No firewall for IPv6

cmatsuoka
Posts: 5
Joined: Sat Jun 13, 2020 10:45 pm

No firewall for IPv6

Post by cmatsuoka »

Hi,

I have a bunch of services running on my AS6302T with ADM 3.5.0.R5D3 and I'm running into problems trying to keep most of them restricted to my local network (because I don't like the idea of exposing random SMB shares to the world, for example). There's a workaround at the end for Samba if anyone has the same problem, but all other services will have to be dealt with case-by-case. The workaround is fragile and can be overwritten when other configurations are changed, so if anyone has a better solution for this I'd be very happy to adopt it (and in the meantime I'll ask Asustor to see if they can implement full IPv6 netfilter support in ADM).

I investigated ADM Defender first, and created a test rule to block access to a TCP port. Testing it from a remote host looks ok in IPv4:

$ nmap -sT -p 139 <IPv4 address>
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 15:53 -03
Nmap scan report for <hostname> (<IPv4 address>)
Host is up (0.00040s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
MAC Address: <mac address> (Asustek Computer)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

However, if I try to access the same service using IPv6, I get:

$ nmap -6 -sT -p 139 <IPv6 address> 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 16:14 -03
Nmap scan report for <IPv6 address>
Host is up (0.00051s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

which isn't very helpful. ADM Defender wouldn't help me much here, so I tried to use ip6tables directly. There was no ip6tables, so I installed one from entware and loaded the ip6_tables module. In the end, it seems that the ADM kernel doesn't have full ip6tables support:

$ sudo ip6tables -L
ip6tables v1.4.21: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
$ find /lib/modules -name "ip6*"
/lib/modules/4.14.x/ip6_tables.ko
/lib/modules/4.14.x/ip6_udp_tunnel.ko
/lib/modules/4.14.x/ip6table_mangle.ko

So it seems to me that you can't really filter anything on IPv6, which is a bit worrying given that many providers are using it around the world.

My workaround for Samba: edit /usr/builtin/etc/samba/smb.conf and add "hosts allow = x.y.z." in the [Global] section (see the smb.conf(5) man page for the exact syntax). Then, if you try to connect from outside the specified network, you get something like:

$ smbclient -L <IPv6 address>
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
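An added example, not part of cmatsuoka's post: a small sh script that makes the findings above checkable on the NAS itself, without nmap. It looks for ip6table_filter.ko under the module directory, checks whether the kernel has registered an IPv6 'filter' table at all, and lists which TCP ports are listening over IPv6 and whether they are bound to :: (every address) or to one specific address. The module path /lib/modules/4.14.x is taken from the find output above; the /proc paths can be overridden so the parsing can be exercised on copied files.

```shell
#!/bin/sh
# Added example, not from the original post.
#   ip6_filter_available [MODDIR]  - is ip6table_filter.ko present? The listing
#                                    in the post has only ip6_tables and
#                                    ip6table_mangle, so on that ADM build
#                                    this fails.
#   ip6_filter_registered [FILE]   - has the kernel registered an IPv6 'filter'
#                                    table? (FILE defaults to
#                                    /proc/net/ip6_tables_names)
#   v6_listeners [FILE]            - TCP ports in LISTEN state over IPv6, with
#                                    'any' if bound to :: and 'specific' if
#                                    bound to one address (FILE defaults to
#                                    /proc/net/tcp6)
# The default module directory is an assumption taken from the post's output.

ip6_filter_available() {
    moddir="${1:-/lib/modules/$(uname -r)}"
    [ -n "$(find "$moddir" -name 'ip6table_filter.ko' 2>/dev/null)" ]
}

ip6_filter_registered() {
    names="${1:-/proc/net/ip6_tables_names}"
    [ -r "$names" ] && grep -qx filter "$names"
}

# /proc/net/tcp6 columns: sl local_address remote_address st ...
# local_address is 32 hex digits (address) ':' 4 hex digits (port);
# st 0A is TCP_LISTEN; an all-zero address means the socket is bound to ::.
v6_listeners() {
    file="${1:-/proc/net/tcp6}"
    tail -n +2 "$file" | while read -r _sl laddr _raddr st _rest; do
        [ "$st" = "0A" ] || continue
        addr="${laddr%:*}"
        port=$((0x${laddr##*:}))
        if [ "$addr" = "00000000000000000000000000000000" ]; then
            echo "$port any"
        else
            echo "$port specific"
        fi
    done
}

# Run as 'sh ipv6_audit.sh --report' on the NAS for a live summary.
if [ "${1:-}" = "--report" ]; then
    if ip6_filter_available; then echo "ip6table_filter.ko: present"; else echo "ip6table_filter.ko: MISSING"; fi
    if ip6_filter_registered; then echo "IPv6 filter table: registered"; else echo "IPv6 filter table: not registered"; fi
    echo "IPv6 TCP listeners (port scope):"
    v6_listeners
fi
```

On the box in the thread the first two checks fail, and every port the third one reports as 'any' is reachable from the IPv6 side regardless of what ADM Defender shows; the smb.conf "hosts allow" workaround narrows one service, this shows what the kernel is (not) doing for all of them.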
Simonix
Posts: 12
Joined: Sat May 16, 2020 5:16 am

Re: No firewall for IPv6

Post by Simonix »

Maybe you can restrict access from the internet on your router rather than the NAS itself? I understand this is more of a workaround though.

Once again an example of not well thought through design from Asustor. Just like the 'half' btrfs implementation.
father.mande
Posts: 1819
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: No firewall for IPv6

Post by father.mande »

Hi,

I think you don't have ip6table_filter.ko ... and perhaps some others (depends on usage)

If you can't get it or generate it, AND if your kernel is 4.14.x ... and if it's not urgent ... I can try to compile the modules for you ... BUT I suppose you can do it yourself.

Philippe.
Last edited by father.mande on Mon Jun 22, 2020 9:55 pm, edited 1 time in total.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
father.mande
Posts: 1819
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: No firewall for IPv6

Post by father.mande »

Hi,

OK ... I found 10 minutes ...
Please find attached a tar gzip of a large part of the external modules for IPv6 (including the netfilter group) ... I didn't sort it and assume you know what you're doing when using it.
Don't forget to use modinfo to get the dependencies ... to load the modules in the right order.
Untar (tar xzf file_name) this in a share, then use insmod ...
ipv6_modules.tgz
Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
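As an added example (not Philippe's script and not part of ipv6_modules.tgz), the "modinfo for the dependencies, then insmod in the right order" step written out as POSIX sh functions: each module's 'depends:' field is resolved recursively, the chain is loaded leaf first, and anything the kernel already provides is skipped. MODDIR is an assumed path for wherever the archive was untarred.

```shell
#!/bin/sh
# Added example, not from the thread. Loads an out-of-tree .ko with its
# dependencies in the right order, using modinfo exactly as suggested above.
# MODDIR is an assumption: the share where ipv6_modules.tgz was untarred.

MODDIR="${MODDIR:-/volume1/ipv6_modules}"

# Dependency list of one module, comma separated as modinfo prints it.
# Kept as its own function so it can be swapped out when there is no .ko
# to ask (tests, or inspecting a dump on another machine).
mod_depends() {
    modinfo -F depends "$MODDIR/$1.ko" 2>/dev/null
}

# Print the load order for MODULE and all of its dependencies, leaf first,
# each name once. _SEEN is a space separated list of names already emitted.
_SEEN=""
load_order() {
    local mod deps d
    mod="$1"
    case " $_SEEN " in *" $mod "*) return 0 ;; esac
    _SEEN="$_SEEN $mod"
    deps=$(mod_depends "$mod" | tr ',' ' ')
    for d in $deps; do
        load_order "$d"
    done
    echo "$mod"
}

# True if the kernel already provides MODULE (loaded, or built in and
# visible under /sys/module); such modules have no .ko to insmod.
in_kernel() {
    grep -q "^$1 " /proc/modules 2>/dev/null || [ -d "/sys/module/$1" ]
}

# Load MODULE with its dependencies; stops at the first insmod failure so a
# vermagic or unresolved-symbol error is not hidden behind later ones.
load_with_deps() {
    local m
    _SEEN=""
    for m in $(load_order "$1"); do
        if in_kernel "$m"; then
            continue
        fi
        if [ ! -f "$MODDIR/$m.ko" ]; then
            echo "missing $MODDIR/$m.ko" >&2
            return 1
        fi
        insmod "$MODDIR/$m.ko" || return 1
    done
}

# Typical use on the NAS, as root:
#   MODDIR=/volume1/ipv6_modules sh load_ipv6_modules.sh ip6table_filter
if [ -n "${1:-}" ]; then
    load_with_deps "$1"
fi
```

After a successful run, ip6tables -L should stop complaining that the filter table does not exist; note that insmod does not survive a reboot, so the same loader has to be run again at boot.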
cmatsuoka
Posts: 5
Joined: Sat Jun 13, 2020 10:45 pm

Re: No firewall for IPv6

Post by cmatsuoka »

Simonix wrote:Maybe you can restrict access from the internet on your router rather than the NAS itself? I understand this is more of a workaround though.

Once again an example of not well thought through design from Asustor. Just like the 'half' btrfs implementation.
I'm considering the option of using a Unifi Security Gateway before my switch to have complete control of IPv6 access to my network. The ISP-provided ONT doesn't give me any IPv6 filtering options that make sense, and I don't want to block access completely because I still want to access ssh and a few other ports from the outside.

Many ISPs are using IPv6, so there's hope that future versions of ADM could implement it a little better. (Support for LVM would be great too, so one could create LVs for shares and restrict their maximum size, or use LVM-based snapshots.)
cmatsuoka
Posts: 5
Joined: Sat Jun 13, 2020 10:45 pm

Re: No firewall for IPv6

Post by cmatsuoka »

father.mande wrote: OK ... I found 10 minutes ...
Please find attached a tar gzip of a large part of the external modules for IPv6 (including the netfilter group) ... I didn't sort it and assume you know what you're doing when using it.
Don't forget to use modinfo to get the dependencies ... to load the modules in the right order.
Untar (tar xzf file_name) this in a share, then use insmod ...
Oh, that's unexpected good news! I was in the process of figuring out the correct kernel and symbol versions to build the modules myself but that saves a lot of work, thank you!

By the way, is the "4.14.x" source tree publicly available? I don't know if it's mostly upstream or if it contains patches from Asustor, or what actual 4.14 series kernel it's based on.
father.mande
Posts: 1819
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: No firewall for IPv6

Post by father.mande »

Hi,
cmatsuoka wrote: Oh, that's unexpected good news! I was in the process of figuring out the correct kernel and symbol versions to build the modules myself but that saves a lot of work, thank you!
By the way, is the "4.14.x" source tree publicly available? I don't know if it's mostly upstream or if it contains patches from Asustor, or what actual 4.14 series kernel it's based on.
Any 4.14.nnn can be used ... for my own it's 4.14.149
... the only patch to do is ... as you like:
Choice 1: ... create a fake uname that returns 4.14.149 for uname -r and launches the normal uname in the other cases (8 lines of shell script).
Choice 2: ... patch the Makefile (3 patches) to change (AND ACCEPT) .x (a malformed kernel sublevel, non-numeric like .x) even though the source is made for the .149 version.

... the uname solution is temporary, while changing the Makefile is permanent ... but the uname is also a solution for system tools (e.g. strace) that don't support a malformed (non-numeric) kernel version like 4.14.x

Always better for you to have your own solution and build everything yourself; just know that I have built more than 900 modules (including the same ones as Asustor), so if you want some more before you are ready to generate them yourself, ask me ... I have not tested all of them ... just some I use ...

Philippe.
NB: I used a simple chroot directly on my Asustor ... to generate the modules ...
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
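An added example, not Philippe's 8-line script: Choice 1 written out as a uname wrapper, together with the check for the "malformed sublevel" it works around. REAL_UNAME, FAKE_RELEASE and the advice to put it on PATH only inside the build chroot are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Choice 1 from the post: a 'uname'
# wrapper that reports a numeric release to tools that cannot parse "4.14.x".
# REAL_UNAME and FAKE_RELEASE are assumptions; install it as 'uname' at the
# front of PATH inside the build chroot only, never system-wide.

REAL_UNAME="${REAL_UNAME:-/bin/uname}"
FAKE_RELEASE="${FAKE_RELEASE:-4.14.149}"

# True when RELEASE looks like MAJOR.MINOR.SUBLEVEL with a numeric sublevel,
# optionally followed by a -suffix; this is the test that "4.14.x" fails and
# that trips tools such as strace.
sublevel_is_numeric() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-|$)'
}

# uname replacement: fake only the outputs that carry the release string.
fake_uname() {
    case "$#:$1" in
        1:-r)
            echo "$FAKE_RELEASE"
            return 0 ;;
        1:-a)
            # -a embeds the release; substitute it in place
            real_rel=$("$REAL_UNAME" -r)
            "$REAL_UNAME" -a | sed "s|$real_rel|$FAKE_RELEASE|"
            return 0 ;;
    esac
    "$REAL_UNAME" "$@"     # everything else (-s, -m, -n, ...) is untouched
}

# When installed under the name 'uname', behave as the wrapper; when sourced
# or run under another name, only define the functions.
case "$0" in
    */uname|uname) fake_uname "$@"; exit $? ;;
esac
```

Check the need first with sublevel_is_numeric "$(uname -r)": on the ADM kernel it fails, on a stock distribution kernel it passes and the wrapper is unnecessary. Because only -r and -a are rewritten, anything reading the release from /proc/sys/kernel/osrelease directly still sees 4.14.x, which is the case where Philippe's Choice 2 (the Makefile patch) is the lasting fix.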