On 4/23/23 07:01, Andrei Borzenkov wrote:
> You use rich rules.
>
> firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
>
> This will reject any new packet coming from the router. It will do it before accepting SSH on port 22.
>
> This will still allow IPv6 RA from your router. It will block ICMPv4, so you may consider explicitly allowing it.
>
> Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Which IPv6 ports do you allow? My Zyxel router has one check box to enable/disable IPv6; I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64, but I couldn't figure it out, so why bother when IPv4 works fine.

Regards,
Lew
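As an added example, not from either poster, here is a small POSIX shell script that applies the MAC-based rich rule quoted above together with the explicit ICMPv4 allowance Andrei suggests. It assumes firewalld 0.7 or newer (for the `priority=` element in rich rules), zone `public`, and uses the thread's placeholder MAC `AA:BB:CC:DD:EE:FF`. With `DRY_RUN=1` (the default) it only prints the `firewall-cmd` invocations so they can be reviewed before touching a live firewall.

```shell
#!/bin/sh
# Added example (not part of the original thread). Builds firewalld rich rules
# that reject new connections from one upstream MAC (the router) while letting
# ICMPv4 echo-request from it through first, using rich-rule priorities.
# Assumptions: firewalld >= 0.7 (priority= support), zone "public".

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = apply and reload

# Validate a MAC address: six colon-separated hex octets. Returns 0 if valid.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Rich rule rejecting everything from the MAC (the rule quoted in the thread,
# with the default priority 0 written out explicitly).
reject_rule() {
    printf 'rule priority=0 source mac="%s" reject' "$1"
}

# Rich rule accepting ICMPv4 echo-request from the MAC. A negative priority is
# evaluated before priority 0, so this runs ahead of the reject rule.
icmp_allow_rule() {
    printf 'rule priority=-10 family="ipv4" source mac="%s" icmp-type name="echo-request" accept' "$1"
}

# Print (dry run) or apply both rules for one router MAC.
apply_rules() {
    mac="$1"
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    for rule in "$(icmp_allow_rule "$mac")" "$(reject_rule "$mac")"; do
        if [ "$DRY_RUN" = 1 ]; then
            printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$ZONE" "$rule"
        else
            firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
        fi
    done
    [ "$DRY_RUN" = 1 ] || firewall-cmd --reload
}

# Usage: ./router-rules.sh AA:BB:CC:DD:EE:FF   (placeholder MAC from the thread)
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

The accept rule is restricted to `family="ipv4"` so it does not widen anything on the IPv6 side; router advertisements are not touched by either rule, which matches what the quoted reply describes.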