IPV6 Tunnels/Firewalls and News

November 21, 2009 at 23:53:36
Specs: Windows XP Sp3Pro
Hi,
OK, I have set up an IPv6 tunnel to connect to some IPv6-only news servers. The connection works without the Windows Firewall on, but is blocked when I activate it.

I sort of half understand this stuff, but if anyone could pass a knowledgeable eye over it, I would appreciate it.


I am configured thusly:

XP Sp3 Pro
I have a cable connection that is NOT using a router (i.e. no NAT).

My news client talks to 127.0.0.1 port 1119

and I used (IPs removed)

[CODE]
netsh interface portproxy add v4tov6 listenport=1119 connectaddress=mynewsserver.ipv6.address.com connectport=119
[/CODE]

to make the tunnel connection, and something like (IPs removed)

[CODE]
ipv6 install
ipv6 rtu ::/0 2/::tunnelbrokers.ipv6.here pub
ipv6 adu 2/2001:470:sum:addr::2
[/CODE]

to configure IPv6.

The line in the "pfirewall.log" file (IPs removed):

[CODE]
DROP TCP src.ipv6.addr dest.ipv6.addr 3491 119 64 S 257086100 0 16384 - - - SEND
[/CODE]

Now I thought that the Windows firewall didn't drop "Outgoing" packets?

I have tried adding exceptions for the news client, ports 1119 and 119, even wininet.dll, but I just can't get my head around what's up.

Please can somebody shed any light on what is happening?

Many, many thanks in advance.

B.


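The log line quoted above is easier to reason about once it is split into the columns the XP SP2/SP3 firewall log declares in its own "#Fields:" header (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path). The following is an added example, not code from the thread or from Microsoft: a small parser for pfirewall.log that separates the host's own dropped outbound packets (path SEND) from dropped inbound ones (path RECEIVE), filters them by destination port, and shows how the ephemeral source port changes from attempt to attempt. The sample log is constructed (2001:db8::/32 documentation addresses) to resemble the quoted line; accepting a line with date and time trimmed off, as in the post, is an accommodation for this thread, not part of the log format.

```python
"""Parse Windows Firewall (XP SP2/SP3) pfirewall.log entries and pull out
the host's own dropped outbound connections.  Added example, not from the
thread; the column order is the one the log's "#Fields:" header declares,
and SAMPLE_LOG is constructed (2001:db8::/32 documentation addresses) to
resemble the line quoted in the post.
"""
from collections import Counter

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample; only the column layout is taken from the real format.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-11-21 23:40:01 DROP TCP 2001:db8:1::2 2001:db8:ffff::119 3491 119 64 S 257086100 0 16384 - - - SEND
2009-11-21 23:40:04 DROP TCP 2001:db8:1::2 2001:db8:ffff::119 3492 119 64 S 257086101 0 16384 - - - SEND
2009-11-21 23:40:30 DROP TCP 198.51.100.7 192.0.2.10 4312 135 48 S 99001122 0 65535 - - - RECEIVE
2009-11-21 23:41:15 DROP UDP 192.0.2.99 192.0.2.255 137 137 96 - - - - - - - RECEIVE
"""


def parse_line(line):
    """One data line -> dict keyed by FIELDS; None for header/blank lines.

    A 15-column line (date and time trimmed off, as in the quoted post) is
    also accepted; that accommodation is for this thread, not the format.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    cols = line.split()
    if len(cols) == len(FIELDS) - 2:
        cols = ["-", "-"] + cols
    if len(cols) != len(FIELDS):
        raise ValueError("unexpected column count %d: %r" % (len(cols), line))
    return dict(zip(FIELDS, cols))


def is_ipv6(addr):
    """Cheap address-family check, good enough for log triage."""
    return ":" in addr


def outbound_drops(text, dst_port="119"):
    """DROP entries with path SEND, i.e. packets this host itself tried to
    send and the firewall refused, going to dst_port."""
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "DROP" and rec["path"] == "SEND"
                and rec["dst-port"] == dst_port):
            found.append(rec)
    return found


def source_port_spread(rows):
    """Ephemeral source ports seen across the matched drops.  A new port on
    every attempt means a rule keyed on the source port can never match."""
    return Counter(r["src-port"] for r in rows)


if __name__ == "__main__":
    drops = outbound_drops(SAMPLE_LOG)
    for r in drops:
        fam = "IPv6" if is_ipv6(r["dst-ip"]) else "IPv4"
        print("%s %s %s blocked %s %s -> %s:%s (src port %s)" % (
            r["date"], r["time"], r["path"], fam, r["src-ip"],
            r["dst-ip"], r["dst-port"], r["src-port"]))
    print("source ports used:", dict(source_port_spread(drops)))
```

Run it against a real pfirewall.log by replacing SAMPLE_LOG with the file contents; the SEND/RECEIVE split is what tells you whether a drop is the machine's own outbound traffic or something arriving from outside.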


#1
November 22, 2009 at 07:21:14
[CODE]
DROP TCP src.ipv6.addr dest.ipv6.addr 3491 119 64 S 257086100 0 16384 - - - SEND
[/CODE]

Here's my guess: Do you see the 3491 before the 119? That's the local random source port that Windows is using. It may change on each connection attempt. Windows, Unix & Linux always use random source ports above 1024. So that's really the listening port, in which case, it may have to be changed to "any" in the firewall rules or somewhere in the client configuration. What is the name of the news client that you are using?

How do you know when a politician is lying? His mouth is moving.



#2
November 22, 2009 at 08:36:34
My news client talks to 127.0.0.1 port 1119

News client is talking to itself. This entry makes no sense unless you are also running a DNS server.



#3
November 22, 2009 at 09:37:31
wanderer
Makes perfect sense if you read the line

netsh interface portproxy add v4tov6 listenport=1119 connectaddress=mynewsserver.ipv6.address.com connectport=119

It proxies port 1119 to 119; basically it pushes all the traffic out from 1119 down a 4to6 tunnel and vice versa, appearing as port 119 in IPv6 land (the correct port for NNTP).

guapo
I was using Grabbit (excellent workhorse, highly recommended), but it didn't work (because of the firewall), then tried Altbinz (when I discovered the firewall problem; now Grabbit works fine with the firewall off).
You are correct about the port 3491 changing on each connect, but I tried adding the executable to the exclusions, with the scope set to "Any computer on the Internet" (keep in mind I am using the plain old M$ firewall).
When you say "any": I entered the rule using netsh

netsh firewall add portopening ALL 119 AltBinz-119 ENABLE ALL

but if I used something like (probably not correct, just illustrating a point)

netsh firewall add portopening ALL ALL AltBinz-119 ENABLE ALL

then there would be no point in having a firewall?

My thought was that the traffic is actually being sent/received via the process that is running the IPv6 "tunnel", which I had assumed was wininet.dll (or svchost.exe, as I saw that in the list of connections with "netstat" on the ports in question), and as that isn't in the list of exclusions, the traffic was being dropped. But as it is a system DLL I assumed that it would be allowed access.

Some people may ask "Why bother with IPv6 tunnels etc.?" Well, one simple reason: free (yes, free, and fast) binary Usenet access. I am not blessed with huge amounts of cash, so anything that can help is a great help.


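To make concrete what the portproxy command in the post above does, here is an added example, not code from the thread or from Microsoft: a user-space equivalent of "netsh interface portproxy add v4tov6" written in Python. It accepts IPv4 TCP connections on a loopback port and relays each one to a target that is normally reached over IPv6, the way portproxy relays 127.0.0.1:1119 to the news server's port 119. It also makes visible who owns which socket: the outbound connection to port 119 is opened by the proxy process, not by the news client that connected to 127.0.0.1, so a per-application exception for the client alone never covers that outbound leg. Assumptions: the listener is bound to 127.0.0.1 only (the netsh form quoted in the thread gives no listenaddress), and a constructed echo backend stands in for the news server so the whole thing runs offline; the main block tries the real v4-to-v6 shape over ::1 and falls back to IPv4 loopback where the host has no IPv6.

```python
"""User-space equivalent of `netsh interface portproxy add v4tov6`.
Added example, not code from the thread or from Microsoft.

The outbound leg to the target is opened by THIS process, not by the
client that connected to 127.0.0.1; that is the connection a firewall
would log with path SEND.  Assumptions: loopback-only IPv4 listener, and a
constructed echo backend standing in for the NNTP server.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target_addr, target_family):
    """Open the outbound leg and relay both directions until both sides finish."""
    try:
        upstream = socket.socket(target_family, socket.SOCK_STREAM)
        upstream.connect(target_addr)
    except OSError:
        client.close()  # target unreachable: client just sees the close
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_proxy(listen_port, target_host, target_port,
                listen_host="127.0.0.1", target_family=socket.AF_INET6):
    """Listen on IPv4 listen_host:listen_port and relay to the target over
    target_family (AF_INET6 is the v4tov6 case).  Returns the bound port
    (useful when listen_port is 0); the accept loop runs on a daemon thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, listen_port))
    listener.listen(16)
    target = (target_host, target_port)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=_relay, args=(conn, target, target_family),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_backend(host="127.0.0.1", family=socket.AF_INET):
    """Constructed stand-in for the NNTP server: greet, echo one line, close.
    Returns the bound port."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"200 backend ready\r\n")
                conn.sendall(b"echo " + conn.recv(1024))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(payload, backend_host="127.0.0.1", backend_family=socket.AF_INET):
    """Client -> IPv4 proxy -> backend and back; returns all bytes the client read."""
    backend_port = start_echo_backend(backend_host, backend_family)
    proxy_port = start_proxy(0, backend_host, backend_port,
                             target_family=backend_family)
    chunks = []
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as c:
        c.sendall(payload)
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # The real v4tov6 shape over ::1 where the host has IPv6 loopback,
    # otherwise IPv4 loopback on both legs.
    try:
        print(roundtrip(b"GROUP alt.test\r\n", "::1", socket.AF_INET6))
    except OSError:
        print(roundtrip(b"GROUP alt.test\r\n"))
```

While it runs, netstat shows the connection to the backend port owned by this Python process and the client's connection going only to 127.0.0.1, which is the same picture the poster saw with svchost.exe and the netsh portproxy service.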

#4
November 22, 2009 at 12:52:29
http://ipv6int.net/systems/windows_...

Take a look at that ^^.

Some sites suggest the command
netsh interface portproxy add v6tov4

I tunnel my IRC connection through a paid proxy service using SSH and a PuTTY client. I set the local port to 5001 and the remote port to the server:6667, so after I SSH to the proxy server, I run server 127.0.0.1 5001 and it connects to the IRC server through my paid proxy service. Those settings are done in the PuTTY client.

As far as I can tell, your tunnel is through IPv4 to IPv6. It's really not going through another machine or server. That's why you may need v6tov4 set by netsh.

That's all guess work on my part but from what I've researched so far, that's the best I can find.

How do you know when a politician is lying? His mouth is moving.



#5
November 23, 2009 at 13:19:27
Firewall is blocking 4to6. See how to allow it. Otherwise it is the localhost issue. Might be just as open if you allow it an exception.


All those Teredo clients and 4to6 might be a bit of a security issue. Well, I guess we can assume what you are doing with the reader anyway.

Playing to the angels
Les Paul (1915-2009)

