My ISP gives me a new prefix with every new connection.
Therefore I do not have a static IPv6 address that I could use in my firewall rules.
Is there a way to have the firewall automatically extend the IPv6 address with the current prefix, so I only put the interface identifier into the firewall rule?
If not, what is the correct IPv6 way to protect the whole IPv6 network from incoming connections but open one system?
Here is what I tried so far. Rule 10 should open my system for incoming connections.
Thanks and best regards,
Code:
 0   ;;; Accept limited ICMP from everywhere
     chain=input action=accept protocol=icmpv6 limit=50/5s,5:packet log=no
 1   chain=input action=drop protocol=icmpv6 log=no
 2   ;;; Accept "established and related"
     chain=input action=accept connection-state=established,related log=no log-prefix=""
 3   ;;; Accept everything from LAN
     chain=input action=accept in-interface=LAN log=no
 4   ;;; Accept DHCP from WAN
     chain=input action=accept protocol=udp in-interface=WAN dst-port=546 log=no
 5   ;;; Drop the rest
     chain=input action=drop log=no
 6   ;;; Forward limited ICMP from everywhere
     chain=forward action=accept protocol=icmpv6 limit=50/5s,5:packet log=no log-prefix=""
 7   chain=forward action=drop protocol=icmpv6 log=no
 8   ;;; Forward "established and related"
     chain=forward action=accept connection-state=established,related log=no log-prefix=""
 9   ;;; Forward anything to WAN
     chain=forward action=accept out-interface=WAN log=no
10   ;;; Open system for incoming traffic
     chain=forward action=accept dst-address=::46e:c43c:2d14:b979/128 log=no
11   ;;; Drop the rest
     chain=forward action=drop log=no
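The mechanics behind the question, as an added example that is not part of the post above and not RouterOS's own code: the address in rule 10 is only the 64-bit interface identifier (IID), so whenever the ISP hands out a new delegation the router has to combine the current /64 with that fixed IID and rewrite the rule. The script below does exactly that in Python, and also shows the "suffix match" the poster is asking for (compare only the low 64 bits of a destination address, ignoring the prefix). The delegated prefixes, the subnet number and the rule comment used to select the rule are constructed assumptions; only the IID `::46e:c43c:2d14:b979` comes from rule 10.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the post): a /56 the
# ISP might delegate today, the /64 chosen inside it for the LAN, and the
# host's stable interface identifier (this one IS the address from rule 10).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1200::/56")
LAN_SUBNET_ID = 1
HOST_IID = ipaddress.IPv6Address("::46e:c43c:2d14:b979")
RULE_COMMENT = "Open system for incoming traffic"   # comment on rule 10 in the post

IID_MASK = (1 << 64) - 1                       # low 64 bits: interface identifier
PREFIX_MASK = ((1 << 128) - 1) ^ IID_MASK      # high 64 bits: routing prefix


def lan_subnet(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Pick /64 number `subnet_id` inside the delegated prefix (/64 or shorter)."""
    if delegated.prefixlen > 64:
        raise ValueError("delegation must be /64 or shorter to carve a /64 from it")
    available = 1 << (64 - delegated.prefixlen)
    if not 0 <= subnet_id < available:
        raise ValueError(f"subnet id {subnet_id} outside 0..{available - 1}")
    base = int(delegated.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))


def full_address(subnet: ipaddress.IPv6Network, iid: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Combine the current /64 with the fixed 64-bit interface identifier."""
    if int(iid) & PREFIX_MASK:
        raise ValueError("interface identifier must fit in the low 64 bits")
    return ipaddress.IPv6Address(int(subnet.network_address) | (int(iid) & IID_MASK))


def matches_iid(dst: str, iid: ipaddress.IPv6Address) -> bool:
    """Suffix match: True when the low 64 bits of `dst` equal `iid`, whatever the prefix is.
    This is what a firewall would need to do to match on the IID alone."""
    return (int(ipaddress.IPv6Address(dst)) & IID_MASK) == (int(iid) & IID_MASK)


def routeros_update_command(comment: str, address: ipaddress.IPv6Address) -> str:
    """Build the RouterOS CLI command that points the rule at the new /128.
    Selecting the rule by its comment (rather than by number) is an assumption."""
    return (f'/ipv6 firewall filter set [find comment="{comment}"] '
            f'dst-address={address}/128')


def refresh_rule(delegated: str) -> tuple:
    """Run this whenever the delegated prefix changes: returns (new address, CLI command)."""
    subnet = lan_subnet(ipaddress.IPv6Network(delegated), LAN_SUBNET_ID)
    addr = full_address(subnet, HOST_IID)
    return addr, routeros_update_command(RULE_COMMENT, addr)


if __name__ == "__main__":
    # Today's delegation, then a constructed renumbering after a reconnect.
    for prefix in (str(DELEGATED_PREFIX), "2001:db8:ffff:ab00::/56"):
        addr, cmd = refresh_rule(prefix)
        print(f"{prefix} -> {addr}  (iid match: {matches_iid(str(addr), HOST_IID)})")
        print("  ", cmd)
```

Two things to keep in mind when wiring this into a router. First, it only works if the host keeps a stable IID: a client using SLAAC privacy (temporary) addresses changes its low 64 bits regularly, so give that host a fixed token or a static IID. Second, the script has to be triggered whenever the delegation changes; RouterOS's DHCPv6 client can run a script on lease changes (its `script` parameter), and how the new prefix is passed into the logic above is left as an assumption here.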