OPNsense Forum
English Forums => General Discussion => Topic started by: binaryanomaly on January 15, 2023, 11:36:14 am
-
Hi,
I'm playing around with IPv6 and started asking myself how I can work at all with firewall rules that are specific to a single host while privacy extensions are active.
Privacy extensions are probably wise to use, so as not to expose too much information.
But it seems that I am losing the ability to, e.g., open up specific ports for single hosts when the IPv6 address is constantly changing.
Any thoughts / advice on this?
Thx
-
IPv6 hosts can have multiple IP addresses. Any server should have a static IP address, just add them to all hosts you are exposing to the WAN.
E.g. one of my Windows DNS servers has a well known IPv6 address that gets shared internally in RADV, but if I browse to https://ifconfig.co from its desktop I get a different IP from the /64 subnet it is in.
I wish any attacker the very best of luck in their reconnaissance if they're trying to tie the two together from 18 billion billion possibilities 8)
Bart...
-
Thanks. That's so far also my understanding.
But doesn't that kind of also make it impossible to restrict outgoing traffic ip based when the outgoing ip is constantly changing?
-
That's why most commercial firewalls introduced the concept of "zones" years ago. Keep systems that share a common policy in a common VLAN - that way it works with OPNsense, too. The only thing I am missing is the concept of a destination zone/interface instead of a destination address or network.
From servers to WAN ... for example. Unfortunately pf cannot do that (yet).
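To make the difference between a host-pinned rule and a zone (VLAN prefix) rule concrete, here is an added Python example; it is not code from the thread or from OPNsense, the prefixes and addresses are constructed documentation-space values, and the rule evaluator is a toy stand-in for pf, not its real matching logic. It also includes a small check for EUI-64 interface identifiers, which is one way a defender can spot hosts that are still not using privacy extensions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample prefixes (RFC 3849 documentation space, not real networks):
# one VLAN per "zone", as suggested above.
SERVER_ZONE = ipaddress.ip_network("2001:db8:10::/64")
CLIENT_ZONE = ipaddress.ip_network("2001:db8:20::/64")

# A client's temporary (privacy-extension) address today, and after it rotates.
CLIENT_TEMP_TODAY = "2001:db8:20:0:a1b2:c3d4:e5f6:1234"
CLIENT_TEMP_LATER = "2001:db8:20:0:9988:7766:5544:3322"


@dataclass(frozen=True)
class Rule:
    """Toy stand-in for a pf rule: match on source network and destination port."""
    name: str
    src: ipaddress.IPv6Network  # /128 pins one address, /64 covers the whole zone
    dst_port: int
    action: str  # "pass" or "block"


def first_match(rules, src_addr, dst_port):
    """Return the action of the first matching rule; default deny if none matches."""
    src = ipaddress.ip_address(src_addr)
    for rule in rules:
        if src in rule.src and rule.dst_port == dst_port:
            return rule.action
    return "block"


# Strategy 1: pin the outbound rule to the client's current temporary address.
HOST_PINNED = [Rule("client-a-https", ipaddress.ip_network(CLIENT_TEMP_TODAY + "/128"), 443, "pass")]

# Strategy 2: pin the outbound rule to the client zone (the VLAN prefix).
ZONE_BASED = [Rule("clients-https", CLIENT_ZONE, 443, "pass")]


def is_eui64(addr):
    """True if the interface identifier embeds a MAC address (0xfffe in the middle),
    i.e. SLAAC without privacy extensions, so the host still exposes hardware identity."""
    return ipaddress.ip_address(addr).packed[11:13] == b"\xff\xfe"


if __name__ == "__main__":
    for label, rules in (("host-pinned", HOST_PINNED), ("zone-based", ZONE_BASED)):
        print(label, "today:", first_match(rules, CLIENT_TEMP_TODAY, 443),
              "after rotation:", first_match(rules, CLIENT_TEMP_LATER, 443))
    print("EUI-64 address?", is_eui64("2001:db8:10:0:211:22ff:fe33:4455"))
```

The host-pinned rule silently stops matching once the temporary address rotates, while the zone rule keeps working; that is the behaviour the question above describes.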
-
Thanks understood. Some problems solved, some newly created...