On 2023-04-29 14:00, Per Jessen wrote:
> Carlos E. R. wrote:
>> One comes from 2a02:..., which is my prefix. The one that changes, so I cannot write that in the firewall rules. [snip] Well, it is a nightmare to find out what machine in the network has a certain IPv6 address. Because it is not only one, it is a bunch of them! And they change! In my case, both the prefix and the suffix.
> Admittedly I don't have this issue, so I don't know how well this might work:
>
> - monitor the ipv6 lease file, in /var/lib/NetworkManager
That machine is on wicked. But I meant that when there is a log entry mentioning an IPv6 address, it is a nightmare to find out what machine in the entire LAN it is. The issue would be having a file with *all* the IPv6 used in the LAN. I would have to run a cronjob and query each machine on ssh. That leaves out androids, printers, switches...
> - when it changes, check the prefix and if necessary reload your firewall with the new prefix.
The packet I need to allow comes from another machine. The local lease file would not have it.
(I'll post a better example in a minute).
>> I do not see how to allow them in the firewall. Or silence them (just them).
>
> Just a rule to permit port 5353, src and dst. Or just a rule to drop port 5353, src and dst.
I just wonder whether permitting port 5353 generically on IPv6 is safe (considering the router has no working firewall). It would be easier.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
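The two things discussed in this message, picking up the LAN's current IPv6 prefix so the firewall can follow it when it changes, and permitting UDP 5353 (mDNS) without opening it to the whole IPv6 Internet, can be combined in one small script. The following is an added example written for this thread, not code posted by either participant and not part of any openSUSE tool. It derives the /64 prefix from `ip -6 addr` output on the local interface (the assumption being that the local machine sits in the same prefix as the hosts whose packets are being logged), emits nftables rules that admit mDNS only from link-local sources to the ff02::fb multicast group plus from that prefix, and regenerates them only when the prefix has actually changed. The interface name, the `inet filter input` table and chain, the state file path and the sample `ip -6 addr` text (using the 2001:db8::/32 documentation prefix) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): follow the LAN's current IPv6 /64
# prefix and generate narrow nftables rules for mDNS (UDP 5353).
# Assumptions: interface name, nft table/chain names, state file path and the
# sample `ip -6 addr` output below are all constructed for this example.

# Constructed sample of `ip -6 addr show dev eth0` output (documentation
# prefix 2001:db8::/32); one stable global address, one temporary (privacy)
# address and the link-local address.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:abcd:1a2b:3c4d:5e6f:7a8b/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86399sec preferred_lft 14399sec
    inet6 2001:db8:1234:abcd:a1b2:c3d4:e5f6:a7b8/64 scope global temporary dynamic
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link
       valid_lft forever preferred_lft forever'

# Read `ip -6 addr` style text on stdin and print the /64 prefix of the first
# non-temporary global address, e.g. 2001:db8:1234:abcd::/64.
# Compressed addresses ("2001:db8::1") are expanded before the first four
# hextets are taken.
prefix_from_ip_output() {
    awk '
        function expand(addr,    parts, left, right, nl, nr, i, out) {
            if (index(addr, "::") == 0) return addr
            split(addr, parts, "::")
            nl = split(parts[1], left, ":")
            nr = split(parts[2], right, ":")
            out = ""
            for (i = 1; i <= nl; i++) out = out left[i] ":"
            for (i = 0; i < 8 - nl - nr; i++) out = out "0:"
            for (i = 1; i <= nr; i++) out = out right[i] ":"
            return substr(out, 1, length(out) - 1)
        }
        $1 == "inet6" && $3 == "scope" && $4 == "global" && $0 !~ /temporary/ {
            split($2, a, "/")          # a[1] = address, a[2] = prefix length
            if (a[2] != "64") next
            split(expand(a[1]), h, ":")
            printf "%s:%s:%s:%s::/64\n", h[1], h[2], h[3], h[4]
            exit
        }'
}

# Emit nftables rules for mDNS.  The first rule is the narrow one: mDNS is
# link-local multicast, so only fe80::/10 sources talking to ff02::fb are
# admitted.  The second admits UDP 5353 from the LAN prefix itself, for hosts
# that answer from a global address; no rule opens 5353 to arbitrary sources.
# Table/chain "inet filter input" is an assumption; adapt to your ruleset.
mdns_rules() {
    prefix="$1"
    cat <<EOF
add rule inet filter input ip6 saddr fe80::/10 ip6 daddr ff02::fb udp dport 5353 accept
add rule inet filter input ip6 saddr ${prefix} udp dport 5353 accept
EOF
}

# Print new rules only when the prefix differs from the last one recorded in
# the state file (path is an assumption).  Returns 1 when nothing changed, so
# a cron job can do:  regen_if_changed "$p" /var/tmp/mdns.prefix | nft -f -
regen_if_changed() {
    prefix="$1"; state="$2"
    last=$(cat "$state" 2>/dev/null)
    [ "$prefix" != "$last" ] || return 1
    printf '%s\n' "$prefix" > "$state"
    mdns_rules "$prefix"
}

# Stand-alone run: pass an interface name to use live `ip -6 addr` output,
# otherwise the constructed sample above is used.  Rules are printed, not
# applied; pipe them into `nft -f -` once they look right.
main() {
    if [ -n "$1" ]; then
        out=$(ip -6 addr show dev "$1")
    else
        out=$SAMPLE_IP_OUTPUT
    fi
    prefix=$(printf '%s\n' "$out" | prefix_from_ip_output)
    [ -n "$prefix" ] || { echo "no global /64 prefix found" >&2; return 1; }
    mdns_rules "$prefix"
}

main "$@"
```

Run it as `sh mdns-prefix.sh eth0` from cron or from a dispatcher hook; the only address-specific input it needs is the interface's own global address, so nothing has to be collected from the other hosts on the LAN. The link-local rule alone already covers normal mDNS traffic, and the prefix rule is the one that needs regenerating when the provider changes the delegated prefix.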