My IPv4 network is 10.0.1.0/24, and protecting access to SSH is just limiting the source IP to the 10.0.1.0/24 network.
But, I can't figure out how to accomplish the same with IPv6. The problem is caused by privacy extensions which make IPv6 addresses change all the time.
It seems that I need to define an IPv6 prefix for my machines, but I don't know how to do that with Network Manager.
Both client and server are Arch Linux machines and both use Network Manager.
I see several possible approaches here - all with caveats:
1. Use firewall rules that match the hardware MAC addresses instead - only feasible with few matches.
2. Use a static globally routed IPv6 prefix - only useful if your internet provider uses a static IPv6 prefix for your connection.
3. Use a locally routed ULA prefix - must be supported by your router.
Not sure why you cross-posted this, but please don't do that. If you want a topic moved, please use the Report link to let Staff know. As this topic has a reply, I will close the other one.
It seems I used option 3 from the answer above.
It turns out that my DNS server provides all LAN machines with the same network in the `Unique-Local Unicast (Unique Local Address (ULA)) (fc00::/7)` range. I am using a pfSense router.
I used this calculator to identify the subnet from the individual IP addresses of my machines: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi. Unfortunately, I was not able to find this subnet in the pfSense LAN interface.
Once I identified my LAN subnet, I used it in a firewall rule for IPv6 and it worked great:
ufw allow from fd04:1bb:ac77:5d31::/64 to any app ssh comment 'ssh from ULA IPv6'
ufw allow from fd04:1bb:ac77:5d31::/64 to any app cifs comment 'cifs from ULA IPv6'
My understanding is ULA range fc00::/7 is only routable on my home network, so it is exactly what I was looking for.
Last edited by kulak (2023-08-08 06:06:32)
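The procedure in the last post (derive the shared ULA /64 from a few host addresses, then build the ufw rules from it) as an added example, not code from the thread. The interface identifiers are constructed; the prefix and the `ssh`/`cifs` profile names are taken from the rules above.

```python
import ipaddress

# The whole ULA block; anything outside it is not a "home network only" source.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")

def ula_prefix(addr, prefixlen=64):
    """Return the /64 (by default) that a ULA host address belongs to.

    Raises ValueError for non-ULA addresses so a globally routed address
    never ends up in a rule meant to admit only the local network.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in ULA_BLOCK:
        raise ValueError(f"{ip} is not in {ULA_BLOCK}")
    return ipaddress.IPv6Network((ip, prefixlen), strict=False)

def common_prefix(addrs, prefixlen=64):
    """Check that all hosts share one ULA prefix and return it."""
    prefixes = {ula_prefix(a, prefixlen) for a in addrs}
    if len(prefixes) != 1:
        raise ValueError(f"hosts span several prefixes: {sorted(map(str, prefixes))}")
    return prefixes.pop()

def ufw_rules(net, apps):
    """Render one ufw rule per application profile, in the form used in the thread."""
    return [f"ufw allow from {net} to any app {app} comment '{app} from ULA IPv6'"
            for app in apps]

def allowed(src, net):
    """Would a connection from `src` match a rule built for `net`?"""
    return ipaddress.IPv6Address(src) in net

# Constructed sample data: the page's prefix with made-up interface identifiers,
# standing in for the changing privacy-extension addresses of two LAN hosts.
LAN_HOSTS = [
    "fd04:1bb:ac77:5d31:1a2b:3c4d:5e6f:7081",
    "fd04:1bb:ac77:5d31:9f8e:7d6c:5b4a:3928",
]

if __name__ == "__main__":
    net = common_prefix(LAN_HOSTS)
    for rule in ufw_rules(net, ["ssh", "cifs"]):
        print(rule)
    # A fresh privacy address in the same /64 still matches; a global address does not.
    print(allowed("fd04:1bb:ac77:5d31:dead:beef:cafe:f00d", net))
    print(allowed("2001:db8::1", net))
```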