Is the Windows Firewall mode “Private” obsolete with IPv6 for home users?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network. The most common setup is being connected to the ISP provided router.



If the ISP provides IPv6 connectivity the connected computer will have a globally routable IPv6 address. This means that all it's ports and applications are directly exposed to the internet. With IPv4 there's usually NAT in between which acts as a firewall.



The security of this depends on what applications are running and what ports are open. In typical configurations there might be a few things accessible. At the very least there will be the Windows file sharing the RPC communication ports. These functionalities have been affected by security issues in the past.



Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.



Does this not mean that an IPv6-enabled computer must pick the Public profile because anyone (not just trusted devices) can connect?






networking ipv6 isp







share|improve this question























  • NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
    – Michael Hampton
    6 mins ago















up vote
1
down vote

favorite












Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network. The most common setup is being connected to the ISP provided router.



If the ISP provides IPv6 connectivity the connected computer will have a globally routable IPv6 address. This means that all it's ports and applications are directly exposed to the internet. With IPv4 there's usually NAT in between which acts as a firewall.



The security of this depends on what applications are running and what ports are open. In typical configurations there might be a few things accessible. At the very least there will be the Windows file sharing the RPC communication ports. These functionalities have been affected by security issues in the past.



Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.



Does this not mean that an IPv6-enabled computer must pick the Public profile because anyone (not just trusted devices) can connect?






networking ipv6 isp







share|improve this question























  • NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
    – Michael Hampton
    6 mins ago













up vote
1
down vote

favorite









up vote
1
down vote

favorite











Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network. The most common setup is being connected to the ISP provided router.



If the ISP provides IPv6 connectivity the connected computer will have a globally routable IPv6 address. This means that all it's ports and applications are directly exposed to the internet. With IPv4 there's usually NAT in between which acts as a firewall.



The security of this depends on what applications are running and what ports are open. In typical configurations there might be a few things accessible. At the very least there will be the Windows file sharing the RPC communication ports. These functionalities have been affected by security issues in the past.



Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.



Does this not mean that an IPv6-enabled computer must pick the Public profile because anyone (not just trusted devices) can connect?






networking ipv6 isp







share|improve this question















Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network. The most common setup is being connected to the ISP provided router.



If the ISP provides IPv6 connectivity the connected computer will have a globally routable IPv6 address. This means that all it's ports and applications are directly exposed to the internet. With IPv4 there's usually NAT in between which acts as a firewall.



The security of this depends on what applications are running and what ports are open. In typical configurations there might be a few things accessible. At the very least there will be the Windows file sharing the RPC communication ports. These functionalities have been affected by security issues in the past.



Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.



Does this not mean that an IPv6-enabled computer must pick the Public profile because anyone (not just trusted devices) can connect?






networking ipv6 isp




networking ipv6 isp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 3 hours ago

























asked 3 hours ago









boot4life

29148




29148











  • NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
    – Michael Hampton
    6 mins ago

















  • NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
    – Michael Hampton
    6 mins ago
















NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
– Michael Hampton
6 mins ago





NAT is not a firewall. A firewall is a firewall. Virtually all currently sold home routers which support IPv6 also firewall IPv6. That an address is routable does not mean it is reachable. Of course, many home routers have a completely garbage IPv6 firewall, such as yours. Consider replacing the firmware, if you can. Third party firmware has much better support.
– Michael Hampton
6 mins ago











1 Answer
1






active

oldest

votes

















up vote
4
down vote













No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".




Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network




The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home hetwork) will be accepted. Foreign connections remain blocked.



(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)



There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.



Which brings to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful by many advanced users (who would still be able to configure at least custom rules for different security levels).




With IPv4 there's usually NAT in between which acts as a firewall.




NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.



If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.




Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.




That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.



In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.



If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.






share|improve this answer






















  • Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
    – boot4life
    48 mins ago










  • This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
    – Michael Hampton
    3 mins ago











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "3"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1368212%2fis-the-windows-firewall-mode-private-obsolete-with-ipv6-for-home-users%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
4
down vote













No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".




Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network




The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home hetwork) will be accepted. Foreign connections remain blocked.



(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)



There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.



Which brings to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful by many advanced users (who would still be able to configure at least custom rules for different security levels).




With IPv4 there's usually NAT in between which acts as a firewall.




NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.



If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.




Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.




That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.



In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.



If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.






share|improve this answer






















  • Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
    – boot4life
    48 mins ago










  • This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
    – Michael Hampton
    3 mins ago















up vote
4
down vote













No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".




Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network




The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home hetwork) will be accepted. Foreign connections remain blocked.



(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)



There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.



Which brings to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful by many advanced users (who would still be able to configure at least custom rules for different security levels).




With IPv4 there's usually NAT in between which acts as a firewall.




NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.



If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.




Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.




That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.



In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.



If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.






share|improve this answer






















  • Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
    – boot4life
    48 mins ago










  • This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
    – Michael Hampton
    3 mins ago













up vote
4
down vote










up vote
4
down vote









No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".




Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network




The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home hetwork) will be accepted. Foreign connections remain blocked.



(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)



There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.



Which brings to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful by many advanced users (who would still be able to configure at least custom rules for different security levels).




With IPv4 there's usually NAT in between which acts as a firewall.




NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.



If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.




Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.




That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.



In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.



If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.






share|improve this answer














No. Neither the Windows firewall nor a competent router's firewall is "all or nothing".




Home users are generally expected to set the Windows Firewall to the Private profile when they are connected to their home network




The "Private" mode doesn't actually allow all connections from everywhere: most of the default rules are limited to "This subnet" only, which for IPv6 means that even in this mode, only other hosts within the same /64 (e.g. just your home hetwork) will be accepted. Foreign connections remain blocked.



(Note also that the built-in Windows Firewall knows about higher layers than just TCP ports: it can also restrict access to individual RPC services even if they're running on a shared port. This also means that SMB file-sharing access doesn't necessarily automatically grant RPC-over-SMB access.)



There are exceptions to "same subnet" being default (e.g. Remote Desktop is wide open as MS trusts NLA), but those are easy to change via wf.msc.



Which brings to the second reason: even if the profile had bad defaults, just having two customizable profiles is in itself a feature useful by many advanced users (who would still be able to configure at least custom rules for different security levels).




With IPv4 there's usually NAT in between which acts as a firewall.




NAT doesn't act as a firewall; it is used in addition to a firewall. Yes, you could say that it provides an extra layer against distant attackers – due to private LAN addresses being unroutable on the Internet – but that has nothing to do with actual packet filtering that a firewall does.



If you have just NAT but no other form of packet filtering, then your immediate WAN neighbours still have ways of reaching inside your LAN with just an ip route add.




Some routers (including mine) has an "IPv6 firewall" which simply drops all inbound IPv6 traffic. But if I actually want to open at least one inbound port for some application (such as Remote Desktop) then I have no choice but to expose everything to everyone.




That's a significant omission in your router's firmware then. If its firewall supports custom "allow-specific, deny-all" rules for incoming IPv4, there is no reason it cannot support the same for IPv6.



In both IPv4 and IPv6, it is trivial for a router to implement a firewall that passes through inbound connections to a specific host only, and/or to a specific port only. Most home routers don't even implement their own; they ship standard Linux iptables, so they have no excuse.



If you're completely sure your router doesn't offer custom IPv6 rules (they might be named "virtual server" or "port forwarding" despite not involving DNAT), check if there is a firmware update available.







share|improve this answer














share|improve this answer



share|improve this answer








edited 2 hours ago

























answered 3 hours ago









grawity

222k33454518




222k33454518











  • Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
    – boot4life
    48 mins ago










  • This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
    – Michael Hampton
    3 mins ago

















  • Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
    – boot4life
    48 mins ago










  • This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
    – Michael Hampton
    3 mins ago
















Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
– boot4life
48 mins ago




Thank you for that detailed answer. The default firewall rules often being for local subnet only is a very good point. I verified this on my machine by testing all TCP ports from another local computer and the using an only IPv6 TCP port checker on those findings. All were closed except those that I explicitly opened.
– boot4life
48 mins ago












This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
– Michael Hampton
3 mins ago





This is a good point about IPv6 firewall allow rules: The configuration option to allow specific IPv6 traffic through is generally not named "port forwarding" because that's not what it is. I've seen several other names used, so it may be hard to find. Knowing the specific router model may help.
– Michael Hampton
3 mins ago


















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1368212%2fis-the-windows-firewall-mode-private-obsolete-with-ipv6-for-home-users%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 31 down vote favorite 4 I hold a PhD in mechanical engineering with a 7 year background in self-guided, self-paced research including 2 years as a graduate level course instructor and a subject matter expert for various engineering projects in a university setting in the United States. For the last 10-11 months, I am working in a research industry in France where my task is to debug C++ spaghetti code written over a period of several years by my current supervisor. It is a team of 2: just I and my supervisor. Diurnally, I am posed with a "bug of the day" to get out of this C++ code. My supervisor generally gives me about 15-30 minutes to solve it and then accosts me about whether or not the task is completed and then rinses and repeats this until the end of the day. Off-late, my supervisor has been holding 6-7 hour long "meetin
Read more

Is the Concept of Multiple Fantasy Races Scientifically Flawed? [closed]

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite Many fantasy worlds have multiple humanoid species (elves, orcs, humans, etc) living in the same world, in addition to that, they often have the ability to interbreed. And I can't help but question their believability... fantasy-races reproduction interspecies-relations share | improve this question edited Aug 9 at 14:46 Michael Kjörling ♦ 21.1k 10 85 161 asked Aug 9 at 13:13 Chlodio 118 6 closed as unclear what you're asking by MichaelK, Gryphon, John, Vincent, Frostfyre Aug 9 at 15:25 Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question. 3 Stack Exchange exist to
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of
Read more