Telenet's firewall at your home

© Jean Huens 2014 0317

Telenet has installed a firewall to protect your computers at home.
This firewall is now split into an old IPv4 part and a new IPv6 part.

Default Firewall

The default firewall (for IPv4 and IPv6) seems to be set up as follows ("seems" because we could not find official documentation).
Little is officially known about the Telenet firewall at your home.

Rumors

  1. Ports 0-1024 are blocked, so one cannot e.g. set up an ssh server at home unless one connects to it on e.g. port 2022.
    (both for IPv4 and IPv6)
  2. IPv6 has its own set of ICMP messages. Telenet blocks most of these, except those necessary for the correct operation of your computers (e.g. "host unreachable", ...).

  3. The ICMPv6 messages which are not blocked are "rate limited" to avoid denial-of-service attacks.

Changing IPv4 firewall

This is done through a web interface:
(screenshot: telenet ipv4 firewall)

This setup allows my home machine hastierre to act as an ssh server listening on some higher port (the port forwarding is not used).

Changing IPv6 Firewall

Some information about IPv6 is helpful:
  1. Most IPv6 implementations on desktops and laptops use "privacy extensions". These computers use more or less random addresses when connecting to the outside world.
    To allow these computers one has to specify an address range (CIDR range) as the source address of a firewall rule.
  2. Even when using "privacy extensions" each computer has one stable global IPv6 address. This address should be used as the target address of the firewall rule.
When asked for help about the IPv6 firewall, the Telenet helpdesk produced this URL (20140315):
http://klantenservice.telenet.be/content/welke-instellingen-voor-ipv6-vind-ik-op-mijn-telenet


These suggestions may help when adding (or changing) rules in the IPv6 firewall.
  1. Source can be Host / CIDR / Any:
    for CIDR it accepts network ranges, e.g. 2a02:2c40:0:a007::/64 (this is a subrange of Computerwetenschappen).
    You need CIDR to accept connections from a computer with privacy extensions.
  2. Port or range:
    Even when 1. is Any you need to specify a port or range.
    By some experimenting I did find out that e.g. 2000:2256 is an accepted syntax for a range.
  3. When you click "firewall rule toevoegen" some syntax checking seems to be done. Invalid or missing fields are marked in red.
  4. When the firewall rule is syntactically accepted you still need to store the changes (indicated with a green text) by clicking "wijzigingen opslaan" (see below).
(screenshot: telenet add ipv6 firewall rule)

Tests (20140314)

The "wijzigingen opslaan" may result in a number of messages. I have seen:
  1. "Error"
  2. "wijziging tijdelijk niet mogelijk". After a few hours this did change into "error".
  3. A pop-up "server error" window from my browser (Iceweasel/Debian or Firefox/Ubuntu).
In my humble opinion the web interface or the firewall behind it seems rather new/unstable/experimental...

  Yet I did succeed in entering one rule, to access an ssh server at home from e.g. dellzebub.cs.kuleuven.be.
This rule will not work.
(screenshot: telenet ipv6 ssh server)

Tests (20140317)

During the weekend (15-16 March) Telenet did an upgrade of the "mijn telenet" website, apparently with success:

Firewall rule for Ipv6 ssh server access at home

  1. The source address is all hosts in 2a02:2c40:0:a007::/64 (the network with dellzebub and friends).
  2. The port range 1025:65000 is used to allow all ports set up by user processes (1025:65535 would be better).
  3. The destination address is the global dynamic address of my home ssh server, found under Linux with:
    hastierre:~$ ip address show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    ...
    4: ...0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:14:c1:22:50:96 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.163/24 brd 192.168.0.255 scope global wlan0
        inet6 2a02:1810:b80b:4100:51ad:2483:6a14:ea88/64 scope global temporary dynamic
           valid_lft 566766sec preferred_lft 48366sec
        inet6 2a02:1810:b80b:4100:214:c1ff:fe22:5096/64 scope global dynamic
           valid_lft 566766sec preferred_lft 48366sec
        inet6 fe80::214:c1ff:fe22:5096/64 scope link
           valid_lft forever preferred_lft forever

  4. The target port range includes two ports on which the ssh server listens, 20 and 2022.
    This is used for a test which shows that lower ports (0-1024?) are always blocked (same for IPv4).
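As an added example (not from this page or from Telenet), the following Python models the rule fields described above (source Host/CIDR/Any, port or low:high range, destination address) and picks the stable versus "temporary" (privacy-extension) global addresses out of `ip address show` output. The sample output is constructed from the listing above with the interface name filled in, and the privacy address used in the checks is made up.

```python
import ipaddress
import re

# Constructed sample, modelled on the `ip address show` output quoted on this page.
SAMPLE_IP_OUTPUT = """\
    inet6 ::1/128 scope host
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet6 2a02:1810:b80b:4100:51ad:2483:6a14:ea88/64 scope global temporary dynamic
    inet6 2a02:1810:b80b:4100:214:c1ff:fe22:5096/64 scope global dynamic
    inet6 fe80::214:c1ff:fe22:5096/64 scope link
"""

INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")
LOW_PORT_MAX = 1024  # ports up to here stay blocked whatever the rules say (as observed on this page)

def global_addresses(ip_output):
    """Return (stable, temporary) global inet6 addresses found in `ip address show` output.
    'temporary' = privacy-extension address used for outgoing connections; a destination
    rule should name the stable one."""
    stable, temporary = [], []
    for line in ip_output.splitlines():
        m = INET6_LINE.match(line)
        if not m or m.group(2) != "global":
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        (temporary if "temporary" in m.group(3).split() else stable).append(addr)
    return stable, temporary

def parse_source(source):
    """Source field of the web form: 'Any', a single host, or a CIDR range."""
    if source.lower() == "any":
        return ipaddress.IPv6Network("::/0")
    return ipaddress.IPv6Network(source, strict=False)  # a bare host becomes /128

def parse_ports(ports):
    """Port field: a single port or 'low:high', the range syntax found to work."""
    low, _, high = ports.partition(":")
    return int(low), int(high or low)

def rule_allows(rule, src, dst, dport):
    """Would rule {source, ports, destination} admit this inbound connection?"""
    if dport <= LOW_PORT_MAX:
        return False
    low, high = parse_ports(rule["ports"])
    return (ipaddress.IPv6Address(src) in parse_source(rule["source"])
            and ipaddress.IPv6Address(dst) == ipaddress.IPv6Address(rule["destination"])
            and low <= dport <= high)

# The rule from this page: the KU Leuven /64 as source, user ports, stable home address as target.
STABLE_HOME = "2a02:1810:b80b:4100:214:c1ff:fe22:5096"
SSH_RULE = {"source": "2a02:2c40:0:a007::/64", "ports": "1025:65000", "destination": STABLE_HOME}
```

A connection from a privacy address inside the /64 to STABLE_HOME on port 2022 passes SSH_RULE; the same connection aimed at the temporary home address, or at port 22, does not.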