On 24.04.2023 05:24, Lew Wolfgang wrote:
On 4/23/23 07:01, Andrei Borzenkov wrote:
You use rich rules.
firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
This will reject any new packet coming from the router. It will do it before accepting SSH on port 22.
This will still allow IPv6 RA from your router. It will block ICMPv4, so you may consider explicitly allowing it.
Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Which IPv6 ports do you allow?
I hoped to get better torrent connectivity (incoming connections) but I do not see much IPv6 torrent traffic. Other than that I do not have any services that need access from outside.