How do I allow local IPv6 subnets in ufw?


Solution 1

Old question, but Google got me here so I think it's worth noting that you could add the IPv6 link-local range with:

ufw allow from fe80::/64

If you're connecting across the LAN then the link-local address should get used instead of your global IPv6 address.

Solution 2

Keep in mind there are no IPv6 "local ranges" - each IPv6 "local range" is its own (at least) /64 segment of v6 addresses in a specifically defined prefix. As such, any 'private range' address you receive is going to be specific to the subnet your router sets you up on rather than the external v6 address you have (there's logic inside routers to set up the subnets automatically, but when you get into Enterprise-grade routing with advanced firewalls, routers, switches, etc., IPv6 has to be manually configured by hand and set up).

When you add into the equation that you will quite possibly (and frequently) have a changing subnet all the time, there is no way to accept them all dynamically without accepting all IPv6 inbound connections - at least on a consumer-grade network setup (with a much-more-complicated and much-more-expensive firewall appliance, you can explicitly do VLAN separation to prevent things from communicating with the outside and accept only internal v6, but you can't do this on consumer-grade router technologies).

As well, firewall rules are designed in ufw (and the underlying iptables and netfilter technologies which ufw works with) to have specific rules (such as ALLOW aaaa:bbbb:cccc:dddd::dead:beef INBOUND TO dddd:eeee:ffff:0000::dead:beef PORT 22/tcp (obviously not a rule, but just an example)) and if you are always having different addresses on different v6 subnets, (either internally or externally, but especially internally), it breaks the requirements that firewalls have for those kinds of rules.

You would therefore need to know all the subnets you'll get, and add a ufw rule that would be for each individual subnet. If that subnet is always changing and you do not know which subnet you will get, then you can't reliably create a firewall rule in any setup that can do what you're looking to accomplish on a dynamic ever-changing basis.

This also applies to port-forwarding at home - you can't reliably set up a port forward UNLESS the internal IP address (v4 or v6) isn't going to change. (The router transparently handles INBOUND from the internet, on its own, so long as you set up the internal v6 in a static setup, but you can't guarantee this will happen without much more time-consuming network configuration and setups, and possibly more enterprise-grade level equipment which can get expensive)
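Both answers above boil down to the same practical recipe: one fixed rule for the link-local range (Solution 1) plus one rule per on-link /64, regenerated whenever the router hands out a new prefix (Solution 2). The script below is an added example, not code from either answer or from the ufw project: it parses the output of `ip -6 addr show` (a constructed sample is embedded so it runs offline), computes the /64 prefix of every non-link-local, non-loopback address, and prints the corresponding `ufw allow` commands for one port. Applying the rules and calling `ip` for real only happens with `--apply`, which is assumed to be run as root; the port number, the `--apply` flag and the sample addresses are all assumptions of this example.

```python
"""Derive ufw rules that allow one port only from the host's own IPv6 subnets.

Added example (not from the question, the answers or ufw itself). Without
--apply it uses the embedded sample below; with --apply it reads the live
`ip -6 addr show` output and runs each generated ufw command.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample of `ip -6 addr show` output; not captured from a real host.
SAMPLE_IP_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:4242:abcd:1a2b:3c4d:5e6f:7081/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1a2b:3c4d:5e6f:7081/64 scope link
       valid_lft forever preferred_lft forever
"""

# One "inet6 <addr>/<len> scope <scope>" line at a time.
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)", re.MULTILINE)


def onlink_networks(ip_output):
    """Return the distinct /64 networks of the global and ULA addresses found.

    Link-local (fe80::/10) and loopback addresses are skipped: the former is
    covered by one fixed rule below, the latter never needs a rule at all.
    """
    nets = []
    for cidr, _scope in INET6_RE.findall(ip_output):
        addr = ipaddress.IPv6Interface(cidr).ip
        if addr.is_loopback or addr.is_link_local:
            continue
        # Pin the rule to the /64 the host actually sits on, which is what the
        # "local subnet" of the dynamically assigned address means in practice.
        net = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        if net not in nets:
            nets.append(net)
    return nets


def ufw_rules(networks, port, proto="tcp"):
    """Build the ufw commands: the fixed link-local rule plus one per on-link /64."""
    # fe80::/10 is the whole link-local range (RFC 4291); Solution 1's fe80::/64
    # covers every address that is actually assigned within it.
    rules = [f"ufw allow from fe80::/10 to any port {port} proto {proto}"]
    for net in networks:
        rules.append(f"ufw allow from {net} to any port {port} proto {proto}")
    return rules


def main(argv):
    apply_rules = "--apply" in argv
    args = [a for a in argv[1:] if a != "--apply"]
    port = int(args[0]) if args else 22  # assumed default: SSH
    if apply_rules:
        out = subprocess.run(["ip", "-6", "addr", "show"], check=True,
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_IP_OUTPUT
    for rule in ufw_rules(onlink_networks(out), port):
        print(rule)
        if apply_rules:
            subprocess.run(rule.split(), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Because the prefix changes, the script only helps if it is rerun on every prefix change (for example from a DHCP or NetworkManager dispatcher hook) and the rule for the previous /64 is deleted with `ufw delete`, otherwise stale rules accumulate and keep admitting a subnet you no longer own.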


Author: user96232

Updated on September 18, 2022

Comments

  • user96232
    user96232 over 1 year

    I recently got IPv6 connectivity at home and now I would like to allow connections to my home server via IPv6 from the LAN only. The trick is that the IPv6 address/prefix assigned to the server is dynamic. Is there some way to write a UFW rule that allows only from directly connected subnets?

    • Admin
      Admin over 9 years
      Keep in mind there are no IPv6 "local ranges" - each IPv6 local range is going to be different all the time and there is no way to accept them all. You would need to add a UFW rule that would be for each individual subnet - if that subnet is always changing then you can't reliably create a firewall rule in any setup that can do what you're looking to accomplish.
  • user96232
    user96232 about 7 years
    Thanks, but what I'm looking for is something more along the lines of what the Windows firewall offers. It lets you specify that you want to allow the Local Subnet(s) only.
  • Thomas Ward
    Thomas Ward over 6 years
    @user96232 What that is doing is that it would only permit whatever CIDR range is on the dynamically assigned IPv6 address - that is, if you get the IP address of 1111:2222:3333::3652/64, anything in the /64 would be considered the 'local range' but still be a public IP address. Unless you are explicitly setting your network DHCP with a private IPv6 address prefix (such as those generated by this tool), which are actually not addressable in the public Internet and then setting up IPv6 (sorta)NAT, you're not going to have a 'local ipv6 subnet'.
  • Thomas Ward
    Thomas Ward over 6 years
    @user96232 There's no equivalency between the "Local subnets only" option and anywhere else, not without a lot of manual definitions.
  • user96232
    user96232 over 6 years
    "it would only permit whatever CIDR range is on the dynamically assigned IPv6 address " That's precisely the goal. The router does not allow traffic from the public internet, but I want the clients on the subnet to communicate. I realize that I can rely on the router and use an allow any rule on the hosts, but I was hoping ufw had something smarter than that.