Monday, April 01, 2013

Some PowerShell IPv6 and Adv. Firewall cmdlets

I've been working to find excuses to use PowerShell, basically to force myself to learn it. I presented at TechMentor and put together a long list of PowerShell cmdlets (PowerShell's way of saying commands) I felt would be useful. These are the ones I think folks who are interested in deploying IPv6 need to know, in order to understand some best-practice configurations plus how to do some configuration work with the Advanced Firewall. It isn't particularly pretty or well structured, but I thought I would provide what I put together for the demo so others don't have to dig around as much to figure it out.

So, here it is in all its ugly glory...

# - Pre-build items (to do before IPv6 demo 1)

# - Show building everything out

# - from gold image of server 2012 (a server w/ nothing on it)

#

# -----------------------------

# - first get your network adapter naming

Get-NetIPInterface

# - determine the interface index number for the interface you want to set - in this case 12

# - see if any existing IP addresses are assigned to the interface

Get-NetIPAddress

# - if not then you can set the IP address on the interface for the first time using

New-NetIPAddress -InterfaceIndex 12 -IPAddress 10.10.1.1 -PrefixLength 24 -DefaultGateway 10.10.1.254 -WhatIf

New-NetIPAddress -InterfaceIndex 12 -IPAddress 2001:0db8:cafe:0010::1 -PrefixLength 64 -DefaultGateway 2001:0db8:cafe:0010::254 -whatif

# - validate the information

# - let's start using some of the built-in aliases - gip = Get-NetIPConfiguration

Get-Alias gip

# - now use it

gip

# - next let's look at the routing table to confirm things are built out the way we expect

# - first confirm the IPv4 routes

Get-NetRoute -AddressFamily IPv4

# - next confirm the IPv6 routes

Get-NetRoute -AddressFamily IPv6

#

# - if you are modifying an existing server IP stack, note that Set-NetIPAddress only changes the properties

# - (prefix length, lifetimes, etc.) of an address that already exists on the interface; -IPAddress selects which one

# - to replace the address itself, Remove-NetIPAddress the old one and then New-NetIPAddress the new one

Set-NetIPAddress -InterfaceIndex 12 -IPAddress 10.10.2.1 -PrefixLength 24 -WhatIf

Set-NetIPAddress -InterfaceIndex 12 -IPAddress 2001:0db8:cafe:0010::2 -PrefixLength 64 -WhatIf

# - notice no default gateway modifications were done, since the default gateway is a routing table entry

Get-NetRoute

# - modify the routing entries

# - you will note a principal difference between a SLAAC IPv6 configuration and a static one

# - specifically, with SLAAC the next hop of the default route is the link-local address of the router that sent the RA

# - proper IPv6 routing uses the router's link-local address as the next hop; in a static config, however,

# - you will likely end up putting in a next hop with one of the router's global (or unique local, ULA) addresses instead

# - you will have to remove the routing entry for the default gateway before applying a new one

Remove-NetRoute -DestinationPrefix ::/0 -Confirm

New-NetRoute -DestinationPrefix ::/0 -InterfaceIndex 12 -NextHop 2001:db8:cafe:10::253 -Publish Yes -RouteMetric 256 -whatif

# - the basics are now in place for IPv4 and IPv6 to function on the interface

# - next we need to add DNS entries onto the server for IPv4 and IPv6

# - you can use gip to see what the DNSServer values are

gip

# - or alternately use

Get-DnsClientServerAddress -AddressFamily IPv6

# - if the output contains fec0 values then the interface does not have proper local IPv6 DNS resolver entries - so fix it

Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses 2001:4860:4860::8888, 2001:4860:4860::8844 -WhatIf

#

# - optionally build out DNS and DHCP install - for now just install the services on the Server

Install-WindowsFeature DNS, DHCP -IncludeManagementTools

# - make sure they installed

get-windowsfeature

# - look at dhcp first

get-command -module DHCPServer

# - need to figure out how to get the account roles installed and working without the Server Manager wizard - not critical if you did the install with the wizard, but with a PowerShell install it doesn't work correctly
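The post-install work the wizard normally does for DHCP (local security groups, AD authorization, clearing Server Manager's post-install flag) can be scripted with the DHCPServer module's own cmdlets. The block below is an added example, not from the original post; the server FQDN, its IPv4 address and the Server Manager registry value are assumptions to adjust for your environment.

```powershell
# Added example: finish a PowerShell-based DHCP role install without the Server Manager wizard.
# Assumed values: the server's own FQDN and IPv4 address, and the Server Manager flag under Roles\12.
$dhcpServer   = 'dhcp1.ipv4.example.com'   # assumed: FQDN of the server being configured
$dhcpServerIp = '10.10.1.1'                # assumed: the address set on interface 12 earlier

# 1. create the local "DHCP Administrators" / "DHCP Users" groups the wizard would have created
Add-DhcpServerSecurityGroup -ComputerName $dhcpServer

# 2. in an AD domain, authorize the server; an unauthorized Windows DHCP server will not hand out leases
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Add-DhcpServerInDC -DnsName $dhcpServer -IPAddress $dhcpServerIp
    Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize
}

# 3. tell Server Manager the post-install configuration is done (assumed path; 2 = configuration complete)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# 4. restart the service so the new groups are picked up, then confirm it is running and bound
Restart-Service DHCPServer
Get-Service DHCPServer
Get-DhcpServerv4Binding
Get-DhcpServerv6Binding
```

Run it once, elevated, on the DHCP server itself; the Get-DhcpServerInDC output should list the server you just authorized.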

# - display the windows management interface - refresh to show the DNS and DHCP services are there

# - add an IPv6 and IPv4 scope so our Windows 8 computer can come up

# - IPv6 first

Add-DHCPServerv6Scope -Prefix 2001:db8:cafe:10:: -name test1-ipv6 -state Active -whatif

Add-DHCPServerv6ExclusionRange -Prefix 2001:db8:cafe:10:: -StartRange 2001:db8:cafe:10::1 -EndRange 2001:db8:cafe:10::256 -whatif

# - set the server-level DHCPv6 options (DNS server and search list) that clients will receive

Set-DhcpServerv6OptionValue -DnsServer 2001:db8:cafe:10::1 -DomainSearchList ipv6.example.com -WhatIf

Get-DHCPServerv6Scope | Format-List *

# - notice anything odd about the range that was excluded? What are valid IPv6 addresses - like: 2001:db8:cafe:10::a - is that in the range?

# - see which server interfaces DHCPv6 is bound to (active leases are shown later with Get-DHCPServerv6Lease)

Get-DHCPServerv6Binding

#

# - IPv4 commands for similar purpose

Add-DHCPServerv4Scope -StartRange 10.10.1.16 -EndRange 10.10.1.31 -SubnetMask 255.255.255.0 -Name test1-ipv4 -whatif

Set-DhcpServerv4OptionValue -Dnsserver 8.8.8.8 -Router 10.10.1.254 -DNSDomain ipv4.example.com

#Set-DhcpServerv4OptionDefinition -OptionId 3 -DefaultValue 10.10.1.254 -Name "default gateway"

Get-DHCPServerv4Scope | Format-List *

Get-DHCPServerv4OptionValue

Get-DHCPServerv4Binding

#

# ----------------------------

# - Demo 1 run through script

# - show how to disable 6to4

# - first check the status

Get-Net6to4Configuration

# - note the state is Default

# - turn off 6to4

Set-Net6to4Configuration -State Disabled

# - same task with netsh (for older systems with only PowerShell v2, which lack these cmdlets)

netsh interface ipv6 6to4 set state state=disabled

# - show the status

netsh interface ipv6 6to4 show state

#

#

# - show how to turn off isatap

# - first check the status

Get-NetIsatapConfiguration

# - note the state is Default

# - turn off ISATAP

Set-NetIsatapConfiguration -State Disabled

# - same task with netsh (for older systems with only PowerShell v2)

netsh interface isatap set state state=disabled

# - show the status

netsh interface ipv6 isatap show state

#

#

# - show how to turn off teredo

# - first check the status

Get-NetTeredoConfiguration

# - note the type is Default

# - turn off Teredo

Set-NetTeredoConfiguration -Type Disabled

# - same task with netsh (for older systems with only PowerShell v2)

netsh interface teredo set state type=Disabled

# - show the status

netsh interface teredo show state

#

#

# - review through each of the powershell cmdlets if time permits:

Get-Net6to4Configuration | gm

Get-NetIsatapConfiguration | gm

Get-NetTeredoConfiguration | gm

#

#

# - get IP address, interface alias and prefix origin info

# - example get-netadapter formatted output for all up interfaces:

Get-NetAdapter | ? status -eq 'Up' | Get-NetIPAddress -ea 0 | ft ipaddress, interfaceindex, interfacealias, prefixorigin -a

#

# - show DHCP Lease status for IPv6 network

Get-DHCPServerv6Lease -Prefix 2001:db8:cafe:10:: | Format-List

# - switch to local Win8 client - show IPv6 address is in the DHCPv6 Lease info

gip

#

# - review through the IPv6 specific powershell cmdlets:

Get-NetIPv6Protocol | gm

get-help Get-NetIPv6Protocol -full

# - go through the specific parameter options

# -

# - review through the IPv6 settings commands

get-help Set-NetIPv6Protocol -Full

#

# ----------------------------

# - Demo 2 run through script

# - interface specific configurations

#     powershell for each interface type for firewall configuration - sequencing through those

#     focus is on best practice - which means turn the service off but firewall against it also

#     show RAGuard behavior via FW rules for servers if they will have static IPv6 addresses (recommended)

#     show why ICMPv6 is so important to allow through (PathMTU discovery)

# - Show the cmdlets in the NetTCPIP module

Get-Command -Module NetTCPIP

# - Show how to test (ping, tracert, nslookup)

# - all the command prompt options work in powershell - demo them

# - first introduce test-connection -Quiet returns a boolean value (True/False)

Test-Connection 10.10.1.1 -Quiet

Test-Connection 2001:db8:cafe:10::1 -Quiet

# - next show all the specific TCP settings and what Transport filter options are available

Get-NetTCPSetting

# - next show the Transport filters

Get-NetTransportFilter

# - you can create a custom Transport filter using

New-NetTransportFilter -SettingName Datacenter -DestinationPrefix 10.0.0.0/8

New-NetTransportFilter -SettingName Datacenter -DestinationPrefix 2001:db8:cafe:10::/64

#

# - might need to add additional testing / settings - not critical

#

# - next go over the advance firewall options

Get-NetFirewallRule | gm

# - firewall rules

# - netsh can be used also:

netsh advfirewall monitor show firewall rule name=all dir=in

# - powershell now

Get-NetFirewallRule

# - walk through the output of some of the firewall rules

#

# - sample creating new firewall rule

# - first example is blocking a specific application (not just a port); this one writes the rule into a Group Policy object rather than the local store

New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program "%SystemRoot%\System32\tlntsvr.exe" -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name

#

# - second example blocks protocol 41 (IPv6-in-IPv4) to the 6to4 relay anycast address 192.88.99.1 to prevent 6to4

New-NetFirewallRule -DisplayName "Block 6to4 Outbound" -Direction Outbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block

#

# - example - allow TCP traffic addressed to port 12345 and the range of ports 5000-5020 to a specific application from the computers on the remote side of an edge (NAT) device, using the Teredo IPv6 interface

New-NetFirewallRule -DisplayName "Allow TCP 12345 and 5000-5020 over Teredo" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 12345,5000-5020 -Program "C:\Program Files (x86)\TestIPv6App.exe"

#

#- IPv6 FW examples:

# - IPv6 FW rules to block 6to4 traffic (note: New-NetFirewallRule happily creates a second rule with the same DisplayName, so remove the one from the earlier example first)

New-NetFirewallRule -DisplayName "Block 6to4 Outbound" -Direction Outbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block

New-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP" -Direction Outbound -Protocol ICMPv4 -RemoteAddress 192.88.99.1 -Action Block

New-NetFirewallRule -DisplayName "Block 6to4 Inbound" -Direction Inbound -Protocol 41 -RemoteAddress 192.88.99.1 -Action Block

# - display the results

Get-NetFirewallRule -DisplayName "Block 6to4 Outbound"

Get-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"

Get-NetFirewallRule -DisplayName "Block 6to4 Inbound"

# - disable the FW rule:

Disable-NetFirewallRule -DisplayName "Block 6to4 Outbound"

Disable-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"

Disable-NetFirewallRule -DisplayName "Block 6to4 Inbound"

# - enable the FW rule:

Enable-NetFirewallRule -DisplayName "Block 6to4 Outbound"

Enable-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"

Enable-NetFirewallRule -DisplayName "Block 6to4 Inbound"

# - finally remove the FW rule:

Remove-NetFirewallRule -DisplayName "Block 6to4 Outbound"

Remove-NetFirewallRule -DisplayName "Block 6to4 Outbound ICMP"

Remove-NetFirewallRule -DisplayName "Block 6to4 Inbound"

#

# - IPv6 FW rules to block ISATAP traffic

# - ISATAP routers normally sit on the intranet, so more specific rules built around isatap.domain-name are needed for AD-joined hosts; this one only covers protocol 41 towards the Internet

# - this rule will also block 6to4 traffic (192.88.99.1 is an Internet address), making the above FW rules redundant, but they remain useful for tracking purposes

New-NetFirewallRule -DisplayName "Block ISATAP Outbound" -Direction Outbound -Protocol 41 -RemoteAddress Internet -Action Block

# - display the results

Get-NetFirewallRule -DisplayName "Block ISATAP Outbound"

# - disable the FW rule:

Disable-NetFirewallRule -DisplayName "Block ISATAP Outbound"

# - enable the FW rule:

Enable-NetFirewallRule -DisplayName "Block ISATAP Outbound"

# - remove the FW rule:

Remove-NetFirewallRule -DisplayName "Block ISATAP Outbound"

#

# - IPv6 FW rules to block Teredo traffic - Teredo servers listen on UDP 3544 (RFC 4380); the client's local port is dynamic, so match on the remote port

New-NetFirewallRule -DisplayName "Block Teredo Outbound" -Direction Outbound -Protocol UDP -RemotePort 3544 -RemoteAddress Internet -Action Block

# - display the results

Get-NetFirewallRule -DisplayName "Block Teredo Outbound"

# - disable the FW rule:

Disable-NetFirewallRule -DisplayName "Block Teredo Outbound"

# - enable the FW rule:

Enable-NetFirewallRule -DisplayName "Block Teredo Outbound"

# - remove the FW rule:

Remove-NetFirewallRule -DisplayName "Block Teredo Outbound"

#

# - a better way is to tie the FW rule to the Teredo service itself, since the client's local port is dynamic

# - Teredo runs inside the IP Helper service (iphlpsvc), so a rule scoped with -Service iphlpsvc is the hook - academic exercise to build the rule

#

# - the actual built-in client FW rule for 6to4 and ISATAP inbound (protocol 41) is:

Disable-NetFirewallRule -Name CoreNet-IPv6-In

# - the actual built-in FW rule for Teredo (UDP-In) is:

Disable-NetFirewallRule -Name CoreNet-Teredo-In

# - there are several others - academic exercise to find them all - simpler to add the specific deny rules

#

# - Windows 8 and Server 2012 already have the correct ICMPv6 rules in place (Core Networking group), but to show an example

# - finally, make sure ICMPv6 stays allowed: the RFC 4443 error messages (Packet Too Big, type 2, is what path MTU discovery depends on) and the RFC 4861 Neighbor Discovery types - for example, Neighbor Solicitation (135) and Neighbor Advertisement (136):

New-NetFirewallRule -DisplayName "ICMPv6 ND 135 In" -Direction Inbound -Protocol ICMPv6 -IcmpType 135 -Action Allow

New-NetFirewallRule -DisplayName "ICMPv6 ND 136 In" -Direction Inbound -Protocol ICMPv6 -IcmpType 136 -Action Allow
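A fuller version of that ICMPv6 allow list, added here as an example (it is not from the original post): the RFC 4443 error and echo messages that path MTU discovery and diagnostics need, plus the Neighbor Discovery types, all under one rule group so the set can be reviewed or removed as a unit. The -BlockRouterAdvertisements switch gives the RA-Guard-style behaviour for statically addressed servers mentioned in the Demo 2 outline. The group name is an assumption.

```powershell
# Added example (not from the original post): an ICMPv6 host allow-list in the spirit of RFC 4890.
# Assumed: the rule Group name; adjust it to your own naming convention.
function New-Icmpv6BaselineRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Group = 'IPv6 ICMPv6 baseline',
        # For statically addressed servers: drop inbound Router Advertisements on the host (RA-Guard behaviour).
        # A Block rule wins over every Allow rule, including the built-in Core Networking rule for RA.
        [switch]$BlockRouterAdvertisements
    )

    # RFC 4443 error and echo messages, both directions. Type 2 (Packet Too Big) is what path MTU
    # discovery depends on; filtering it is the classic way to make large IPv6 transfers hang.
    $general = @{ 1 = 'Destination Unreachable'; 2 = 'Packet Too Big'; 3 = 'Time Exceeded'; 4 = 'Parameter Problem'
                  128 = 'Echo Request'; 129 = 'Echo Reply' }
    # RFC 4861 Neighbor Discovery. NS/NA are not pinned to a source prefix because DAD solicitations come
    # from :: and advertisements may carry a global source. Type 137 (Redirect) is left out on purpose.
    $nd = @{ 133 = 'Router Solicitation'; 135 = 'Neighbor Solicitation'; 136 = 'Neighbor Advertisement' }

    $specs = foreach ($dir in 'Inbound', 'Outbound') {
        foreach ($t in (@($general.Keys) + @($nd.Keys))) {
            $label = if ($general.ContainsKey($t)) { $general[$t] } else { $nd[$t] }
            @{ DisplayName = "ICMPv6 $t $label $dir"; Direction = $dir; IcmpType = $t; RemoteAddress = 'Any'; Action = 'Allow' }
        }
    }
    # Router Advertisements: a valid sender is always link-local (RFC 4861), so pin the inbound rule to fe80::/10.
    $raAction = if ($BlockRouterAdvertisements) { 'Block' } else { 'Allow' }
    $specs += @{ DisplayName = 'ICMPv6 134 Router Advertisement Inbound'; Direction = 'Inbound'; IcmpType = 134
                 RemoteAddress = 'fe80::/10'; Action = $raAction }

    foreach ($s in $specs) {
        if ($PSCmdlet.ShouldProcess($s.DisplayName, "New-NetFirewallRule -Action $($s.Action)")) {
            New-NetFirewallRule -DisplayName $s.DisplayName -Group $Group -Direction $s.Direction -Protocol ICMPv6 `
                -IcmpType $s.IcmpType -RemoteAddress $s.RemoteAddress -Action $s.Action | Out-Null
        }
    }
    Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Action -AutoSize
}

# Preview on a statically addressed server; drop -WhatIf to create the rules.
New-Icmpv6BaselineRules -BlockRouterAdvertisements -WhatIf
```

Because the whole set carries one group, `Remove-NetFirewallRule -Group 'IPv6 ICMPv6 baseline'` takes it all out again, and `Get-NetFirewallRule -Group` is the quick audit of what is in force.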

#

#

# ----------------------------

# - Demo 3 run through script

# A powershell cmdlet that does the set up properly for the appropriate IPv6 configurations for the end system based on best practices.

# Store the existing configuration before changing and provide an option switch to revert back to old settings.

# The best practices will do:

# 1. - Turn off isatap

# 2. - Turn off teredo

# 3. - Turn off 6to4

#

# 4. - Put ADV FW rules in place on the host

#     - Consider Limiting input rate of ND traffic? - future

#

# - future:

#     - Build ACL that allows all global, link-local, ULA and multicast - does not permit 2001:db8::/32 (documentation) or legacy IPv6 address space like site-local or IPv4-compatible

# 5. - Ensure the client host has DHCPv6 client enabled

get-service dhcp

start-service dhcp

# 6. - Consider turning off the DHCPv6 client on statically assigned server hosts

# - note: stopping the DHCP Client service turns off DHCPv4 and dynamic DNS registration too; disabling DHCPv6 per interface (Set-NetIPInterface -AddressFamily IPv6 -Dhcp Disabled) is the narrower option

get-service dhcp

stop-service dhcp

# - show the error that happens when you try this: other services depend on dhcp (stop-service dhcp -Force would stop them with it)

# - you need to shut off those dependent services first

stop-service WinHttpAutoProxySvc

get-service WinHttpAutoProxySvc

# - and the next one - Network Location Awareness

stop-service nlasvc

get-service nlasvc

# - now try disabling dhcp again

stop-service dhcp

# 7. - Limit number of addresses per interface ? - see #6 & #8

# 8. - Turn off Random Addresses - optional

Set-NetIPv6Protocol -RandomizeIdentifiers disabled

set-netipv6protocol -RandomizeIdentifiers Enabled

# 9. - Make settings persistent - by default

# 10. - Turn off LLMNR? - no

# 11. - Turn off Internet Connection Sharing (maybe) - future

get-service sharedaccess

stop-service sharedaccess

set-service sharedaccess -StartupType Disabled

# 12. - Turn off icmp redirection (maybe) - future

# 13. - Turn off IPv4 (maybe) - future

# 14. - Install Routing in RemoteAccess (only needed if the server itself is to act as an IPv6 router)

Install-WindowsFeature RemoteAccess

# 15. - Determine multicast listening

# - you can't do this with PowerShell (as of Server 2012); you have to use netsh

netsh interface ipv6 show joins
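Demo 3 asks for a cmdlet that applies steps 1-4, 6 and 8 above, stores the existing configuration first, and offers a switch to revert. The function below is an added example of that, not code from the original post: the state file path, the firewall rule group name and the choice of interface 12 as the statically addressed NIC from Demo 1 are assumptions.

```powershell
# Added example (not from the original post): Demo 3's "best practices" cmdlet with save-and-revert.
# Assumptions: the state file path, the firewall rule Group name, and that interface 12 is the static NIC.
function Set-IPv6HostBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$StatePath = "$env:ProgramData\ipv6-baseline.clixml",
        [string]$Group = 'IPv6 transition baseline',
        [int[]]$StaticInterfaceIndex = @(),   # interfaces with static addresses: no DHCPv6 / RA there (step 6)
        [switch]$DisableRandomIdentifiers,    # step 8, optional
        [switch]$Revert
    )

    if ($Revert) {
        $old = Import-Clixml -Path $StatePath   # fails loudly if no baseline was ever saved
        if ($PSCmdlet.ShouldProcess("settings saved $($old.Saved)", 'Revert')) {
            Set-Net6to4Configuration   -State $old.SixToFour
            Set-NetIsatapConfiguration -State $old.Isatap
            Set-NetTeredoConfiguration -Type  $old.Teredo
            Set-NetIPv6Protocol -RandomizeIdentifiers $old.RandomizeIdentifiers -UseTemporaryAddresses $old.UseTemporaryAddresses
            foreach ($i in $old.Interfaces) {
                Set-NetIPInterface -InterfaceIndex $i.InterfaceIndex -AddressFamily IPv6 -Dhcp $i.Dhcp -RouterDiscovery $i.RouterDiscovery
            }
            Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
        }
        return
    }

    # 0. capture what is there today so -Revert can put it back
    $v6 = Get-NetIPv6Protocol
    $state = [pscustomobject]@{
        Saved                 = Get-Date
        SixToFour             = (Get-Net6to4Configuration).State
        Isatap                = (Get-NetIsatapConfiguration).State
        Teredo                = (Get-NetTeredoConfiguration).Type
        RandomizeIdentifiers  = $v6.RandomizeIdentifiers
        UseTemporaryAddresses = $v6.UseTemporaryAddresses
        Interfaces            = @(foreach ($i in $StaticInterfaceIndex) {
            Get-NetIPInterface -InterfaceIndex $i -AddressFamily IPv6 | Select-Object InterfaceIndex, Dhcp, RouterDiscovery })
    }
    if ($PSCmdlet.ShouldProcess($StatePath, 'Save current IPv6 settings')) { $state | Export-Clixml -Path $StatePath }

    if ($PSCmdlet.ShouldProcess('this host', 'Apply IPv6 baseline')) {
        # 1-3. transition technologies off
        Set-NetIsatapConfiguration -State Disabled
        Set-NetTeredoConfiguration -Type Disabled
        Set-Net6to4Configuration   -State Disabled

        # 4. firewall rules so the tunnels stay dead even if someone re-enables the service later
        New-NetFirewallRule -Group $Group -DisplayName 'Block 6to4/ISATAP out (proto 41)' -Direction Outbound -Protocol 41 -RemoteAddress Internet -Action Block | Out-Null
        New-NetFirewallRule -Group $Group -DisplayName 'Block 6to4 relay out (ICMPv4)' -Direction Outbound -Protocol ICMPv4 -RemoteAddress 192.88.99.1 -Action Block | Out-Null
        New-NetFirewallRule -Group $Group -DisplayName 'Block Teredo out (UDP 3544)' -Direction Outbound -Protocol UDP -RemotePort 3544 -RemoteAddress Internet -Action Block | Out-Null

        # 6. static servers: no DHCPv6 and no RA-derived config on the named interfaces, without stopping the DHCP Client service
        foreach ($i in $StaticInterfaceIndex) {
            Set-NetIPInterface -InterfaceIndex $i -AddressFamily IPv6 -Dhcp Disabled -RouterDiscovery Disabled
        }

        # 8. optional: stable identifiers and no temporary (privacy) addresses, so the server answers from one known address
        if ($DisableRandomIdentifiers) {
            Set-NetIPv6Protocol -RandomizeIdentifiers Disabled -UseTemporaryAddresses Disabled
        }
    }
}

# Usage: preview first, then apply for the static NIC from Demo 1; -Revert undoes everything from the saved state
Set-IPv6HostBaseline -StaticInterfaceIndex 12 -DisableRandomIdentifiers -WhatIf
# Set-IPv6HostBaseline -StaticInterfaceIndex 12 -DisableRandomIdentifiers
# Set-IPv6HostBaseline -Revert
```

The settings are persistent by default (step 9), which is exactly why the saved state matters: without it there is no record of what the host looked like before the change. Grouping the firewall rules under one -Group is what makes the revert clean.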

#

#

And that is it - a bit of a long post, but hopefully someone can glean some useful information out of all that mess. Remember, it was really an outline for myself of commands to run through for a presentation demo, so it isn't designed to be one big PowerShell cmdlet or module.
- Ed
