If IPv6 isn’t required and is disabled, would it be safe to completely remove any firewall rules and address lists related to IPv6?
Cheers.
If your configuration is based on the default configuration (defconf), even if you currently have no uses IPv6 (and have /ipv6 settings set disable-ipv6=yes), you should still keep the IPv6 firewall rules and related address lists (as enabled, not disabled).
They will only take some negligible storage space. Removing them now 100% do not make your router safer at all. Instead, you should keep them so that in the future, when your ISP provides you with IPv6 access for example, you would only have to set disable-ipv6=no and would have a good firewall protection for IPv6 ready.
But if you like minimalist configuration export then you can disable the defconf rules. But don’t forget to restore them before re-enabling IPv6. If you have home router models from MikroTik, you can retrieve the default firewall configuration from /system default-configuration print without-paging.
If IPv6 is really fully and totally off, yes, they are safe to delete.
Some random thoughts:
- last time I looked, a restart of the router is necessary for the disabling to take effect
- there’s really no benefit in removing the rules, the entire ipv6 firewall is inactive with ipv6 disabled
- after disabling ipv6, disconnection and reconnection of devices may be required for them to abandon their acquired addresses and attempts to use them
- even with disabled ipv6, you may still see ipv6 packets in sniffer/torch etc. tools - this does not mean that these packets are actually processed by the router
Even if I don’t use ipv6 at all, I usually enter these fw rules. This may be over-the-top paranoia on my part.
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
add chain=output action=drop