Juniper Firewalls and IPv6

A little firewall

I found an interesting side-effect of the Juniper firewalls when you introduce IPv6.  In hindsight it appears perfectly reasonable but if you are not aware of it in the first place you may have a much more permissive firewall than you thought.  My setup is such that my internet address changes every time I connect to an ISP. I have services “behind” the Juniper that I want to expose onto the Internet, in this case a mailserver.

Most of the documentation states to have a reasonably open firewall rule and a nat rule.

[edit security nat]
destination {
    pool mailserver-smtp {
        address 10.1.1.1/32 port 25;
    }
}

[edit security policies]
from-zone Internet to-zone Internal {
    policy Mailserver {
        match {
            source-address any;
            destination-address any;
            application smtp;
        }
        then {
             permit;
        }
   }
}

Pretty standard stuff and its documented in plenty of places. We cannot set a destination address because its dynamic, so set it to all.  My next step was, ok my mailserver is on IPv4 and IPv6, how do I let the IPv6 connections in?

Any means ANY

That’s where I noticed I had a problem, they could already get in. In fact anyone could get to the mailserver (good) and anything else that had an open SMTP port on my network and used IPv6 (bad). It seems that any destination address means ANY IPv4 or IPv6 address.  Both myself and the writers of the documentation hadn’t initially thought of what happens when you add IPv6.

The solution is to not let any destination, but any IPv4 and the specific mailserver destination. First create an addressbook entry for the IPv6 address of the mailserver.

[edit security address-book global]
address mailserver-ipv6 2001:Db8:1111:2222::100/128;

 

then adjust the rule

[edit security policies]
from-zone Internet to-zone Internal {
    policy Mailserver {
        match {
            source-address any;
            destination-address [ any-ipv4 mailserver-ipv6];
            application smtp;
        }
        then {
             permit;
        }
   }
}

That way there is access to the mailserver using either IPv4 or IPv6.  I’m also going to try to see if I adjust the rule so the destination only includes the mailserver address (both IPv4 and IPv6) even though the IPv4 is NATed and see if that works.

 


Comments

7 responses to “Juniper Firewalls and IPv6”

Leave a Reply

Your email address will not be published. Required fields are marked *