Teredo / Miredo service

Some time ago I was advised to take care of Teredo (Miredo in Linux).

Wikipedia says the following about this peculiar service:

In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols such as 6to4, it can perform its function even from behind network address translation (NAT) devices such as home routers…

The Teredo server listens on UDP port 3544…

Concerning IT security you can read the following:

Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which would otherwise be unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. Teredo tunnel encapsulation can also cause the contents of the IPv6 data traffic to become invisible to packet inspection software, facilitating the spread of malware. Finally, Teredo exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

Firewalling, filtering, and blocking
For a Teredo pseudo-tunnel to operate properly, outgoing UDP packets to port 3544 must be unfiltered. Moreover, replies to these packets (i.e., “solicited traffic”) must also be unfiltered. This corresponds to the typical setup of a NAT and its stateful firewall functionality. Teredo tunneling software reports a fatal error and stops if outgoing IPv4 UDP traffic is blocked.

Miredo in Linux systems:
Several Linux distributions have included Miredo as Teredo tunneling software. In principle it is the same as in Windows.

Conclusion:
As of today IPFire 2.x cannot handle IPv6 connections. Thus we are still working in an IPv4 world.

In order to eliminate this vulnerability I did the following:
First I created a new service.
Service name: Teredo
Protocol: UDP
Port: 3544

After that I created a new firewall rule.
Source: Any
Destination: RED
Protocol: Preset → Services: Teredo
REJECT

I would like to know the opinion of the network experts on this topic. I am looking forward to any reply :wink:

Thanks, Pierre
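
Once a reject rule for UDP port 3544 like the one in the post is active, the firewall log shows which internal hosts still run a Teredo/Miredo client. The following is an added example, not part of the original post and not IPFire code: it assumes logging is enabled for the rule and that log lines use the netfilter `key=value` layout; the `REJECT_FORWARD` prefix, interface names and all addresses in the sample are constructed.

```python
import re
from collections import Counter

TEREDO_PORT = 3544  # UDP port the Teredo server listens on (from the post)

# Constructed sample lines in netfilter LOG key=value layout; the prefix,
# interface names and addresses are assumptions made for this example.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: REJECT_FORWARD IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=UDP SPT=51820 DPT=3544
Mar  3 10:15:02 fw kernel: REJECT_FORWARD IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=UDP SPT=51820 DPT=3544
Mar  3 10:15:07 fw kernel: REJECT_FORWARD IN=green0 OUT=red0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=3544
Mar  3 10:16:11 fw kernel: REJECT_FORWARD IN=green0 OUT=red0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=UDP SPT=3544 DPT=53
Mar  3 10:17:30 fw kernel: REJECT_FORWARD IN=blue0 OUT=red0 SRC=192.168.2.5 DST=203.0.113.11 PROTO=UDP SPT=62001 DPT=3544
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def teredo_attempts(log_text, out_iface="red0"):
    """Count logged outbound Teredo packets per (source host, destination)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("OUT") != out_iface or f.get("PROTO") != "UDP":
            continue  # only UDP leaving through RED is relevant
        if f.get("DPT") != str(TEREDO_PORT):
            continue  # a source port of 3544 alone is not a Teredo client
        hits[(f.get("SRC"), f.get("DST"))] += 1
    return hits

def hosts_to_clean_up(log_text):
    """Internal hosts that still try to reach a Teredo server, busiest first."""
    per_host = Counter()
    for (src, _dst), n in teredo_attempts(log_text).items():
        per_host[src] += n
    return [host for host, _ in per_host.most_common()]

if __name__ == "__main__":
    for (src, dst), n in sorted(teredo_attempts(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{TEREDO_PORT}/udp  logged {n}x")
```

The hosts it reports are the ones where the Teredo or Miredo client itself can be disabled, so they stop generating the rejected traffic.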