IPV6 Firewall question

olaughlj

New Around Here
When attempting to define an IPv6 firewall rule, why is a local IP address required? Since there is no NAT on IPv6, it seems weird that you have to include at least a partial address.

> When attempting to define an IPv6 firewall rule, why is a local IP address required? Since there is no NAT on IPv6, it seems weird that you have to include at least a partial address.

It's precisely because there is no NAT that you need to specify a local IP. All the IPv6 traffic is routed, so if you want to allow traffic to a specific IP (for instance, you want to only allow RDesktop to a specific desktop), then you need to define that desktop's IP. If you want to allow RDesktop to the whole subnet, then you enter the subnet.

I think you are mixing up port forwarding with firewalling here.

Well, my thoughts on it were: those are dynamically assigned values, even the first 4 hex sets in my address. If I were just going to let everything through, why would I want to be (or be required to be) entering those into a configuration page when the software already figures that out and displays what my LAN address is? I know that the prefix shouldn't change, but if it were to change (say I move or switch IPs), wouldn't it make more sense to have Merlin just allow empty values to represent the LAN address?

> Well, my thoughts on it were: those are dynamically assigned values, even the first 4 hex sets in my address. If I were just going to let everything through, why would I want to be (or be required to be) entering those into a configuration page when the software already figures that out and displays what my LAN address is? I know that the prefix shouldn't change, but if it were to change (say I move or switch IPs), wouldn't it make more sense to have Merlin just allow empty values to represent the LAN address?

If the IPs are dynamic, then you might have a different problem where remote clients wouldn't be able to connect to the intended IP inside your subnet.

I don't like leaving security to randomness, so I felt it was safer that the user have to specify the local IP in a rule, or at the very least the target prefix. You can probably use a wildcard-like prefix I suppose if you didn't mind the security implications of always allowing any target on your LAN with a single rule, even including link-local IPs.

I'd have to give it more thought, but at a first glance, I'm not sure I like the idea of allowing users to leave the local field entirely empty.

It would be great to be able to only provide the suffix (last 64 bits) of the destination's IP, and have the prefix automatically taken from the IPv6 configuration.
This would make it possible to avoid manually reconfiguring all the rules for ISPs that tend to re-assign a new prefix once in a while.

> It would be great to be able to only provide the suffix (last 64 bits) of the destination's IP, and have the prefix automatically taken from the IPv6 configuration.
> This would make it possible to avoid manually reconfiguring all the rules for ISPs that tend to re-assign a new prefix once in a while.

I agree with this proposal; my ISP gives me a different (dynamic) prefix every time the PPPoE reconnects using DHCP-PD, so each client forms a different IP using the prefix and its MAC address in EUI-64 format. The last 64 bits obviously remain the same, so these can be configured in the firewall since they remain static.

Exceptions can be PCs running Windows, but in my case I've disabled that behavior and forced my Windows clients to use the EUI-64 as well.
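The suffix-plus-current-prefix scheme described in the two posts above, as an added example that is not Asuswrt-Merlin firmware code: it derives a host's EUI-64 interface identifier from its MAC address, joins it to whatever /64 prefix is currently delegated, and prints the ip6tables rule for one port. The prefix and MAC are constructed sample values, and the idea that the router would read the live prefix from its WAN configuration is an assumption, not something the firmware is shown doing here.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin code: join the currently delegated /64
# prefix to a host's EUI-64 interface identifier and print the ip6tables rule
# that opens one port to that host. Hosts using random/privacy IIDs (the
# Windows default) will not match; the post above forces EUI-64 on them.

# eui64_iid MAC -> the 64-bit interface ID a host derives from its MAC:
# flip the universal/local bit (0x02) of the first octet and insert ff:fe.
eui64_iid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    [ "${#mac}" -eq 12 ] || return 1
    o1=$(printf '%d' "0x$(printf '%s' "$mac" | cut -c1-2)")
    o1=$(( o1 ^ 2 ))
    printf '%02x%s:%sff:fe%s:%s\n' "$o1" \
        "$(printf '%s' "$mac" | cut -c3-4)" \
        "$(printf '%s' "$mac" | cut -c5-6)" \
        "$(printf '%s' "$mac" | cut -c7-8)" \
        "$(printf '%s' "$mac" | cut -c9-12)"
}

# host_addr PREFIX IID -> full address. PREFIX is the delegated /64 written
# as "2001:db8:abcd:1234::/64". Link-local (fe80::/10) is refused so a rule
# can never end up matching link-local neighbours by mistake.
host_addr() {
    pfx=$(printf '%s' "${1%%::*}" | tr 'A-F' 'a-f')   # drop the "::/64" tail
    case "$pfx" in
        fe[89ab]*) return 1 ;;
    esac
    n=$(( $(printf '%s' "$pfx" | tr -cd ':' | wc -c) ))
    while [ "$n" -lt 3 ]; do        # pad short prefixes out to four hextets
        pfx="$pfx:0"; n=$(( n + 1 ))
    done
    [ "$n" -eq 3 ] || return 1      # longer than /64: not a host-suffix case
    printf '%s:%s\n' "$pfx" "$2"
}

# allow_rule PREFIX MAC PROTO PORT -> prints (does not run) the ip6tables rule.
allow_rule() {
    iid=$(eui64_iid "$2") || return 1
    addr=$(host_addr "$1" "$iid") || return 1
    printf 'ip6tables -I FORWARD -p %s -d %s --dport %s -j ACCEPT\n' "$3" "$addr" "$4"
}

# Constructed sample values (documentation prefix, made-up MAC). On the router
# the prefix would be read from the live WAN configuration instead.
allow_rule "2001:db8:abcd:1234::/64" "00:11:22:33:44:55" tcp 443
```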

> I agree with this proposal; my ISP gives me a different (dynamic) prefix every time the PPPoE reconnects using DHCP-PD, so each client forms a different IP using the prefix and its MAC address in EUI-64 format. The last 64 bits obviously remain the same, so these can be configured in the firewall since they remain static.
>
> Exceptions can be PCs running Windows, but in my case I've disabled that behavior and forced my Windows clients to use the EUI-64 as well.

May I ask what particular need you have for an open port if your delegated prefix is dynamic? Just curious.

> May I ask what particular need you have for an open port if your delegated prefix is dynamic? Just curious.

I run a server off a Linux box that is dynamically assigned an IPv6 address and use a script, run when the Ethernet port goes up, to register an AAAA record with a dynamic DNS service.

> May I ask what particular need you have for an open port if your delegated prefix is dynamic? Just curious.

I'm running a Linux box that registers its own IP using inadyn-mt with a dyn.com dynamic DNS hostname. I'm using it as an ownCloud and HTTP server, among other things. inadyn-mt does a very good job updating both the IPv4 and IPv6 address, since dyn.com supports that too.

Thinking about it though, if the last 64 bits are the constant here, wouldn't it be easier to have the firewall accept MAC addresses directly instead?

> I'm running a Linux box that registers its own IP using inadyn-mt with a dyn.com dynamic DNS hostname. I'm using it as an ownCloud and HTTP server, among other things. inadyn-mt does a very good job updating both the IPv4 and IPv6 address, since dyn.com supports that too.
>
> Thinking about it though, if the last 64 bits are the constant here, wouldn't it be easier to have the firewall accept MAC addresses directly instead?

I looked into this myself; unfortunately, the only way to do it would be via ebtables, which, it would seem, is notoriously bad for performance.