On Fri, Apr 28, 2023 at 3:21 PM Freek de Kruijf <freek@opensuse.org> wrote:
On Friday, 28 April 2023 13:18:47 CEST, Carlos E. R. wrote:
On 2023-04-28 13:13, Andrei Borzenkov wrote:
On Fri, Apr 28, 2023 at 1:12 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
I want to block them only on IPv6.
If you are not going to use IPv6 internally, having a source zone for 192.168.1.0/24 (or whatever your internal addresses are) and a fallback zone for external traffic would be much cleaner.
I expect^H^H^H^H^H^Hhope to have proper IPv6 one day...
-- Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
All global IPv6 addresses are 2000::/3 so you might block/drop all these addresses by using "firewall-cmd --zone=block --add-source=2000::/3" or "firewall-cmd --zone=drop --add-source=2000::/3", depending on if you want to reject (with an ICMP message) or drop the incoming IPv6 package from a global IPv6 address. You still can use private IPv6 addresses (link local or unique local addresses).
This will block both external and internal IPv6, so it will have more or less the same effect as "not using IPv6 internally". LL and ULA have been beaten to death previously.
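
Added example, not part of the thread: a simplified Python model of source-based zone selection, showing which senders a `2000::/3` binding on the `block` zone catches. The `internal` and `public` zone names, the first-match logic, and all sample addresses (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress

# Source bindings modelled on the commands quoted in the thread:
#   firewall-cmd --zone=block --add-source=2000::/3
# plus an IPv4 source zone for the LAN (zone name "internal" is an assumption).
SOURCE_ZONES = [
    ("block", ipaddress.ip_network("2000::/3")),
    ("internal", ipaddress.ip_network("192.168.1.0/24")),
]
DEFAULT_ZONE = "public"  # assumption: zone used when no source binding matches

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def scope(addr):
    """Classify an address the way the thread talks about it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    for name, net in (("link-local", LINK_LOCAL), ("ula", ULA),
                      ("global", GLOBAL_UNICAST)):
        if ip in net:
            return name
    return "other"

def zone_for(addr):
    """Return the zone whose source binding contains addr, else the default."""
    ip = ipaddress.ip_address(addr)
    for zone, net in SOURCE_ZONES:
        if ip.version == net.version and ip in net:
            return zone
    return DEFAULT_ZONE

# Constructed sample senders (documentation and example ranges only).
SAMPLES = {
    "LAN host, global IPv6": "2001:db8:1:1::10",
    "Internet host, global IPv6": "2001:db8:ffff::1",
    "LAN host, link-local": "fe80::1",
    "LAN host, ULA": "fd12:3456:789a::1",
    "LAN host, IPv4": "192.168.1.20",
    "Internet host, IPv4": "203.0.113.5",
}

def report():
    """(label, scope, zone) for every sample sender."""
    return [(label, scope(a), zone_for(a)) for label, a in SAMPLES.items()]

if __name__ == "__main__":
    for label, sc, zone in report():
        print(f"{label:28} {sc:11} -> {zone}")
```

A LAN host that holds a global address lands in `block` just like an Internet host, while link-local and ULA senders fall through to the default zone.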