Why IPv6 filtering default disabled?

I just manually reinstalled CIS due to problems with Win10 AU.

In doing so, I reviewed all the settings and noticed that I had to tweak quite a few of them as the default settings were not what I wanted.

For instance, I believe I am fully on IPv6 from Comcast yet by default, the option “Filter IPv6 traffic” is not enabled.

From the help “Enable IPv6 filtering - Enabling this options means CIS will filter IPv6 network traffic in addition to IPv4 traffic. (Default = Disabled)” does not explain WHY this option is default disabled or what the impact of it being disabled IF you are running on IPv6 is.

Is this a security exposure if the filtering is NOT enabled?

Why can’t Comodo tell if you are running IPv6 and enable this setting as necessary?

Unknown why it is default disabled, but a wish has been made in the bug tracker to make it enabled by default. To answer your question on security implications with it disabled: yes, you are more exposed with IPv6 filtering off, as that tells CFW to ignore IPv6 packets regardless of rules set. So you should have it enabled if you have a full IPv6 dual-stack. Also note that you need to create specific global allow incoming rules for ICMPv6 in order to communicate over IPv6 properly.
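The "full IPv6 dual-stack" condition in the answer above can be checked from the machine's own address list. The following is an added example, not part of the thread and not how CIS decides anything; the `ipconfig` sample, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output (addresses are made up).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv6 Address. . . . . . . . . . . : 2601:db00:1234:5678:a1b2:c3d4:e5f6:789a
   Temporary IPv6 Address. . . . . . : 2601:db00:1234:5678:55aa:66bb:77cc:88dd
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:789a%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

# First match wins; order matters because 2000::/3 contains both tunnel prefixes.
SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),    # never routed off-link
    ("unique-local", ipaddress.ip_network("fc00::/7")),   # private, site-internal
    ("teredo-tunnel", ipaddress.ip_network("2001::/32")),
    ("6to4-tunnel", ipaddress.ip_network("2002::/16")),
    ("global", ipaddress.ip_network("2000::/3")),         # ISP-assigned unicast
]
# Scopes that carry Internet IPv6 traffic, where unfiltered IPv6 matters most.
INTERNET_FACING = {"global", "teredo-tunnel", "6to4-tunnel"}


def classify(addr):
    """Return the scope name for one IPv6 address string (zone id allowed)."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"


def ipv6_addresses(ipconfig_text):
    """Extract the host's own IPv6 addresses; gateway lines are not matched."""
    return re.findall(r"IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)", ipconfig_text)


def needs_ipv6_filtering(ipconfig_text):
    """Return (internet_facing, scopes_seen) for the given ipconfig output."""
    scopes = {classify(a) for a in ipv6_addresses(ipconfig_text)}
    return bool(scopes & INTERNET_FACING), sorted(scopes)


if __name__ == "__main__":
    print(needs_ipv6_filtering(SAMPLE_IPCONFIG))
```

A host that shows only a link-local address is not reachable over IPv6 from outside its own network segment, while any global or tunnel address means IPv6 traffic bypasses the firewall rules when filtering is off.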

Can you list the rule(s) for ICMPv6 that I need to add and how to do so?

Which begs the next question as to why these rules are not automatically in place if they are needed in the event that the user enables IPv6 filtering?


As to why it's not like that? Unsure, but like I said, they know about it and I made the statement of what is needed for IPv6 to work correctly; it's just up to them if they want to implement it or not.

Edit: For the custom types 134 and 135, just enter the number in the type box. See attached.

[attachment deleted by admin]

OK, thanks did all that. Why add only the ICMP types you illustrate? Why not add all 8 types available?

Because they are not necessary to get IPv6 going. Just as when the ICMPv4 equivalents are blocked when you set block all incoming for the stealth ports task, you will still have IPv4 connectivity. You could add address unreachable, no route to destination, and port unreachable if you really want to, but even when blocked you won’t notice problems when connecting over IPv6.

Is there any way to test that Comodo is filtering IPv6 correctly?

Yes, depending on which type of filtering you want to test. For incoming connection request filtering, you can either use an online IPv6 port scanner such as Online IPv6 Port Scanner and Firewall Tester, or, if you have a separate computer, you can use nmap with the following command line options: nmap -6. You can get nmap from here: Download the Free Nmap Security Scanner for Linux/Mac/Windows.

For outgoing connection filtering, you can set the firewall to custom ruleset mode and use your web browser to connect to, say, Google via its IPv6 address of 2607:f8b0:4004:80c::200e by putting that in the address bar. You should get a firewall alert asking about the outbound request for that address. Of course, you should first remove any allow outgoing rules that you have already created for your browser.

Thank you, futuretech! Hope there have been no changes in these rules since?

Correct, these rules should work for the foreseeable future.