CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Results 1 to 4 of 4

Thread: How to block IPv6 traffic through the firewall?

  1. #1
    Join Date
    2006-05-24
    Posts
    42
    Rep Power
    0

    Default How to block IPv6 traffic through the firewall?

    I see IPv6 traffic passing through our firewalls from our internal hosts. My PC is doing that also for some reason and I tried to turn IPv6 off but it stills sends out IPv6 traffic to the internet. How can I deny IPv6 traffic through the firewall? Plus how can I determine if any IPv6 traffic is being encapsulated in IPv4 packets and block that also? Any help is appreciated.

    Thanks.

  2. #2
    Join Date
    2010-11-11
    Posts
    57
    Rep Power
    9

    Default Re: How to block IPv6 traffic through the firewall?

    Quote Originally Posted by cpguy View Post
    I see IPv6 traffic passing through our firewalls from our internal hosts. My PC is doing that also for some reason and I tried to turn IPv6 off but it stills sends out IPv6 traffic to the internet. How can I deny IPv6 traffic through the firewall? Plus how can I determine if any IPv6 traffic is being encapsulated in IPv4 packets and block that also? Any help is appreciated.

    Thanks.
    Hi,
    i guess your CP firewall isn't configured for ipv6. If it is however it would route the ipv6 traffic and you could block the traffic with a rule at the gateway, otherwise the ipv6 traffic will not reach the firewall, as neighbor discovery will not work.
    My guess is, that you are seeing teredo traffic from Microsoft Windows clients that build an outbount connection to their teredo tunnel endpoints. My advise would be to block of teredo traffic in the firewall. For this to work block UDP port 3544.

    Christoph

  3. #3
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default Re: How to block IPv6 traffic through the firewall?

    why do you believe IPv6 is passing through your firewall?

  4. #4
    Join Date
    2009-08-07
    Posts
    9
    Rep Power
    0

    Default Re: How to block IPv6 traffic through the firewall?

    This, on the whole, is interesting. I heard that in IPv4 encapsulated IPv6 packets could reach internal systems, and the answer to that would be to block the protocol type 41 in IPv4 communication.

    Anyone's done that before? :)

    Edit: @OP: I don't see how your CP firewall should be forwarding IPv6 traffic. After all, the question you should ask when working with CP firewalls isn't "how do I keep my box from IPv6-ing?" but rather "how do I get my fw to forward IPv6?!"
    Unless one of your guys explicitly (and painfully) enabled IPv6 on your firewalls, there's no way(?) your boxes are handling IPv6 traffic. If they actually did enable IPv6, then you can also add IPv6 objects and therefore modify your rulebase accordingly.
    Last edited by Battou; 2011-09-29 at 04:30.

Similar Threads

  1. Block a client behind firewall
    By giu28 in forum Authentication
    Replies: 4
    Last Post: 2009-10-20, 10:05
  2. Allow 'ipv6-crypt-traffic' ?
    By AllanKjśr in forum Check Point UTM-1 Appliances
    Replies: 3
    Last Post: 2008-12-31, 13:15
  3. Which Rule would block this traffic?
    By scucci in forum SmartView Tracker
    Replies: 1
    Last Post: 2008-11-07, 18:17
  4. Block traffic forwarded to another proxy
    By Andronitus in forum Miscellaneous
    Replies: 2
    Last Post: 2008-04-14, 04:08
  5. Block HTTPS traffic for particular group
    By sridharraj80 in forum Check Point SecurePlatform (SPLAT)
    Replies: 5
    Last Post: 2007-02-13, 05:06

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •