33C3: IPv6 at Home – Make Sure Your IPv6 Firewall Works As Intended!

Back in 2016, I wrote quite a number of blog posts about how to set up a server at home that is reachable over IPv6. Here’s a link to the summary. Over time one forgets some of the details, so I recently couldn’t remember whether I had opened my IPv6 firewall only for single ports to the IPv6 Interface ID of my server or whether I had given it ‘carte blanche’. No worries, as after all, who can find me in 128 bits of IPv6 entropy? But then I watched this talk at the recent 33C3 conference and I got worried enough to check my setup like real quick…

Basically, the talk goes into the details of finding IPv6 servers on the Internet by intelligently using the reverse DNS lookup mechanism that translates IPv6 addresses to domain names (FQDNs). It’s not as straightforward as it sounds, as the full search space has a size of 2^128 entries. In other words, one has to be a bit selective about searches to get a meaningful list of IPv6 hosts in a reasonable search time of a few days. For details, have a look at the video above.

On my side, I was relieved to see that I had indeed only opened a single port on my IPv6 server at home to the Internet, as that server also runs Samba for local file access. I use strong passwords, so having that service exposed to the Internet wouldn’t have been a major issue. However, even without knowing the password, Samba would reveal the names of the shares on the server. The screenshot on the right shows the IPv6 firewall settings on my “Fritzbox” DSL router for my IPv6 server. I’m sorry for the German text in the screenshot; there is no English user interface (!).