Airport Extreme N Users – Turn on your IPV6 Firewall!

As noted in the linked Ars Technica article, Apple messed up and left the IPv6 firewall off. Oops.


Out of the box, the router will connect you to the IPv6 Internet using an automatically configured tunnel. This means putting IPv6 packets put inside regular IPv4 packets. Those of you who really want to test IPv6 (you know who you are) are better off manually configuring a tunnel to your ISP or a tunnel broker, this is faster. If you don’t want IPv6 and don’t want to turn it off on all MacOS X and Windows Vista systems connected to the AirPort Extreme, you can select “Link-local only” as the IPv6 mode. If you leave IPv6 turned on, you may want to select “Block incoming IPv6 connections” to turn on the IPv6 firewall or your network is wide open over IPv6, even if it’s firewalled over IPv4.

Ipv 6 Airport Extreme n


  1. Yes but the OS X firewall is off by default as well. Enabling it at the router protects all machines behind the LAN as well (but clearly not the wireless clients open to direct attack)

  2. Turning on the “block all incoming IPv6 connections” option will also break: 1) active mode FTP from the local network to public IPv6 servers; 2) IPv6/IPsec with ISAKMP/IKE; 3) Quicktime streaming over IPv6; 4) BitTorrent sharing with IPv6; 5) certain VoIP applications; 7) anything else that communicates over more than one socket and relies on inbound flows to work.

    It breaks all these things in exchange for protection against all those evil IPv6 worms we keep hearing about in the news all the time. Why, I’ve heard that an unprotected Mac OS X computer hooked up to the IPv6 Internet without a firewall protecting it will be completely owned by mob hackers from Port Watson in less than fifteen seconds. TURN ON YOUR FIREWALLS!!!

  3. Are you serious? I wonder if our VPN issues with sonicwall are related to this? Apple’s new 7.1 firmware sets up the IPv6 more securely, but maybe this is why Sonicwall isn’t working?

  4. There appears to be some confusion about how to disable IPv6 on Mac’s and Vista. On Mac’s, you will need to enable the firewall for IPv6 and block all inbound and outbound IPv6 connections. For the geeks in the group, that is protocol 41, 43, 44, 58, 59 and 60 for inbound and outbound.

    Oh, J H woodyatt – I don’t remember any IPv6 worms as of today — which ‘evil IPv6 worms’ are you talking about? The “Effect of DNS Delays on Worm Propagation in an IPv6 Internet “ that discussed the inability of worms to propagate in the IPv6. The quote from the paper is “Fast-propagate worm is impossible in IPv6” because “in a /64 IPv6 sub-network, which is the smallest sub-network in IPv6 – it will take 30 thousand years to compromise most of the vulnerable hosts”. I like my Mac, but don’t expect to be around for 30,000 years.

  5. “which ‘evil IPv6 worms’ are you talking about? “

    Why, the ones that require AirPort Extreme to ship from the factory with the packet filter turned on by default to prevent them from getting a foothold on your local network from which they can freely make outbound connections. You know, the ones that made the V6OPS working group in the IETF decide that, even though draft-ietf-nap is informational and explicitly calls out that it isn’t making policy recommendations, stateful packet filters should nevertheless be widely deployed at residential IPv6 gateways to prevent inbound connections from being made, and that these filters should be turned on by default and require explicit user intervention to disable them.

    Those darned IPv6 worms are extremely pernicious, aren’t they? Why, they’re so evil nobody even knows where they are or what they’re doing! But, we know THEY MUST BE STOPPED! TURN ON YOUR FIREWALLS!!!

    p.s. There are actually ways that IPv6 worms could propagate over IPv6 more readily without randomly generating addresses to probe, but those mechanisms are easily interdicted by widely deploying RFC 3041 private addressing to prevent addresses from usable beyond the necessary intervals of time in which they’re used.

  6. “maybe this is why Sonicwall isn’t working?”

    More likely it’s just a new bug in the ISAKMP ALG that wasn’t there before, introduced by the fix to get the Nortel Contivity VPN to work. Wouldn’t it be nice if you didn’t need an ALG at all to interoperate? What a wonderful world that would be.

  7. More likely it’s just a new bug in the ISAKMP ALG that wasn’t there before, introduced by the fix to get the Nortel Contivity VPN to work. Wouldn’t it be nice if you didn’t need an ALG at all to interoperate? What a wonderful world that would be.

    Well Sonicwall didn’t work before the fix, nor after, so I am willing to try a few things out. I have the ear of an apple engineer to report results to.

  8. Interesting. The reports I’ve seen say that SonicWall was working before 7.1 and now it’s broken.

  9. Yeah, SonicWall worked with the DMZ hack only – then work upgraded the client and it stopped working totally. No change on 7.1

  10. Steve, can you elaborate on the DMZ hack you used with the SonicWall VPN and your AirPort Extreme. I have not yet upgraded from 7.0 to 7.1, so if there is a solution until Apple fixes the issue, I’d like to try it.

Comments are closed.