I think this is probably another IPv6 bug but I’ll post it here first for comments.
I’ve been playing around with a torrent client called Tixati and one of the nice features of the client is the ability to select which protocol stack to use when in use, for example one may select:
IPv4 Only
IPv4 Preferred
IPv6 Preferred
IPv6 Only
Recently, I’ve been using IPv6 only and it’s working very well. Today I reinstalled CIS and decided to make my firewall rules from scratch. In the process, I loaded up Tixati and noticed there were no alerts for inbound connections, even though I was seeding. Further investigation revealed all of the inbound IPv6 connections were being picked up by WOS, at least as far as CIS was concerned. I immediately changed the mode from IPv6 only to IPv6 preferred and was greeted by a deluge of alerts, all for inbound IPv4 connections.
Following this, I changed the mode back to IPv6 only and loaded Microsoft Network Monitor; it’s handy in these situations, as it shows the process involved in the connection. As can be seen from the snippet below, Tixati is clearly the recipient of the inbound IPv6 connections, even though CIS thinks otherwise.
63559 0x998 20:17:55 31/01/2012 146.8713467 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
63560 0x998 20:17:55 31/01/2012 146.8714034 tixati_Windows.exe 2001:470:1F15:1A37: 2001:0:4137:9E76: TCP SrcPort=64185, DstPort=58955
63724 0x998 20:17:56 31/01/2012 147.1873339 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
63725 0x998 20:17:56 31/01/2012 147.1876155 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
63808 0x998 20:17:56 31/01/2012 147.3950926 tixati_Windows.exe 2001:470:1F15:1A37: 2001:0:4137:9E76: TCP SrcPort=64185, DstPort=58955
63938 0x998 20:17:56 31/01/2012 147.7019954 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
Bottom line:
- CIS failed to alert for inbound IPv6 connections
- CIS failed to recognise the correct owner of the inbound IPv6 connections and used WOS.
On the back of this, I thought I’d try a little remote desktop. Unfortunately, I was able to make a connection over IPv6, with no alerts and no rules from the remote. Once again WOS picked up the connection. I tried again with IPv4 and received the appropriate alerts.
This post is likely connected with an ongoing scenario Re: ICMPv6 from NDP are assigned to random running processes causing asking pop-ups
Edit: added a couple of RDP images. The automatic rule created when connecting via IPv6 is a bit naughty really, but I guess it does this because both machines are part of the same LAN. I’ll have to try it again from outside the LAN. Anyway, I’m sure you get the point.
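The cross-check described in the post (the process a packet capture ties to a local endpoint versus the process the firewall credits), as an added example that is not part of the original post. Assumptions: the `2001:470:1F15:1A37:` address is treated as the local side, the `FIREWALL_OWNER` table is a constructed stand-in because the post does not show a CIS log, and all function names are hypothetical.

```python
import re

# Frame summary lines copied from the post (addresses are truncated there).
CAPTURE = """\
63559 0x998 20:17:55 31/01/2012 146.8713467 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
63560 0x998 20:17:55 31/01/2012 146.8714034 tixati_Windows.exe 2001:470:1F15:1A37: 2001:0:4137:9E76: TCP SrcPort=64185, DstPort=58955
63724 0x998 20:17:56 31/01/2012 147.1873339 tixati_Windows.exe 2001:0:4137:9E76: 2001:470:1F15:1A37: TCP SrcPort=58955, DstPort=64185
"""
LOCAL_ADDR = "2001:470:1F15:1A37:"  # assumption: the seeding host's address
# Constructed: what the firewall attributed to each local endpoint.
FIREWALL_OWNER = {(LOCAL_ADDR, 64185): "WOS"}

# frame, id, time, date, offset, process, src, dst, protocol, ports
FRAME = re.compile(
    r"^(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"SrcPort=(\d+),\s*DstPort=(\d+)\s*$")

def parse(text):
    """Return one dict per frame summary line; non-matching lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frame, proc, src, dst, proto, sport, dport = m.groups()
            frames.append({"frame": int(frame), "proc": proc, "src": src,
                           "dst": dst, "proto": proto,
                           "sport": int(sport), "dport": int(dport)})
    return frames

def capture_owners(frames, local_addr):
    """Map each local (addr, port) endpoint to the processes the capture ties to it."""
    owners = {}
    for f in frames:
        if f["dst"] == local_addr:
            key = (f["dst"], f["dport"])
        elif f["src"] == local_addr:
            key = (f["src"], f["sport"])
        else:
            continue
        owners.setdefault(key, set()).add(f["proc"])
    return owners

def mismatches(frames, local_addr, firewall_owner):
    """Endpoints where the firewall's attributed process is not one the capture saw."""
    found = capture_owners(frames, local_addr)
    return [(key, sorted(procs), firewall_owner[key])
            for key, procs in sorted(found.items())
            if key in firewall_owner and firewall_owner[key] not in procs]

if __name__ == "__main__":
    for key, procs, fw in mismatches(parse(CAPTURE), LOCAL_ADDR, FIREWALL_OWNER):
        print(f"{key}: capture={procs} firewall={fw}")
```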