WIN 7 Teredo Questions

I have the latest Comodo Firewall release installed on my WIN 7 OS.

My router does not support IPv6, which means WIN 7 is using the Teredo protocol for IPv6 traffic. I have seen traffic in/out on port 3544, so it appears that at least part of Teredo is working. I came across an MSNet article about configuring your firewall for Teredo: Required Firewall Exceptions for Teredo - Win32 apps | Microsoft Learn.

Do I have to add the ICMPV6 rules mentioned in this article to my default Global rules? Do I have to add any other rules?

I have already crashed my router once which I think happened when I enabled the IPv6 checkbox. That setting is only for native IPv6 support - correct?

Teredo uses ICMPv6 echo request/reply to facilitate communication between the various components that comprise the Teredo network (clients, relays, servers etc.) so you will need to make sure you can accept echo reply messages. Unfortunately, ICMPv6 filtering is currently not working in CIS, so you either have to allow all ICMPv6 traffic, or none.

I have already crashed my router once which I think happened when I enabled the IPv6 checkbox. That setting is only for native IPv6 support - correct?

I’d need to know more about your router to comment on whether and how it supports IPv6, as there are several options available to connect to the IPv6 Internet.

If you want to ‘play’ with IPv6, depending on the support your router provides, a better option, assuming your ISP doesn’t offer you native IPv6, would be to set up a tunnel with one of the free brokers, such as Hurricane Electric Free IPv6 Tunnel Broker, who I use. There are others:

Freenet6 Services - gogoNET
SixXS - IPv6 Deployment & Tunnel Broker

If you really do want to use Teredo, and I suggest thinking carefully about that (might be of interest Re: Windows Vista NOT completely safe with CIS (IPv6).) then you might need some help setting things up, as it’s not as straightforward as it might seem. Take a look at this for more information: IPv6 at home, Part 1: Overview, Teredo – Thorsten on (mostly) Tech

Thanks for those great reference links. I created a Word doc. and combined all the “IPv6 At Home” article parts. Printed it all out for future reference.

I guess I should have looked at my default NIS 2011 System rules first on my WIN XP install. Appears Symantec might have a leg up on Teredo. The NIS 2011 default System rules cover all the ICMP rules mentioned in the MS link I posted plus a couple of block rules for Teredo/IPv6 that were not mentioned in the Comodo IPv6 article.

I might copy those rules over and create equivalent Comodo firewall rules. Just to see if Teredo works on my WIN 7 OS.

I agree that Teredo has had security issues. Actually any P2P tunneling has security issues. From what I have seen so far on the WIN 7 OS, appears only port 3544 connections are to Microsoft Teredo servers.

I would still like to know what that Comodo IPv6 filter option does?

I got lazy and just added the rules suggested in ‘Comodo Firewall IPv6 Guidelines.’ Also shut down Teredo using netsh command. Shut down all tunneling traffic from what I can see.

Are those Teredo servers mentioned in the above guidelines still the only ones in existence?

You won’t be able to reproduce the rules exactly; as I mentioned in my previous post, ICMPv6 filtering in CIS currently doesn’t work, so you either allow all ICMPv6 traffic, or none.

I agree that Teredo has had security issues. Actually any P2P tunneling has security issues. From what I have seen so far on the WIN 7 OS, appears only port 3544 connections are to Microsoft Teredo servers.

The tunnelling only exists as far as the Teredo relay; once the encapsulated packet has passed through the IPv4 Internet and reached the relay, the packet is decapsulated and passed on to the IPv6 Internet.

Port 3544 is the primary port for Teredo, but as mentioned, you will need to allow ICMPv6.

I would still like to know what that Comodo IPv6 filter option does?

Enabling IPv6 filtering simply means CIS will recognise IPv6 traffic.

Are those Teredo servers mentioned in the above guidelines still the only ones in existence?

The only servers I know of are:

teredo.ipv6.microsoft.com (the default for Windows clients using Teredo)
teredo.remlab.net (the default for linux clients using Miredo)
teredo2.remlab.net
debian-miredo.progsoc.org
teredo.ginzado.ne.jp
teredo.iks-jena.de

Updated information regarding Teredo relays can be found at http://www.bgpmon.net/teredo.php

You might also want to read this report by Symantec, as you have NIS.
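
An added example, not posted by anyone in this thread: a small Python audit that checks which servers a host talks to on UDP 3544 and decodes any Teredo IPv6 address seen in a log. It goes beyond the thread by using the Teredo address layout from RFC 4380; the log format, the allowlist entry and all sample addresses are constructed for illustration.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo prefix (RFC 4380)
TEREDO_PORT = 3544                                   # primary Teredo UDP port
# Constructed allowlist: replace with the IPv4 address(es) of the Teredo
# server your client is actually configured to use.
EXPECTED_SERVERS = {"65.54.227.120"}

# Constructed log lines in an assumed format: proto src dst dport
SAMPLE_LOG = """\
UDP 192.168.1.10 65.54.227.120 3544
UDP 192.168.1.10 203.0.113.9 3544
TCP 192.168.1.10 198.51.100.7 443
ICMPv6 2001:0:4136:e378:8000:63bf:3fff:fdd2 2001:db8::1 0
"""


def decode_teredo(addr):
    """Return the fields embedded in a Teredo address, or None if not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": int.from_bytes(raw[8:10], "big"),
        # The NAT-mapped port and address are stored with every bit inverted.
        "nat_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "nat_addr": str(ipaddress.IPv4Address(
            int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }


def audit(log_text, expected=EXPECTED_SERVERS):
    """Flag port-3544 traffic to unexpected servers and any Teredo addresses."""
    findings = []
    for line in log_text.splitlines():
        proto, src, dst, dport = line.split()
        if proto == "UDP" and int(dport) == TEREDO_PORT and dst not in expected:
            findings.append(("unexpected-teredo-server", dst, None))
        for addr in (src, dst):
            info = decode_teredo(addr) if ":" in addr else None
            if info:
                findings.append(("teredo-address", addr, info["server"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```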