Single host firewall rules in the age of IPv6 privacy extensions

[binaryanomaly]

Hi,

I'm playing around with IPv6 and start asking myself how I can at all work with firewall rules that are specific for a single host while privacy extensions are active.

Privacy extensions are probably wise to use to not expose to much information.

But it seems that I am loosing the ability to i.e. open up specific ports for single hosts when the ipv6 address is constantly changing.

Any thoughts / advice on this?

Thx

[bartjsmit]

IPv6 hosts can have multiple IP addresses. Any server should have a static IP address, just add them to all hosts you are exposing to the WAN.

E.g. one of my Windows DNS servers has a well known IPv6 address that gets shared internally in RADV, but if I browse to https://ifconfig.co from its desktop I get a different IP from the /64 subnet it is in.

I wish any attacker the very best of luck in their reconnaissance if they're trying to tie the two together from 18 billion billion possibilities 

Bart...

[binaryanomaly]

Thanks. That's so far also my understanding.

But doesn't that kind of also make it impossible to restrict outgoing traffic ip based when the outgoing ip is constantly changing?

[Patrick M. Hausen]

That's why most comnercial firewalls introduced the concept of "zones" years ago. Keep systems that share a common policy in a common VLAN - that way it works with OPNsense, too. Only thing I am missing is the concept of a destination zone/interface instead of a destination address or network.

From servers to WAN ... for example. Unfortunately pf cannot do that (yet).

[binaryanomaly]

Thanks understood. Some problems solved, some newly created...