On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP-provided "router" does not do any firewalling on IPv6. All my IPv6-capable machines are fully visible from the internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious: an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall know that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP-provided prefix is not fixed, but is dynamic. I cannot write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside. You could also block all IPv6 packets from your router MAC address.
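
The reply's suggestion written out as a host ruleset. This is an added example, not part of either message in the thread. It assumes nftables is the firewall in use, that tcp/22 is the one service meant to be reachable over IPv6, and that 00:00:5e:00:53:01 stands in for the router's MAC address; none of those values come from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example. IPv6-only table, so existing IPv4 rules stay untouched.
# Assumed values: tcp/22 as the exposed service, and
# 00:00:5e:00:53:01 as a placeholder for the router's MAC address.

# Create-then-delete makes the file safe to reload.
table ip6 v6_default_deny
delete table ip6 v6_default_deny

table ip6 v6_default_deny {
    chain input {
        # Nothing matches on the (dynamic) prefix: everything is dropped
        # unless a rule below accepts it.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Alternative from the reply: drop all IPv6 arriving from the
        # router's MAC. Enabling it also blocks the port opened below for
        # outside hosts, and the router's own advertisements.
        # ether saddr 00:00:5e:00:53:01 drop

        # Neighbour discovery and ICMPv6 error reporting. Without these,
        # IPv6 on the link breaks even for the allowed port.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # The only port deliberately exposed over IPv6.
        tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table ip6 v6_default_deny`; ports opened for the intranet stay in the IPv4 rules only.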