Single host firewall rules in the age of IPv6 privacy extensions

Started by binaryanomaly, January 15, 2023, 11:36:14 AM

Hi,

I'm playing around with IPv6 and have started asking myself how I can work at all with firewall rules that are specific to a single host while privacy extensions are active.

Privacy extensions are probably wise to use so as not to expose too much information.

But it seems that I am losing the ability to, e.g., open up specific ports for single hosts when the IPv6 address is constantly changing.

Any thoughts / advice on this?

Thx

IPv6 hosts can have multiple IP addresses. Any server should have a static IP address, just add them to all hosts you are exposing to the WAN.

E.g. one of my Windows DNS servers has a well known IPv6 address that gets shared internally in RADV, but if I browse to https://ifconfig.co from its desktop I get a different IP from the /64 subnet it is in.

I wish any attacker the very best of luck in their reconnaissance if they're trying to tie the two together from 18 billion billion possibilities  8)

Bart...

Thanks. That's so far also my understanding.

But doesn't that also make it kind of impossible to restrict outgoing traffic IP-based when the outgoing IP is constantly changing?

That's why most commercial firewalls introduced the concept of "zones" years ago. Keep systems that share a common policy in a common VLAN - that way it works with OPNsense, too. The only thing I am missing is the concept of a destination zone/interface instead of a destination address or network.

From servers to WAN ... for example. Unfortunately pf cannot do that (yet).
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
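The two pieces of advice in this thread (give exposed servers a stable address and anchor host rules to it; use a per-VLAN "zone" prefix for policies that must survive rotating source addresses) can be checked on a host. The script below is an added example, not from the thread or from OPNsense: it classifies the addresses in a constructed sample of `ip -6 addr` output into static, SLAAC and temporary (privacy) ones, lists which of them a host-specific rule may safely reference, and shows that a /64 zone rule matches whichever source address the host picks. The address values and the helper names are invented for the example.

```python
"""Classify a host's IPv6 addresses and test them against host- and zone-style rules."""
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (documentation prefix, not real hosts).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:a::53/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1:a:8d3f:1a2b:9c4d:77e1/64 scope global temporary dynamic
       valid_lft 86263sec preferred_lft 14263sec
    inet6 2001:db8:1:a:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86263sec preferred_lft 86263sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)(.*)$")


def classify_addresses(ip_output):
    """Return [(IPv6Interface, kind)] for every global-scope address.
    kind: 'temporary' (privacy extension, rotates), 'slaac' (autoconfigured
    but stable for this host), or 'static' (manually configured)."""
    result = []
    for line in ip_output.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, scope, flags = m.group(1), m.group(2), m.group(3).split()
        if scope != "global":
            continue
        if "temporary" in flags:
            kind = "temporary"
        elif "dynamic" in flags:
            kind = "slaac"
        else:
            kind = "static"
        result.append((ipaddress.IPv6Interface(addr), kind))
    return result


def rule_anchors(addresses):
    """Addresses a host-specific firewall rule can reference: everything that does not rotate."""
    return [iface.ip for iface, kind in addresses if kind != "temporary"]


def zone_for(addresses):
    """The single /64 all global addresses share, i.e. the prefix a zone rule would use."""
    nets = {iface.network for iface, _ in addresses}
    return nets.pop() if len(nets) == 1 else None


def matches(rule_src, packet_src):
    """Does a rule whose source is rule_src (host or prefix) match a packet from packet_src?"""
    return ipaddress.IPv6Address(packet_src) in ipaddress.ip_network(rule_src, strict=False)
```

Run it against real `ip -6 addr show dev <if>` output to confirm a server still has a non-temporary address before writing a host rule for it.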

Thanks understood. Some problems solved, some newly created...