Hi, I have just started dabbling with IPv6 since my ISP is finally handing out prefixes.
I now want to expose a specific machine, on a designated port, publicly. Given that I no longer have to deal with port forwarding and such, it should be a simple allow-forward rule, but I'm getting a bit stumped that in order to forward it, I need to explicitly define the destination IP.
Given that they're SLAAC IPs, the last 8 bytes are always "known"; however, the prefix might change occasionally. Is there no way to define firewall rules to be more lenient, like "ends with ::aabb:fffe:ccdd:eeff"? How is one supposed to give an allow rule for a SLAAC-defined IP then?
I mean, of course I could open up that port for the entire bridge (or VLAN), but that goes against my principles. Any ideas or pointers are greatly appreciated!
When you use SLAAC, your hosts will get a "permanent" address and a "temporary" one. You allow the traffic on the forward chain towards the "permanent" address, and you also create a DNS record based on the "permanent" address. Allow all traffic, and perform firewall measures on the host itself to protect open ports etc. with ACLs using UFW, Windows Firewall or whatever.
Just check in the CLI:
Windows - ipconfig
Linux/macOS - ip a or ifconfig
I mean, you can surely allow everything through, but expecting everyone to block stuff on the machine itself? Not really viable, IMHO.
I have a firewall-capable router; I prefer handling blocking traffic at the first point, TBH.
Also, the temporary vs. permanent thing is kind of odd. On my Windows machine, I seem to be using the temporary address as SRC when accessing the internet even though I have a permanent address. But maybe that's the point? Not "exposing" your primary/permanent address on outgoing connections? Seems kind of dumb, though… On Linux I only get a single IPv6 address (except the link-local one).
Firewalling on the edge itself is a practice that will result in unnecessary STUN/TURN traffic and also adds complexity to the network, and it may break layer 4 protocols other than TCP/UDP. The host is where you're actually running apps, so ACLing should occur on the host. Whether you have the competency to do this is your choice.
And that's the whole point of temporary privacy-extension addresses: they are meant to be used as the source IP for outgoing traffic, whereas the permanent address is designed for hosting/mgmt/DNS etc.
There are many RFCs laid down by the IETF that go into detail on permanent/temporary usage and use cases.
The current solution is to use address lists in firewall rules while updating these lists from the DHCPv6 client script, which gets called when a new prefix is delegated.
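The approach in the last post, worked through as an added example (editor's illustration, not code from the thread or from any router vendor): the "known last 8 bytes" of the question are the modified EUI-64 interface identifier derived from the host's MAC, so on every prefix delegation the hook can recompute the host's stable address from the new prefix plus that fixed identifier and refresh a firewall address list, while the forward rule itself stays static and only references the list. The MAC, subnet index, list name and RouterOS command syntax below are assumptions for the illustration. It also assumes the host really uses EUI-64 identifiers; a host using RFC 7217 stable-privacy identifiers (common on Linux) derives the identifier from the prefix, so its address must be read from the host after each change instead of being predicted, and RFC 4941 temporary addresses are random by design and are deliberately not matched.

```python
import ipaddress

# Constructed sample values (not from the thread, not a real network):
HOST_MAC = "aa:bb:cc:dd:ee:ff"   # MAC of the host being exposed (assumed)
LAN_SUBNET_INDEX = 1             # which /64 of the delegated prefix the LAN bridge uses (assumed)
LIST_NAME = "allow-in-v6"        # hypothetical address-list name that the forward rule references

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) for a 48-bit MAC:
    insert ff:fe in the middle and flip the universal/local bit (0x02) of the first
    octet. This is the 'known last 8 bytes' of an EUI-64 SLAAC address."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like aa:bb:cc:dd:ee:ff")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def lan_subnet(pd_prefix: str, subnet_index: int) -> ipaddress.IPv6Network:
    """Pick one /64 out of the delegated prefix (e.g. subnet 1 of a /56)."""
    pd = ipaddress.IPv6Network(pd_prefix, strict=False)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_index < (1 << (64 - pd.prefixlen)):
        raise ValueError(f"subnet index {subnet_index} does not fit in a /{pd.prefixlen}")
    # Subnet bits sit directly above the 64-bit interface identifier.
    return ipaddress.IPv6Network((int(pd.network_address) | (subnet_index << 64), 64))


def slaac_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 with a 64-bit interface identifier into the host's SLAAC address."""
    if subnet.prefixlen != 64 or iid >> 64:
        raise ValueError("need a /64 and a 64-bit IID")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def iid_matches(addr: str, iid: int) -> bool:
    """The 'ends with ...' test from the question: do the low 64 bits of addr equal the
    expected identifier? Random RFC 4941 temporary addresses will not match, which is
    intended: they are only meant as source addresses for outbound traffic."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK == iid


def address_list_commands(list_name: str, addr: ipaddress.IPv6Address, comment: str) -> list:
    """Commands a DHCPv6-client hook would run on a MikroTik router to replace the
    address-list entry (assumed RouterOS syntax). The forward rule is not touched;
    it keeps pointing at dst-address-list=list_name."""
    return [
        f"/ipv6 firewall address-list remove [find list={list_name}]",
        f'/ipv6 firewall address-list add list={list_name} address={addr}/128 comment="{comment}"',
    ]


def on_prefix_change(pd_prefix: str) -> list:
    """What runs when the ISP hands out a (new) prefix: recompute the host's stable
    address from the new prefix and the fixed identifier, then refresh the list."""
    host = slaac_address(lan_subnet(pd_prefix, LAN_SUBNET_INDEX), eui64_iid(HOST_MAC))
    return address_list_commands(LIST_NAME, host, f"slaac {HOST_MAC}")


if __name__ == "__main__":
    # Simulate two successive delegations; only the list entry changes.
    for prefix in ("2001:db8:abcd:100::/56", "2001:db8:ffff:200::/56"):
        for cmd in on_prefix_change(prefix):
            print(cmd)
```

The static forward rule this pairs with would be along the lines of `/ipv6 firewall filter add chain=forward dst-address-list=allow-in-v6 protocol=tcp dst-port=443 action=accept` (assumed RouterOS syntax for the illustration); because it names the list rather than an address, it never needs editing when the prefix changes. On a host you can confirm the address is actually the EUI-64 one by checking that `iid_matches` is true for the address `ip a` or `ipconfig` reports; if it is not, the host is using a different identifier scheme and the hook has to obtain the address from the host instead.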