Introduction

The “Firewall Tester for IPv6”, or ft6, is a tool you can use to test how your firewall handles IPv6. This document covers the basic architecture of ft6 and how to install it, set it up and run it. We explain the tests and what to make of the results. We even show how to build your very own test yourself! Some familiarity with the TCP/IP stack, and IPv6 in particular, is assumed.

This document and ft6 itself are being released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. ft6 was written in cooperation with EANTC as part of the project IPv6 Intrusion Detection System, funded by BMBF.

Architecture

ft6 is a client-server application. The client will send data over the network, which the server attempts to capture. The server will then send back to the client a list of messages it received. That way, the client will know what messages were blocked (or lost) along the way.

Note the word “lost” in the parentheses above. Client and server cannot figure out why a message wasn’t received at the server. They will, however, always assume that a packet was lost due to the firewall blocking it. To make the results meaningful, you must make sure not to accidentally test some other devices as well. When setting up, it is therefore important to place the client and server directly one hop away from your firewall, to ensure that no other devices are interfering with the traffic.

Most communication will be sent via UDP with the destination port defaulting to 80 (www). That means you need to provide at least one open port for ft6 to work. Also, if your firewall policies are very different for each service you provide, it might be useful to check each port separately. ft6 marks packets with strings like “XXXXXXTest1Step1”. If your firewall rules match such strings, ft6 will likely fail. Client and server also perform a kind of handshake by sending the messages “StartTest n”, “EndTest n”, “StartResult n”, “EndResult n” and “ACKNOWLEDGED” (with n being an integer). Please don’t block those either.
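A pre-flight check for the caveat above, as an added example that is not part of ft6: it scans an `ip6tables-save` dump for blocking rules that use the `string` match and reports which ft6 markers or handshake messages they would hit. The function name, the sample ruleset and the choice of n = 1 are assumptions made for illustration.

```python
import shlex

# Payloads the page says ft6 sends; n = 1 is a sample value.
FT6_PAYLOADS = ["XXXXXXTest1Step1", "StartTest 1", "EndTest 1",
                "StartResult 1", "EndResult 1", "ACKNOWLEDGED"]
BLOCKING = {"DROP", "REJECT"}

# Constructed ip6tables-save excerpt, not taken from a real firewall.
SAMPLE_RULES = '''\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p udp -m udp --dport 80 -m string --string "Test" --algo bm --to 65535 -j DROP
-A FORWARD -p udp -m string --string "acknowledged" --algo bm --icase -j REJECT
-A FORWARD -p tcp -m string --string "cmd.exe" --algo bm -j DROP
-A FORWARD -p udp -m string --string "EndResult" --algo bm -j LOG
COMMIT
'''

def ft6_conflicts(ruleset, payloads=FT6_PAYLOADS):
    """Return (rule, payload) pairs where a blocking string match hits.

    Only the string match and the target are evaluated; protocol, port and
    other conditions are ignored, so every hit is a candidate to review.
    """
    hits = []
    for line in ruleset.splitlines():
        tok = shlex.split(line.strip())
        if not tok or tok[0] != "-A" or "--string" not in tok or "-j" not in tok:
            continue
        i, j = tok.index("--string"), tok.index("-j")
        if i + 1 >= len(tok) or j + 1 >= len(tok) or tok[j + 1] not in BLOCKING:
            continue  # malformed rule, or a non-blocking target such as LOG
        needle = tok[i + 1]
        negated = tok[i - 1] == "!"   # "! --string X" matches packets WITHOUT X
        icase = "--icase" in tok
        for payload in payloads:
            if icase:
                found = needle.lower() in payload.lower()
            else:
                found = needle in payload
            if found != negated:
                hits.append((line.strip(), payload))
    return hits

if __name__ == "__main__":
    for rule, payload in ft6_conflicts(SAMPLE_RULES):
        print(f"{payload!r} would be blocked by: {rule}")
```

Any rule it reports should be disabled or narrowed for the duration of the test run, otherwise ft6 will count the dropped control traffic as a firewall verdict.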
