The long-awaited pfSense 2.1, one of my favourite open-source firewalls, was released on 15 September 2013. Apart from the various other improvements and new features it offers (see http://blog.pfsense.org/?p=712 for more details), pfSense 2.1, based on FreeBSD 8.3-RELEASE-p11, is the first stable release to support the IPv6 protocol out of the box.
After installing it, setting it up as an IPv6 firewall for testing purposes and configuring it to work properly, I checked its IPv6 security features, specifically the IPv6 firewall options available from its WebGUI. To my disappointment, the options are mainly the same as the IPv4 ones, plus a few more covering additional ICMPv6 types (e.g. Router Advertisement). However, there were no options for blocking or allowing the various IPv6 Extension Headers, such as the Fragmentation Header, the Destination Options Header, etc. These headers are new in IPv6 and, apart from the new features they introduce, they also bring several new potential attack vectors (for a discussion of such issues, please check my "Papers / Presentations" section). Hence, this lack of supported options (at least in the WebGUI) seems rather important to me from a security perspective. But let's be patient; as I said, this is just the first stable release of pfSense that supports IPv6.
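To make concrete what such a per-extension-header firewall option has to do, here is an added example (my own illustration, not pfSense or m0n0wall code) that walks the IPv6 extension-header chain of a raw packet and applies a simple "block Fragmentation / Destination Options headers" policy. The packets, addresses, option bytes and the `walk_chain`/`policy` function names are all constructed for the example; the header lengths follow RFC 2460 (Fragment header fixed at 8 octets, Hop-by-Hop/Routing/Destination Options in 8-octet units, AH in 4-octet units).

```python
"""Walk an IPv6 extension-header chain and apply a per-header allow/block policy.

Added illustration only: shows the inspection a firewall must perform to honour a rule
such as "drop packets carrying a Fragment or Destination Options header".
"""
import struct

# Protocol / extension-header numbers (IANA)
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60

# Headers whose chain we can keep walking; after ESP the rest is encrypted, so we stop.
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment", AH: "AH",
         DEST_OPTS: "Destination Options", TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6",
         ESP: "ESP", NO_NEXT: "No Next Header"}


def walk_chain(packet):
    """Return (list of extension header types, upper-layer protocol, its byte offset).

    Raises ValueError on a truncated or malformed chain so the caller can drop the
    packet instead of guessing what it carries.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    if len(packet) < 40 + payload_len:
        raise ValueError("truncated packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            hdr_len = 8                              # fixed-size header
        elif next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4   # length field in 4-octet units
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # length field in 8-octet units
        next_hdr = packet[offset]                    # first octet is the Next Header
        offset += hdr_len
        if offset > len(packet):
            raise ValueError("extension header runs past end of packet")
        if len(chain) > 8:                           # cap pathological chains
            raise ValueError("too many extension headers")
    return chain, next_hdr, offset


def policy(packet, blocked_ext_headers=frozenset({FRAGMENT, DEST_OPTS})):
    """Return ("drop", reason) or ("pass", upper-layer protocol name)."""
    try:
        chain, upper, _ = walk_chain(packet)
    except ValueError as err:
        return ("drop", "malformed: %s" % err)
    hits = [h for h in chain if h in blocked_ext_headers]
    if hits:
        return ("drop", "blocked extension header: %s" % NAMES[hits[0]])
    return ("pass", NAMES.get(upper, str(upper)))


# --- constructed sample packets (documentation prefix addresses, no real traffic) ---
def ipv6_header(next_hdr, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


def frag_header(next_hdr, offset=0, more=False, ident=0x1234):
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), ident)


def dest_opts_header(next_hdr):
    # 8-octet header: next, hdr-ext-len=0, then a PadN option (type 1, len 4, 4 zero bytes)
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


UDP_STUB = struct.pack("!HHHH", 53, 53, 8, 0)  # bare UDP header, no payload
PLAIN_UDP = ipv6_header(UDP, UDP_STUB)
FRAGMENTED_UDP = ipv6_header(FRAGMENT, frag_header(UDP, more=True) + UDP_STUB)
DSTOPT_THEN_FRAG = ipv6_header(DEST_OPTS, dest_opts_header(FRAGMENT) + frag_header(UDP) + UDP_STUB)
TRUNCATED = FRAGMENTED_UDP[:44]  # Fragment header cut in half

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_UDP), ("fragment", FRAGMENTED_UDP),
                      ("dstopt+fragment", DSTOPT_THEN_FRAG), ("truncated", TRUNCATED)]:
        print(name, policy(pkt))
```

The point of the example is that a decision like "drop anything with a Destination Options header" cannot be taken from the fixed 40-byte header alone: the filter has to follow the Next Header chain, using the right length rule for each header type, and treat a chain it cannot parse as a drop rather than a pass. That chain walk is exactly what a firewall exposes when it offers per-extension-header options in its GUI.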
On the other hand, I must admit that m0n0wall, the "big brother" of pfSense (pfSense is a fork of m0n0wall), has many more options regarding IPv6 security features. Of course, it lacks some other features, but that is another story.
I intend to run several tests against pfSense and m0n0wall regarding their IPv6 security support. So, stay tuned for the results if you are interested!