On 2023-04-21 09:11, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP-provided "router" does not do any firewalling on IPv6. All my IPv6-capable machines are fully visible from the internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious: an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall know that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP-provided prefix is not fixed, but is dynamic. I cannot write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
You could also block all IPv6 packets from your router's MAC address.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
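
Added example, not part of the thread: an nftables ruleset sketching the suggestion above to keep intranet services on IPv4 and drop inbound IPv6 except ports meant to be reachable from outside, so no rule depends on the changing IPv6 prefix. The subnet, port numbers and table name are assumptions.

```nftables
# Added example; subnet, ports and table name are assumptions.
# Load as root with: nft -f <this file>
define LAN4       = 192.168.1.0/24   # assumed IPv4 intranet subnet
define LAN_TCP    = { 22, 445 }      # assumed intranet-only services
define PUBLIC_TCP = { 443 }          # assumed service exposed to the outside

# Create-then-delete so that reloading replaces the table atomically.
table inet lan_fw
delete table inet lan_fw

table inet lan_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that must keep working for neighbour discovery,
        # router advertisements and path MTU discovery.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # DHCPv6 replies to the client port, link-local senders only.
        ip6 saddr fe80::/10 udp dport 546 accept

        # Intranet services: IPv4 only, so "inside" is a fixed range
        # and never depends on the dynamic IPv6 prefix.
        ip saddr $LAN4 tcp dport $LAN_TCP accept

        # Deliberately exposed ports: any source, IPv4 and IPv6.
        tcp dport $PUBLIC_TCP accept

        # Everything else, including all other inbound IPv6, is
        # dropped by the chain policy.
    }
}
```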