IPv6 firewall with dynamic prefix

omrij

Occasional Visitor
Hi
What is the best way to use the IPv6 firewall when the IPv6 prefix is dynamic?
Can we add a rule based on the suffix? Based on host name? Based on MAC address?

Thanks in advance
 

Martineau

Part of the Furniture

ColinTaylor

Part of the Furniture
> Does this
> http://blog.dupondje.be/?p=17
> give any guidance with reference to MAC address?
I don't think this approach would work anymore, although it depends on the particular client. For example, since Windows 7 randomised identifiers are used by default instead of EUI-64. This was introduced as part of the privacy extension for SLAAC.
 

Martineau

Part of the Furniture
> I don't think this approach would work anymore, although it depends on the particular client. For example, since Windows 7 randomised identifiers are used by default instead of EUI-64. This was introduced as part of the privacy extension for SLAAC.
At least the OP has a possible solution and can ultimately decide if it is feasible for his environment/privacy requirements.

NOTE: You can override Micro$oft's default behaviour...
Code:
PS C:\Users\admin> Get-NetIPv6Protocol

DefaultHopLimit               : 128
NeighborCacheLimit(Entries)   : 256
RouteCacheLimit(Entries)      : 4096
ReassemblyLimit(Bytes)        : 66145536
IcmpRedirects                 : Enabled
SourceRoutingBehavior         : DontForward
DhcpMediaSense                : Enabled
MediaSenseEventLog            : Disabled
MldLevel                      : All
MldVersion                    : Version2
MulticastForwarding           : Disabled
GroupForwardedFragments       : Disabled
RandomizeIdentifiers          : Disabled      <<====== Overridden
AddressMaskReply              : Disabled
UseTemporaryAddresses         : Enabled
MaxTemporaryDadAttempts       : 3
MaxTemporaryValidLifetime     : 7.00:00:00
MaxTemporaryPreferredLifetime : 1.00:00:00
TemporaryRegenerateTime       : 00:00:05
MaxTemporaryDesyncTime        : 00:10:00
DeadGatewayDetection          : Enabled
 

omrij

Occasional Visitor
Thanks for all the replies.
As I mentioned, it's Linux based, so it might work.

As I'm a newbie, any guidance on how to achieve my goal (I understand that it's not via GUI) would be appreciated.
 

ColinTaylor

Part of the Furniture
> Thanks for all the replies.
> As I mentioned, it's Linux based, so it might work.
>
> As I'm a newbie, any guidance on how to achieve my goal (I understand that it's not via GUI) would be appreciated.
I'd guess it would depend on the particular Linux distro you're using in your Docker container. It may already be using EUI-64 addresses so check for that before wasting time trying to change something that doesn't need changing.
 

dave14305

Part of the Furniture
Depending on what you want your rule to do, you might consider combining ip6tables and ipset to get a MAC-based solution.
  1. Create an inet6 hash:ip ipset with a 1-day timeout.
  2. Create an ip6tables PREROUTING rule that matches a specified MAC address and add the local address to the ipset created above.
  3. Create your desired rule matching on the ipset which will be updated as new prefixes or SLAAC addresses come and go.
This might not work, but demonstrates the idea:
Code:
# create the set once (-! = do not fail if it already exists); entries expire after a day
ipset -! create myip6device hash:ip family inet6 timeout 86400
# PREROUTING only exists in the raw/mangle/nat tables; mangle already sees conntrack state
ip6tables -t mangle -A PREROUTING -i br0 -m conntrack --ctstate NEW -m mac --mac-source aa:bb:cc:dd:ee:ff -j SET --add-set myip6device src --exist
# allow inbound from the WAN to whatever address that MAC is currently using
ip6tables -A FORWARD -i eth0 -m set --match-set myip6device dst -j ACCEPT
 

omrij

Occasional Visitor
Sorry for the confusion.
The current situation is that my IPv6 "suffix" is fixed and based on the MAC address of the container (actually macvlan),
so I don't need this change (I believe).

What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.

And a little guidance how to enable it.
 

dave14305

Part of the Furniture
What I need is a way to make a rule in firewall which will take into account the dynamic prefix and the fixed suffix.
Follow the rule example in the article linked by Martineau, specifying your fixed suffix ::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff as the template for the host portion of the address. Leave the ffff’s as they are.
 

SomeWhereOverTheRainBow

Part of the Furniture
> Depending on what you want your rule to do, you might consider combining ip6tables and ipset to get a MAC-based solution.
>   1. Create an inet6 hash:ip ipset with a 1-day timeout.
>   2. Create an ip6tables PREROUTING rule that matches a specified MAC address and add the local address to the ipset created above.
>   3. Create your desired rule matching on the ipset which will be updated as new prefixes or SLAAC addresses come and go.
> This might not work, but demonstrates the idea:
> Code:
> ipset -! create myip6device hash:ip family inet6 timeout 86400
> ip6tables -t mangle -A PREROUTING -i br0 -m conntrack --ctstate NEW -m mac --mac-source aa:bb:cc:dd:ee:ff -j SET --add-set myip6device src --exist
> ip6tables -A FORWARD -i eth0 -m set --match-set myip6device dst -j ACCEPT
Could a script be made that dynamically updates the firewall rules as the IPv6 prefix changes? Simply define the rules under a chain; as the prefix changes, an event-based script is triggered that updates the rules inside the chain?
 

Martineau

Part of the Furniture
> This is by far probably the simplest solution I have seen in a while. Awesome share @Martineau!
Well.....only if it actually works? ;)

P.S. I was hoping that an IPv6 Guru would chime in to say beware!....a minor security issue with it as-is, is that it opens up all inbound subnets, so if you have say a /56 from your provider then you should really restrict it to just the relevant one of your /64 subnets.

eg. Only subnet 0x23
Code:
::0023:a3a3:beff:fe89:93af/::00ff:ffff:ffff:ffff:ffff
Can't recall/find the relevant article/reference at the moment, but this does sound plausible?
 

SomeWhereOverTheRainBow

Part of the Furniture
> Well.....only if it actually works? ;)
>
> P.S. I was hoping that an IPv6 Guru would chime in to say beware!....a minor security issue with it as-is, is that it opens up all inbound subnets, so if you have say a /56 from your provider then you should really restrict it to just the relevant one of your /64 subnets.
>
> eg. Only subnet 0x23
> Code:
> ::0023:a3a3:beff:fe89:93af/::00ff:ffff:ffff:ffff:ffff
> Can't recall/find the relevant article/reference at the moment, but this does sound plausible?
No one said the easiest/simplest is the safest ;).
 

dave14305

Part of the Furniture
It turns out that if you enter the Local IP in the IPv6 firewall rule starting with ::, the firmware assumes it's an EUI-64 address and adds the bitmask automatically.

Code:
# ip6tables -S FORWARD | grep beef
-A FORWARD -d ::abcd:dead:beef:cafe/::ffff:ffff:ffff:ffff -p tcp -m state --state NEW -m tcp --dport 7695 -j ACCEPT
 

omrij

Occasional Visitor
Following your advice (but the simple way, as I'm a newbie),
using the GUI firewall with the template you provided (::aaaa:bbbb:cccc:dddd/::ffff:ffff:ffff:ffff), where ::aaaa:bbbb:cccc:dddd is derived using MAC-to-EUI-64 conversion, seems to work.

A port scanner shows the ports on the specific IPv6 address are open (and not on other clients on the same network),
and the services using these ports work, of course (a few services using NGINX and AdGuard Home).
Is this safe/legit?

Thanks!!!
 
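The suffix-mask rule from dave14305's template and Martineau's subnet-pinned variant, worked through as an added example (this is not code from the thread or from the router firmware). It is written in POSIX sh so it runs on a router's busybox shell as well as on a desktop; the MAC address aa:bb:cc:dd:ee:ff, port 7695, subnet 0x23 and the 2001:db8:: addresses are made up, and the functions only print rules, they do not apply them.

```sh
#!/bin/sh
# Added example, not code from the thread: derive a host's fixed EUI-64
# suffix from its MAC address, emit an ip6tables rule that matches that
# suffix under any (dynamic) prefix, and check offline which addresses the
# rule would match. Only meaningful for hosts that really use EUI-64
# interface identifiers (the thread's macvlan container), not for hosts
# with randomised or temporary SLAAC addresses. MACs, port and addresses
# used here are made up.

# eui64_suffix MAC -> prints ::xxxx:xxff:fexx:xxxx (RFC 4291 modified EUI-64:
# insert ff:fe in the middle and flip the universal/local bit, 0x02, of the
# first octet). Accepts aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF.
eui64_suffix() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    [ ${#mac} -eq 12 ] || { echo "eui64_suffix: bad MAC '$1'" >&2; return 1; }
    case $mac in *[!0-9a-f]*) echo "eui64_suffix: bad MAC '$1'" >&2; return 1 ;; esac
    o1=${mac%??????????}; rest=${mac#??}
    o2=${rest%????????};  rest=${rest#??}
    o3=${rest%??????};    rest=${rest#??}
    o4=${rest%????};      rest=${rest#??}
    o5=${rest%??};        o6=${rest#??}
    printf '::%02x%s:%sff:fe%s:%s%s\n' $(( 0x$o1 ^ 0x02 )) "$o2" "$o3" "$o4" "$o5" "$o6"
}

# forward_rule MAC PORT [SUBNET_ID] -> prints (does not run) the FORWARD rule.
# With SUBNET_ID (0-255, e.g. 0x23) the mask also covers the low byte of the
# fourth hextet, i.e. the /64 index inside a /56 delegation, so the rule no
# longer opens the port for the same suffix in every /64 you were delegated.
forward_rule() {
    suffix=$(eui64_suffix "$1") || return 1
    if [ -n "$3" ]; then
        addr=$(printf '::%04x:%s' $(( $3 )) "${suffix#::}")
        mask='::00ff:ffff:ffff:ffff:ffff'
    else
        addr=$suffix
        mask='::ffff:ffff:ffff:ffff'
    fi
    printf 'ip6tables -A FORWARD -d %s/%s -p tcp -m state --state NEW --dport %s -j ACCEPT\n' \
        "$addr" "$mask" "$2"
}

# expand6 ADDR -> eight zero-padded hextets with "::" expanded (no zone index)
expand6() {
    case $1 in
        *::*) left=${1%%::*}; right=${1#*::} ;;
        *)    left=$1; right= ;;
    esac
    out=; n=0
    for g in $(printf '%s' "$left" | tr ':' ' '); do out="$out$(printf '%04x:' 0x$g)"; n=$((n+1)); done
    for g in $(printf '%s' "$right" | tr ':' ' '); do n=$((n+1)); done
    i=$((8 - n))
    while [ $i -gt 0 ]; do out="${out}0000:"; i=$((i-1)); done
    for g in $(printf '%s' "$right" | tr ':' ' '); do out="$out$(printf '%04x:' 0x$g)"; done
    printf '%s\n' "${out%:}"
}

# match6 ADDR TARGET MASK -> exit 0 if ADDR matches TARGET/MASK the way
# ip6tables evaluates "-d TARGET/MASK" (bitwise AND, hextet by hextet). Use it
# to confirm the rule hits the container and not a neighbour with another suffix.
match6() {
    a=$(expand6 "$1"); t=$(expand6 "$2"); m=$(expand6 "$3")
    i=1
    while [ $i -le 8 ]; do
        ga=$(printf '%s' "$a" | cut -d: -f$i)
        gt=$(printf '%s' "$t" | cut -d: -f$i)
        gm=$(printf '%s' "$m" | cut -d: -f$i)
        [ $(( 0x$ga & 0x$gm )) -eq $(( 0x$gt & 0x$gm )) ] || return 1
        i=$((i+1))
    done
}

# Usage on the router (prints the rule; pipe to sh to apply):
#   forward_rule aa:bb:cc:dd:ee:ff 7695        | sh
#   forward_rule aa:bb:cc:dd:ee:ff 7695 0x23   | sh   # pin to subnet 0x23 of the /56
# Dry-run check against a neighbour's address (made-up prefix):
#   match6 2001:db8:1:23:1234:5678:9abc:def0 ::a8bb:ccff:fedd:eeff ::ffff:ffff:ffff:ffff && echo match
```

forward_rule prints an -A rule, like the one the GUI generates in dave14305's ip6tables -S output; after applying it, run ip6tables -S FORWARD and make sure it sits above any catch-all DROP, because iptables is first-match and an appended rule below a DROP never fires. match6 is the offline counterpart of the port-scan check in the last post: feed it the container's address and a neighbour's to see that only the container's suffix matches, and feed it the same suffix under a different /64 to see that the subnet-pinned mask rejects it while the plain one does not.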
