Firewalls

A layer 3 firewall is just a router that does not necessarily route all IP packets. A layer 2 firewall is just a switch that does not necessarily forward all Ethernet frames.

The principle is to block packets instead of routing them. Blocking can be based on any field of the IP, TCP or UDP header, or even on the payload of these packets.

Examples of typical fields of packets or frames used to decide whether or not to block include:

Source IP address
Destination IP address
IP protocol (ICMP, TCP or UDP)
Source TCP or UDP port
Destination TCP or UDP port

The firewall rules can be applied to all traffic going in or out of each interface on a router.

You would typically block TCP traffic to destination ports to prevent access to applications, since applications typically listen for connections on well known ports. Note that such a rule only controls which ports are reachable: an application listening on a non-standard port is not caught by a rule written for the well known one.

NOTE: the order of the firewall rules applied to each interface is important. Rules are evaluated in order and the first matching rule decides what happens to the packet, so reordering rules can change the behavior of the rule set.


A router with interfaces

eth0 - 131.94.128.1/24
eth1 - 131.94.129.1/24

might have a separate rule set for each direction on each interface. The default (applied when no rule matches) might be pass or drop.

Example:

eth0 outbound
	src=131.94.50.1    dst=any            proto=any   source port=any   dest port=any --- drop packet
	src=any            dst=131.94.128.55  proto=tcp   source port=any   dest port=25  --- drop packet 
	pass all others
eth0 inbound 
	pass all

The above would
	block host 131.94.50.1 from reaching any host on 131.94.128.0/24 through this router
	block any host from making a TCP connection to port 25 on 131.94.128.55
	Since port 25 is used to receive mail (SMTP), this would effectively prevent host 131.94.128.55
	from receiving mail from outside its own subnet. Hosts on 131.94.128.0/24 reach .55 directly
	over the link without passing through the router, so these rules do not affect them.



eth1 outbound
	src=131.94.51.1    dst=131.94.129.56  proto=udp   source port=any   dest port=any --- drop packet
	src=any            dst=any            proto=udp   source port=any   dest port=any --- pass packet
	src=any            dst=any            proto=tcp   source port=any   dest port=any --- pass packet
	src=any            dst=any            proto=icmp  source port=any   dest port=any --- pass packet
	drop all others
eth1 inbound
	src=131.94.129.100 dst=any            proto=any   source port=any   dest port=any --- drop packet
	pass all


The above would

outbound (traffic leaving the router through eth1, toward 131.94.129.0/24)
	disallow 131.94.51.1 from sending any UDP traffic to 131.94.129.56
	allow any host to send UDP traffic to hosts on 131.94.129.0/24
	(except for the traffic blocked by the first rule)
	allow any host to send TCP traffic to hosts on 131.94.129.0/24
	allow any host to send ICMP traffic to hosts on 131.94.129.0/24
	deny all other traffic (any other IP protocol)

inbound (traffic arriving at the router on eth1, from 131.94.129.0/24)
	deny all traffic from 131.94.129.100
	pass all other traffic
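The following is an added example, not part of the original notes: a small first-match packet filter in Python that encodes the three rule tables above and shows how swapping two rules changes the outcome. The Packet, Rule and Chain types and the sample packets are mine and hypothetical; the addresses and rules are the ones from the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp", "icmp", ... (lower case)
    sport: Optional[int] = None   # None for protocols without ports (e.g. icmp)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "drop"
    src: str = "any"              # single address or CIDR block, or "any"
    dst: str = "any"
    proto: str = "any"
    sport: Optional[int] = None   # None means "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field of the rule that is not a wildcard must match the packet."""
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass(frozen=True)
class Chain:
    rules: Tuple[Rule, ...]
    default: str                  # action taken when no rule matches

    def decide(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First-match evaluation: the first rule that matches decides.
        Returns (action, index of the deciding rule, or None for the default)."""
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                return rule.action, i
        return self.default, None


# The rule tables from the text, in the order they are written.
ETH0_OUT = Chain((
    Rule("drop", src="131.94.50.1"),
    Rule("drop", dst="131.94.128.55", proto="tcp", dport=25),
), default="pass")

ETH1_OUT = Chain((
    Rule("drop", src="131.94.51.1", dst="131.94.129.56", proto="udp"),
    Rule("pass", proto="udp"),
    Rule("pass", proto="tcp"),
    Rule("pass", proto="icmp"),
), default="drop")

ETH1_IN = Chain((
    Rule("drop", src="131.94.129.100"),
), default="pass")


def reordered(chain: Chain, i: int, j: int) -> Chain:
    """Swap rules i and j; used to show that rule order changes the outcome."""
    rules = list(chain.rules)
    rules[i], rules[j] = rules[j], rules[i]
    return Chain(tuple(rules), chain.default)


if __name__ == "__main__":
    # Constructed sample: a DNS query from the host the first eth1 rule singles out.
    dns_query = Packet("131.94.51.1", "131.94.129.56", "udp", 40000, 53)
    print(ETH1_OUT.decide(dns_query))                    # ('drop', 0)
    # With the generic "pass udp" moved ahead of the specific drop, it shadows the drop.
    print(reordered(ETH1_OUT, 0, 1).decide(dns_query))   # ('pass', 0)
```

The second call is the point of the NOTE above: the specific drop rule still exists, but once a broader pass rule precedes it the drop can never match, so the rule set silently stops doing what its author intended.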

	

IP Version 6

IPv6 is also sometimes referred to as the Next Generation IP protocol (IPng). It was designed to solve specific problems seen in IPv4. A larger address space was needed, so IPv6 uses 128-bit addresses instead of 32-bit ones. Support for auto-configuration was also included. Improved options and provisions for protocol extension were designed in, as well as support for Quality of Service and other resource allocation issues.

The address space is large: 128 bits. Addresses are written as eight groups of 4 hexadecimal digits separated by colons. A double colon (::) can stand in for one run of consecutive all-zero groups and may appear at most once in an address. IPv6 addresses fall into three main categories: unicast, multicast and anycast (NOTE: no broadcast). Unicast is a single destination and multicast can be any number of destinations, just like IPv4. Anycast addresses are new: an anycast address is assigned to several interfaces that provide a service, and a packet sent to it is delivered to the "nearest" one as measured by the routing protocol.

Like IPv4 there are some reserved addresses:

	::1			unicast loopback (localhost)
	::			unspecified address (also written ::0)
	ff02::1			multicast, all nodes on the link
	ff02::2			multicast, all routers on the link

Unlike IPv4, whole ranges of the address space are set aside for addresses of different scope. For example:

	fe80::/10		reserved for link-local unicast addresses
	ff00::/8		reserved for multicast addresses

Link-local addresses are only valid on the link they are configured on; routers never forward packets with a link-local source or destination.

Global addresses follow the format:


|         n bits         |   m bits  |       128-n-m bits         |
+------------------------+-----------+----------------------------+
| global routing prefix  | subnet ID |       interface ID         |
+------------------------+-----------+----------------------------+

The interface ID is usually in Modified EUI-64 format and is 64 bits long (RFC 4291 requires 64-bit interface IDs for all unicast addresses except those starting with the binary value 000).

Global address space is assigned by IANA out of 2000::/3

The address space is designed to be very hierarchical, with ISPs allocating subnets of their address space to downstream customers. For example, 2001:0400::/23 is address space assigned by IANA to ARIN for use in North America. The Internet2/Abilene network uses the prefix 2001:468::/32, AMPATH/SFG uses 2001:468:700::/40 and FIU is assigned 2001:468:701::/48.

Host addresses are assigned out of the lower 64 bits (the interface ID) of an IPv6 address. Often they are automatically derived from the host's Ethernet MAC address as part of SLAAC (Stateless Address Autoconfiguration). As specified in RFC 4291 Appendix A, a 48-bit Ethernet address is converted to a 64-bit Modified EUI-64 interface ID as follows: the universal/local bit (the second-lowest-order bit of the first octet, value 0x02) is inverted, and the two octets ff:fe are inserted between the OUI (first 3 octets) and the device identifier (last 3 octets). A host with the 48-bit MAC address 08:09:0a:0b:0c:0d would use the 64-bit interface ID 0a09:0aff:fe0b:0c0d; a host with the MAC address 00:c0:a8:7d:77:4a would use 02c0:a8ff:fe7d:774a. Note that the mapping is reversible, so a MAC-derived interface ID exposes the hardware address and stays the same as the host moves between networks; for that reason current hosts usually generate interface IDs differently (temporary addresses per RFC 4941, or stable but opaque IDs per RFC 7217).

An IPv6 packet header takes the following format (the diagram and field descriptions below are reproduced from RFC 2460, section 3, now superseded by RFC 8200; the section numbers and the [ADDRARCH] reference are to that RFC):


   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                         Source Address                        +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                      Destination Address                      +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Version              4-bit Internet Protocol version number = 6.

   Traffic Class        8-bit traffic class field.  See section 7.

   Flow Label           20-bit flow label.  See section 6.

   Payload Length       16-bit unsigned integer.  Length of the IPv6
                        payload, i.e., the rest of the packet following
                        this IPv6 header, in octets.  (Note that any
                        extension headers [section 4] present are
                        considered part of the payload, i.e., included
                        in the length count.)

   Next Header          8-bit selector.  Identifies the type of header
                        immediately following the IPv6 header.  Uses the
                        same values as the IPv4 Protocol field [RFC-1700
                        et seq.].

   Hop Limit            8-bit unsigned integer.  Decremented by 1 by
                        each node that forwards the packet. The packet
                        is discarded if Hop Limit is decremented to
                        zero.

   Source Address       128-bit address of the originator of the packet.
                        See [ADDRARCH].

   Destination Address  128-bit address of the intended recipient of the
                        packet (possibly not the ultimate recipient, if
                        a Routing header is present).  See [ADDRARCH]
                        and section 4.4.

The Next Header field identifies what follows the fixed header: either an upper-layer header (ICMPv6 = 58, TCP = 6, UDP = 17) or an extension header (Hop-by-Hop Options, Routing, Fragment, Destination Options, the IPsec AH and ESP headers, etc.). Each extension header carries its own Next Header field, so the headers form a chain that a receiver must walk to reach the transport protocol.
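As an added example (not from the original notes), here is a Python parser for the fixed header shown above that checks the version and length fields and walks the Next Header chain through extension headers to find the upper-layer protocol. The sample packet is constructed inline: a Hop-by-Hop Options header followed by a UDP datagram, with the UDP checksum left at zero since it is not what is being demonstrated. The addresses reuse the FIU prefix from the text; the function and constant names are mine.

```python
import struct
from ipaddress import IPv6Address
from typing import Dict, List, Tuple

# Next Header values (IANA protocol numbers, shared with the IPv4 Protocol field)
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 6, 17, 43, 44, 58, 60
# Extension headers whose second byte is "Hdr Ext Len" in 8-octet units, not counting the first 8
VARIABLE_LEN_EXT = {HOPOPT, ROUTING, DSTOPTS}
FIXED_HDR_LEN = 40


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes,
               hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Serialize the 40-byte fixed header followed by the payload."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def parse_ipv6(pkt: bytes) -> Dict:
    """Parse the fixed header, validate lengths, then walk the extension-header chain
    to find the upper-layer protocol and the offset of its header."""
    if len(pkt) < FIXED_HDR_LEN:
        raise ValueError("truncated: shorter than the 40-byte fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version={version})")
    if len(pkt) - FIXED_HDR_LEN < payload_len:
        raise ValueError("truncated: fewer bytes present than Payload Length claims")
    payload = pkt[FIXED_HDR_LEN:FIXED_HDR_LEN + payload_len]

    chain: List[Tuple[int, int]] = []   # (header type, length in bytes) per extension header
    nh, off = next_header, 0
    while nh in VARIABLE_LEN_EXT or nh == FRAGMENT:
        if off + 8 > len(payload):
            raise ValueError("truncated extension header")
        nxt = payload[off]
        # The Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len in byte 1.
        hdr_len = 8 if nh == FRAGMENT else (payload[off + 1] + 1) * 8
        if off + hdr_len > len(payload):
            raise ValueError("extension header runs past the end of the payload")
        chain.append((nh, hdr_len))
        off += hdr_len
        nh = nxt
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": IPv6Address(pkt[8:24]),
        "dst": IPv6Address(pkt[24:40]),
        "ext_chain": chain,
        "upper_layer": nh,                        # protocol found at the end of the chain
        "upper_layer_offset": FIXED_HDR_LEN + off,
    }


# Constructed sample input (not a real capture): a UDP datagram (8-byte header, ports
# 40000 -> 53, length 10, checksum 0, data "hi") preceded by a Hop-by-Hop Options header
# holding a single PadN option (type 1, length 4), so the extension header is 8 bytes.
UDP_DATAGRAM = struct.pack("!HHHH", 40000, 53, 10, 0) + b"hi"
HOP_BY_HOP = bytes([UDP, 0]) + bytes([1, 4, 0, 0, 0, 0])
SAMPLE = build_ipv6("2001:468:701:3801:2c0:a8ff:fe7d:774a", "2001:468:701:3801::53",
                    HOPOPT, HOP_BY_HOP + UDP_DATAGRAM)

if __name__ == "__main__":
    for field, value in parse_ipv6(SAMPLE).items():
        print(f"{field:>18}: {value}")
```

A filter that only looks at the first Next Header value would classify the sample as "Hop-by-Hop Options" and never see the UDP header; walking the chain, with the length checks above, is what lets a firewall apply a port-based rule to such a packet.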

A node is required to recognize the following addresses as identifying itself:

      o  Its required Link-Local Address for each interface.
      o  Any additional Unicast and Anycast Addresses that have been
         configured for the node's interfaces (manually or
         automatically).
      o  The loopback address.
      o  The All-Nodes Multicast Address (ff02::1)
      o  The Solicited-Node Multicast Address for each of its unicast
         and anycast addresses.
      o  Multicast Addresses of all other groups to which the node
         belongs.
Solicited-node multicast addresses are computed as a function of a node's unicast and anycast addresses. A solicited-node multicast address is formed by taking the low-order 24 bits of an address (unicast or anycast) and appending those bits to the prefix ff02::1:ff00::/104, resulting in a multicast address in the range ff02::1:ff00:0 to ff02::1:ffff:ffff. An example: the host with the IPv6 address 2001:468:701:3801:02c0:a8ff:fe7d:774a/64 would have the solicited-node multicast address ff02::1:ff7d:774a. (A prefix length is not meaningful for a multicast address, and several hosts whose addresses share the same low-order 24 bits join the same group.)

In the Ethernet header, the EtherType field for an IPv6 packet is 0x86DD (IPv4 uses 0x0800).

The mechanism in IPv6 that is analogous to ARP in IPv4 is Neighbor Discovery, carried in ICMPv6. In its basic form it works like ARP: the node sends a Neighbor Solicitation to the target's solicited-node multicast address, and the target replies with a Neighbor Advertisement carrying the link-layer (hardware) address to use for delivery. Just as with ARP, the solicitation includes the sender's own link-layer address (in IPv6 as an ICMPv6 Source Link-Layer Address option), so that the solicited host does not need to make a solicitation in the other direction.

When bringing an interface up, ICMPv6 is also used to perform Duplicate Address Detection (DAD). This consists of a Neighbor Solicitation for the proposed (tentative) address, sent from the unspecified address (::) to that address's solicited-node multicast group. If another node responds with a Neighbor Advertisement, the address is already in use and cannot be used.

IPv6 implements automatic address configuration of hosts. Routers advertise a prefix, and hosts can combine it with the EUI-64 representation of their MAC address to form a full 128-bit IPv6 address. Routers advertise prefixes via ICMPv6 Router Advertisement messages, and hosts can ask for them with Router Solicitation messages. A host that has just come up and wants an address immediately sends a Router Solicitation to the "all routers" multicast address (ff02::2); routers respond with a Router Advertisement. Routers also periodically send unsolicited Router Advertisements to the "all nodes on link" multicast address (ff02::1). Note that nothing in the basic protocol authenticates these messages: any node on the link can send Router Advertisements and thereby offer itself as default router or advertise a prefix, which is why switches in production networks typically filter Router Advertisements arriving on non-router ports (RA Guard, RFC 6105).
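The following added example (my code, not from the original notes) ties the preceding sections together: it computes the Modified EUI-64 interface ID from a MAC address as described earlier, combines it with an advertised prefix to form the SLAAC address, derives the solicited-node multicast group and the Ethernet multicast MAC it maps to, and shows the addresses a DAD probe uses. The MAC addresses and the 2001:468:701:3801::/64 prefix are the ones used in the text; the function names are my own, and the 33:33 Ethernet mapping comes from RFC 2464, which the notes do not cite.

```python
from ipaddress import IPv6Address, IPv6Network


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit Modified EUI-64 interface ID (RFC 4291 Appendix A):
    invert the universal/local bit (0x02 of the first octet) and insert ff:fe
    between the 3-octet OUI and the 3-octet device identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_to_mac(iid: bytes) -> str:
    """Inverse mapping: a MAC-derived interface ID gives the hardware address straight back."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not in Modified EUI-64 form")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def slaac_address(prefix: str, mac: str) -> IPv6Address:
    """Combine a /64 prefix (as carried in a Router Advertisement) with the EUI-64 interface ID."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with an EUI-64 interface ID needs a 64-bit prefix")
    return IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def link_local_address(mac: str) -> IPv6Address:
    """The link-local address every interface configures first, from fe80::/64."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low-order 24 bits of the unicast/anycast address."""
    low24 = IPv6Address(str(addr)).packed[-3:]
    return IPv6Address(IPv6Address("ff02::1:ff00:0").packed[:13] + low24)


def multicast_mac(addr: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast address: 33:33 plus its low-order 32 bits (RFC 2464)."""
    a = IPv6Address(str(addr))
    if not a.is_multicast:
        raise ValueError(f"{a} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[-4:])


def dad_probe(tentative: str) -> dict:
    """Addresses used by Duplicate Address Detection: the Neighbor Solicitation for a
    tentative address goes from the unspecified address to its solicited-node group."""
    group = solicited_node_multicast(tentative)
    return {"src": "::", "dst": str(group), "eth_dst": multicast_mac(str(group)), "target": str(tentative)}


if __name__ == "__main__":
    mac = "00:c0:a8:7d:77:4a"
    addr = slaac_address("2001:468:701:3801::/64", mac)
    print("link-local     ", link_local_address(mac))
    print("global (SLAAC) ", addr)
    print("solicited-node ", solicited_node_multicast(addr), multicast_mac(solicited_node_multicast(addr)))
    print("recovered MAC  ", eui64_to_mac(addr.packed[8:]))
    print("DAD probe      ", dad_probe(str(addr)))
```

The recovered-MAC line is the reason the text's caution about EUI-64 matters: anyone who sees the global address, in a web server log for instance, learns the hardware address and can correlate the host across every network it visits.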


References:
	RFC 4291	IP Version 6 Addressing Architecture
	RFC 5952	A Recommendation for IPv6 Address Text Representation