IPV6 Firewall with dynamic prefix

omrij

Occasional Visitor
Hi
What is the best way to use the IPv6 firewall when the IPv6 prefix is dynamic?
Can we add a rule based on suffix? Based on host name? Based on MAC address?

Thanks in advance
 
I don't think this approach would work anymore, although it depends on the particular client. For example, since Windows 7, randomised identifiers are used by default instead of EUI-64. This was introduced as part of the privacy extension for SLAAC.
At least the OP has a possible solution and can ultimately decide if it is feasible for his environment/privacy requirements.

NOTE: You can override Micro$oft's default behaviour...
Code:
PS C:\Users\admin> Get-NetIPv6Protocol

DefaultHopLimit               : 128
NeighborCacheLimit(Entries)   : 256
RouteCacheLimit(Entries)      : 4096
ReassemblyLimit(Bytes)        : 66145536
IcmpRedirects                 : Enabled
SourceRoutingBehavior         : DontForward
DhcpMediaSense                : Enabled
MediaSenseEventLog            : Disabled
MldLevel                      : All
MldVersion                    : Version2
MulticastForwarding           : Disabled
GroupForwardedFragments       : Disabled
RandomizeIdentifiers          : Disabled      <<====== Overridden
AddressMaskReply              : Disabled
UseTemporaryAddresses         : Enabled
MaxTemporaryDadAttempts       : 3
MaxTemporaryValidLifetime     : 7.00:00:00
MaxTemporaryPreferredLifetime : 1.00:00:00
TemporaryRegenerateTime       : 00:00:05
MaxTemporaryDesyncTime        : 00:10:00
DeadGatewayDetection          : Enabled
 
Thanks for all the replies
As I mentioned, it's Linux based so it might work.

As I'm a newbie, any guidance on how to achieve my goal (I understand that it's not via the GUI) would be appreciated.
 
I'd guess it would depend on the particular Linux distro you're using in your Docker container. It may already be using EUI-64 addresses so check for that before wasting time trying to change something that doesn't need changing.
 
Depending on what you want your rule to do, you might consider combining ip6tables and ipset to get a MAC-based solution.
  1. Create an inet6 hash:ip ipset with a 1-day timeout.
  2. Create an ip6tables PREROUTING rule that matches a specified MAC address and add the local address to the ipset created above.
  3. Create your desired rule matching on the ipset which will be updated as new prefixes or SLAAC addresses come and go.
This might not work, but demonstrates the idea:
Code:
# entries expire after a day unless refreshed, so stale addresses drop out by themselves
ipset -! create myip6device hash:ip family inet6 timeout 86400
# PREROUTING lives in the mangle table (the filter table has no such chain); every new
# connection from that MAC refreshes the set with the device's current source address
ip6tables -t mangle -A PREROUTING -i br0 -m conntrack --ctstate NEW -m mac --mac-source aa:bb:cc:dd:ee:ff -j SET --add-set myip6device src --exist
# accept inbound traffic to whichever address the device currently holds (-j, not -J)
ip6tables -A FORWARD -i eth0 -m set --match-set myip6device dst -j ACCEPT
 
Sorry for the confusion
The current situation is that my IPv6 "suffix" is fixed and based on the MAC address of the container (actually macvlan),
So I don't need this change (I believe)

What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.

And a little guidance how to enable it.
 
What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.
Follow the rule example in the article linked by Martineau, specifying your fixed suffix ::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff as the template for the host portion of the address. Leave the ffff’s as they are.
 
Could a script be made that dynamically updates the firewall rules as the IPv6 prefix changes? Simply set the rules up under a chain, and as the prefix changes an event-based script is triggered that updates the rules inside that chain?
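One way to build the event-driven rebuild asked about here, as an added example that is not code from the thread or from the router firmware. It keeps the per-host rules in their own chain and rewrites that chain only when the delegated prefix differs from the last one applied, so it is safe to call repeatedly from cron or from a WAN-up hook. The chain name IPV6_HOSTS, the interfaces eth0/br0, the host list, the state-file path and the way the prefix is obtained are all assumptions; the suffix-only mask discussed elsewhere in the thread avoids the rebuild entirely, so this is for rules that genuinely need a full address.

```sh
#!/bin/sh
# Added example, not code from the thread: rebuild one ip6tables chain whenever
# the delegated IPv6 prefix changes, so host rules can use full addresses even
# though the prefix is dynamic. Chain name, interfaces, host list and the
# state-file path are constructed placeholders; adjust them for your router.

CHAIN=IPV6_HOSTS
WAN=eth0
LAN=br0
STATE=${STATE:-/tmp/ipv6_prefix.last}   # last prefix that was applied

# Fixed host parts (EUI-64 suffixes) and the TCP port each host may receive,
# one "<suffix> <port>" pair per line (constructed sample data).
HOSTS='a8bb:ccff:fedd:eeff 443
0042:c0ff:fea8:0110 53'

# Join a /64 prefix such as 2600:1111:2222:3333::/64 with a 64-bit suffix.
full_address() {
    p=${1%%::*}                     # strip the trailing "::/64"
    printf '%s:%s\n' "$p" "$2"
}

# Print the ip6tables commands that recreate the chain for the given prefix.
# Printing instead of executing keeps the logic testable; apply_rules runs it.
render_rules() {
    prefix=$1
    printf 'ip6tables -F %s 2>/dev/null || ip6tables -N %s\n' "$CHAIN" "$CHAIN"
    printf 'ip6tables -C FORWARD -i %s -o %s -j %s 2>/dev/null || ip6tables -I FORWARD -i %s -o %s -j %s\n' \
        "$WAN" "$LAN" "$CHAIN" "$WAN" "$LAN" "$CHAIN"
    printf '%s\n' "$HOSTS" | while read -r suffix port; do
        [ -n "$suffix" ] || continue
        addr=$(full_address "$prefix" "$suffix")
        printf 'ip6tables -A %s -d %s -p tcp -m conntrack --ctstate NEW --dport %s -j ACCEPT\n' \
            "$CHAIN" "$addr" "$port"
    done
}

# Exit 0 when the prefix differs from the one recorded in $STATE, 1 otherwise.
prefix_changed() {
    if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$1" ]; then
        return 1
    fi
    return 0
}

# Idempotent entry point: safe to run from cron, a WAN-up hook or by hand.
apply_rules() {
    prefix=$1
    if ! prefix_changed "$prefix"; then
        echo "prefix $prefix unchanged, nothing to do"
        return 0
    fi
    render_rules "$prefix" | sh -e
    printf '%s\n' "$prefix" > "$STATE"
}

# Usage: ./ipv6_rules.sh apply 2600:1111:2222:3333::/64
# (how you read the current prefix off the router is up to your firmware)
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_rules "$2"
fi
```

Feed it the current prefix from whatever your firmware exposes (the interface's global address, or a firewall-start style hook on Asuswrt-Merlin) and it will do nothing on the common case where the prefix has not moved, which matters because flushing and re-adding a chain on every run briefly drops the accept rules.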
 
This is by far probably the simplest solution I have seen in a while. Awesome share @Martineau!
Well.....only if it actually works? ;)

P.S. I was hoping that an IPv6 Guru would chime in to say beware!....a minor security issue with it as-is, is that it opens up all inbound subnets, so if you have say a /56 from your provider then you should really restrict it to just the relevant one of your /64 subnets.

eg. Only subnet 0x23
Code:
::0023:a3a3:beff:fe89:93af/::00ff:ffff:ffff:ffff:ffff
Can't recall/find the relevant article/reference at the moment, but this does sound plausible?
 
No one said the easiest/simplest is the safest ;).
 
It turns out that if you enter the Local IP in the IPv6 firewall rule to start with ::, the firmware assumes it’s an eui64 address and adds the bitmask automatically.

Code:
# ip6tables -S FORWARD | grep beef
-A FORWARD -d ::abcd:dead:beef:cafe/::ffff:ffff:ffff:ffff -p tcp -m state --state NEW -m tcp --dport 7695 -j ACCEPT
 
Following your advice (but the simple way, as I'm a newbie):
Using the GUI firewall with the template you provided (::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff), where ::aaaa:bbbb:cccc:dddd is the MAC-to-EUI64 conversion, seems to work.

Using a port scanner shows the ports on the specific IPv6 address are open (and not on other clients on the same network),
and the services using these ports work, of course (a few services using NGINX and AdGuard Home).
Is this safe/legit?

Thanks!!!
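To make the template concrete, here is an added example (not code from the thread or from the firmware) that derives the EUI-64 suffix from a MAC address the way the GUI rule above relies on, prints the suffix-only ip6tables rule behind the ::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff form, and also prints the tighter variant from earlier in the thread that pins the rule to one /64 of a delegated /56. The WAN/LAN names eth0 and br0, the MAC and the ports are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread: derive a host's fixed EUI-64 suffix
# from its MAC address and emit ip6tables rules that match only the low 64 bits,
# so the rule keeps working when the delegated prefix changes. Interface names,
# the MAC and the ports are constructed placeholders.

WAN=eth0
LAN=br0

# Convert a MAC (aa:bb:cc:dd:ee:ff) to its EUI-64 interface identifier:
# flip the universal/local bit (0x02) of the first octet and insert ff:fe
# between the third and fourth octets.
mac_to_eui64() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    oldifs=$IFS
    IFS=:
    set -- $mac
    IFS=$oldifs
    if [ $# -ne 6 ]; then
        echo "mac_to_eui64: expected six octets, got '$mac'" >&2
        return 1
    fi
    first=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    printf '%s%s:%sff:fe%s:%s%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# The value to enter as "Local IP" in a GUI rule: the leading "::" is what
# tells the firmware (per the thread) to treat it as a host part and add the mask.
gui_local_ip() {
    printf '::%s\n' "$1"
}

# Explicit ip6tables form of the same rule: the mask ::ffff:ffff:ffff:ffff
# covers only the interface identifier, so any prefix matches.
suffix_rule() {
    suffix=$1; port=$2
    printf 'ip6tables -A FORWARD -i %s -o %s -d ::%s/::ffff:ffff:ffff:ffff -p tcp -m conntrack --ctstate NEW --dport %s -j ACCEPT\n' \
        "$WAN" "$LAN" "$suffix" "$port"
}

# Tighter variant for a delegated /56: the subnet id (two hex digits) lives in
# the low byte of the fourth hextet, so matching it too (mask
# ::00ff:ffff:ffff:ffff:ffff) stops the rule opening the port on every /64.
subnet_suffix_rule() {
    subnet=$1; suffix=$2; port=$3
    printf 'ip6tables -A FORWARD -i %s -o %s -d ::00%s:%s/::00ff:ffff:ffff:ffff:ffff -p tcp -m conntrack --ctstate NEW --dport %s -j ACCEPT\n' \
        "$WAN" "$LAN" "$subnet" "$suffix" "$port"
}

# Usage: ./suffix_rule.sh aa:bb:cc:dd:ee:ff 443 [subnet-id-hex]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    id=$(mac_to_eui64 "$1") || exit 1
    echo "GUI Local IP: $(gui_local_ip "$id")"
    suffix_rule "$id" "$2"
    if [ -n "${3:-}" ]; then
        subnet_suffix_rule "$3" "$id" "$2"
    fi
fi
```

Two checks worth doing after applying such a rule: confirm with `ip -6 addr` on the container that its address really is the EUI-64 form (a privacy/temporary address would silently fall outside the match), and if your ISP delegates more than a single /64, prefer the subnet-pinned variant so the open port is limited to the one subnet the host lives on.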
 
The clients are Linux based (actually docker containers)
A bit off to the side but how are you dealing with ipv6 in docker containers with a dynamic prefix?
Sounds like you are going through figuring out the same stuff i need to with my setup. :)
 
Be more specific :)

No "dealing" is required.
The docker container is getting IPv6 based on the (dynamic) prefix and a fixed suffix (based on the MAC address),
and port opening is based on the suffix, as suggested by the guys above.
 
Well, in the docker-compose.yml you have to specify the subnet for the network it creates.

Code:
networks:
  lan:
    name: lan
    driver: macvlan
    enable_ipv6: true
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: 2600:1111:2222:3333::/64

But of course that can change at any time (usually on router reboot like the ipv4 address sometimes does).
 