMPv6 packets that have to be received for IPv6 to
work.  The firewall also needs to be set to the mode where it drops
all packets that do not match any rule.  Those three rules are
directly translated into rules in the underlying standard Linux
firewall software, and can be used on any modern Linux system to do
the necessary IPv6 firewalling.

Instead of having one firewall on your router, you can have protection
on each individual device, if you can do that.  But there are many
devices that you cannot put a firewall on and that do not have any
protection, such as TVs or WiFi controlled light bulbs, so normally it
is simply not possible to protect everything individually.  And it is
a huge amount of work to use individual firewalls on each device,
rather than one firewall on your router.
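The three EdgeRouter rules quoted in the message, plus the "drop everything that matches no rule" default, written out as the equivalent ruleset for a plain Linux host. This is an added example, not part of the mailing-list post and not taken from MythTV or EdgeOS; it assumes nftables (nft) is the firewall front end on the host, that the host is an end device so only the input hook is filtered (a router would repeat the same rules on the forward hook), and it adds one host-only line, accepting loopback traffic, which the router configuration does not need. The table name basic_v6 and the file path in the comment are chosen for the example.

```shell
#!/bin/sh
# Added example: the EdgeOS rules 100/200/300 plus default-action drop as an
# nftables ruleset for a single Linux host.  Assumptions: nft is available on
# the host, only the input hook is filtered (end device, not a router), and
# loopback must be accepted explicitly.  Table name "basic_v6" is ours.
set -eu

# Print the ruleset.  It is plain data: inspect it, then load it with
#   nft -f /etc/nftables.d/ipv6-basic.nft        (assumed path)
# To reload after editing, delete the table first (nft delete table ip6 basic_v6),
# otherwise nft -f appends a second copy of each rule to the existing chain.
ipv6_basic_ruleset() {
cat <<'EOF'
table ip6 basic_v6 {
    chain input {
        # default-action drop: anything not matched below is discarded
        type filter hook input priority 0; policy drop;

        # host-only: a router does not need this, but a host talking to
        # itself over ::1 would otherwise have its first packet dropped as "new"
        iif "lo" accept

        # rule 100: replies to connections this host opened, plus packets the
        # conntrack engine ties to them (e.g. ICMPv6 errors for that flow)
        ct state established,related accept

        # rule 200: malformed or out-of-state packets
        ct state invalid drop

        # rule 300: ICMPv6 is required for IPv6 to work (neighbour discovery,
        # router advertisements, path MTU discovery)
        meta l4proto ipv6-icmp accept
    }
}
EOF
}

# Write the ruleset to the file given as $1 without loading it.
ipv6_basic_write() {
    ipv6_basic_ruleset > "$1"
}

# Ask nft to parse the file as a dry run (-c) without changing the kernel.
# Needs nft installed and, on most systems, root; returns non-zero on a
# syntax error or when nft is missing.
ipv6_basic_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    nft -c -f "$1"
}

# Self-check: count the lines carrying the three EdgeOS actions (expected 3).
ipv6_basic_rule_count() {
    ipv6_basic_ruleset | grep -cE 'ct state (established,related accept|invalid drop)|ipv6-icmp accept'
}

# Usage when run directly (the functions above are what a script would source):
if [ "${1:-}" = "--write" ] && [ -n "${2:-}" ]; then
    ipv6_basic_write "$2"
    echo "wrote $2 ($(ipv6_basic_rule_count) stateful/ICMPv6 rules)"
fi
```

Accepting all of ICMPv6, as rule 300 and this ruleset do, is the simple approach the message describes; it also lets in echo requests and other informational types, which most people are happy with. Anyone who wants to be stricter can replace the `meta l4proto ipv6-icmp accept` line with an `icmpv6 type { ... }` set listing only the neighbour discovery, router advertisement, packet-too-big and related types, but the set must be complete or IPv6 stops working, which is why the blanket accept is the safer starting point.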


More information about the mythtv-dev mailing list