On 2023-04-21 12:17, Nohk Two wrote:
On 2023/4/21 17:16, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:14 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:11, Andrei Borzenkov wrote:
...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
I believe what Andrei suggested is that you don't listen to the IPv6 addresses for your services. That is, if you have a web server, then just let the web server listen to IPv4 addresses.
Far easier and safer to disable IPv6 entirely at the router or ISP. It is the only safe route, actually. I asked at the ISP Beta support forum, no answers yet. I don't know if the problem is only with this router or with all, and whether they decide they have to publish a patch or not, or perhaps there is some configuration I can do at the router.
Meanwhile, what I'm contemplating is how to tell SuSEfirewall2 or firewalld how to distinguish intranet traffic from Internet traffic (on IPv6). There must be a way. Directly handling iptables myself is too complicated for me.
If you did this, then the firewall might be easier to manage. You can just accept the necessary ICMPv6 inputs and drop all others.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
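Added example (not part of the thread, and not firewalld or SuSEfirewall2 code): a Python model of the two ideas discussed above, telling intranet from Internet sources on IPv6 by source prefix, and accepting only the necessary ICMPv6 types. The delegated prefix, the port sets and the function names are assumptions made for illustration; a real firewall would also check that neighbor discovery packets arrive with hop limit 255.

```python
import ipaddress

# Constructed sample: the prefix the ISP delegates to the router
# (taken from the documentation range; replace with the real one).
DELEGATED_PREFIX = ipaddress.ip_network("2001:db8:1234::/48")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

# ICMPv6 error and echo types that RFC 4890 says should not be dropped.
ICMP6_ANYWHERE = {1, 2, 3, 4, 128, 129}
# Neighbor discovery (RS, RA, NS, NA): only meaningful from on-link senders.
ICMP6_ON_LINK = {133, 134, 135, 136}

# Hypothetical policy: TCP ports open to the Internet vs. to the LAN only.
PUBLIC_TCP_PORTS = {443}
LAN_TCP_PORTS = {22, 443, 631}


def is_intranet(src):
    """True if src is link-local, unique-local, or inside the delegated prefix.

    LAN hosts on IPv6 usually carry global addresses, so the delegated
    prefix has to be listed explicitly; "private address" is not enough.
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        raise ValueError("IPv6 address expected")
    return any(addr in net for net in (LINK_LOCAL, UNIQUE_LOCAL, DELEGATED_PREFIX))


def decide(src, proto, value):
    """Return 'accept' or 'drop'.

    proto is 'icmpv6' (value = ICMPv6 type) or 'tcp' (value = destination port).
    """
    lan = is_intranet(src)
    if proto == "icmpv6":
        if value in ICMP6_ANYWHERE:
            return "accept"
        # Duplicate address detection sends solicitations from "::".
        on_link = lan or ipaddress.ip_address(src).is_unspecified
        return "accept" if value in ICMP6_ON_LINK and on_link else "drop"
    if proto == "tcp":
        allowed = LAN_TCP_PORTS if lan else PUBLIC_TCP_PORTS
        return "accept" if value in allowed else "drop"
    return "drop"
```

If the ISP changes the delegated prefix, the intranet definition has to follow it, which is the main difference from an IPv4 LAN behind NAT.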