Topic: Single host firewall rules in the age of IPv6 privacy extensions (Read 1047 times)
binaryanomaly (Full Member, Posts: 163, Karma: 9)
Single host firewall rules in the age of IPv6 privacy extensions
« on: January 15, 2023, 11:36:14 am »
Hi,
I'm playing around with IPv6 and start asking myself how I can at all work with firewall rules that are specific for a single host while privacy extensions are active.
Privacy extensions are probably wise to use to not expose too much information.
But it seems that I am losing the ability to i.e. open up specific ports for single hosts when the IPv6 address is constantly changing.
Any thoughts / advice on this?
Thx
Logged
bartjsmit (Hero Member, Posts: 1999, Karma: 193)
Re: Single host firewall rules in the age of IPv6 privacy extensions
« Reply #1 on: January 15, 2023, 03:13:12 pm »
IPv6 hosts can have multiple IP addresses. Any server should have a static IP address; just add them to all hosts you are exposing to the WAN.
E.g. one of my Windows DNS servers has a well-known IPv6 address that gets shared internally in RADV, but if I browse to https://ifconfig.co from its desktop I get a different IP from the /64 subnet it is in.
I wish any attacker the very best of luck in their reconnaissance if they're trying to tie the two together from 18 billion billion possibilities.
Bart...
Logged
binaryanomaly (Full Member, Posts: 163, Karma: 9)
Re: Single host firewall rules in the age of IPv6 privacy extensions
« Reply #2 on: January 15, 2023, 03:48:31 pm »
Thanks. That's so far also my understanding.
But doesn't that kind of also make it impossible to restrict outgoing traffic IP-based when the outgoing IP is constantly changing?
Logged
Patrick M. Hausen (Hero Member, Posts: 6608, Karma: 560)
Re: Single host firewall rules in the age of IPv6 privacy extensions
« Reply #3 on: January 15, 2023, 04:00:10 pm »
That's why most commercial firewalls introduced the concept of "zones" years ago. Keep systems that share a common policy in a common VLAN - that way it works with OPNsense, too. The only thing I am missing is the concept of a destination zone/interface instead of a destination address or network.
From servers to WAN ... for example. Unfortunately pf cannot do that (yet).
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
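The two approaches from Reply #1 (static addresses for exposed servers) and Reply #3 (one policy per VLAN "zone") in pf syntax, as an added illustration rather than anything posted in the thread or generated by OPNsense itself; the interface names and the 2001:db8::/32 addresses are constructed for the example.

```pf
# Added illustration (not from the thread). Interface names and the
# 2001:db8::/32 documentation-prefix addresses are constructed.
wan_if = "vtnet0"
srv_if = "vlan10"                 # the "servers" zone: one VLAN, one /64
srv_net = "2001:db8:10::/64"

# Stable addresses configured statically on the servers. A host's
# temporary (privacy) addresses are never listed here, so they never
# match a host-specific rule.
table <dns_servers> { 2001:db8:10::53 }
table <web_servers> { 2001:db8:10::10 }

block log all

# Inbound from WAN: only to the static addresses, only the published ports.
pass in on $wan_if inet6 proto { tcp, udp } from any to <dns_servers> port 53
pass in on $wan_if inet6 proto tcp from any to <web_servers> port { 80, 443 }

# Outbound policy is written per zone (the whole /64), not per host, so it
# keeps matching while privacy extensions rotate the source address.
pass in on $srv_if inet6 proto { tcp, udp } from $srv_net to any port 53
pass in on $srv_if inet6 proto tcp from $srv_net to any port { 80, 443 }
# A per-host outbound rule such as "from <web_servers>" would match the
# static address only; traffic from the same host's temporary addresses
# would fall through to the block rule above.

# Neighbour discovery and path MTU discovery need ICMPv6; tighten to the
# message types RFC 4890 recommends if the zone policy requires it.
pass inet6 proto ipv6-icmp all
```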
binaryanomaly (Full Member, Posts: 163, Karma: 9)
Re: Single host firewall rules in the age of IPv6 privacy extensions
« Reply #4 on: January 15, 2023, 04:37:39 pm »
Thanks, understood. Some problems solved, some newly created...
Logged