ipv6 firewall rules help
-
My ISP provides a dynamic /56 prefix
I assign a /64 to each interface by tracking that /56 and adding a static suffix
And then I've got dhcp6 assigning a static suffix to each host from the pool of available addresses in the /64 for the interface they're connected to. The setup looks like this:
ISP assigned [whatever]::/56
interface pool: [whatever]01::/64
host [whatever]01::1:1
Now, what I need to do is create a firewall rule that allows traffic to a certain host for a certain port. IPv6 port forwarding essentially.
The problem is that I don't see any way to actually specify the host in the firewall creation rules unless I'm being thick here.
dhcp6 uses UUID to bypass the dynamic address problem, and that's how I could assign a static suffix to the host. But neither firewall rules nor aliases allow UUIDs. And the hostname is a) not registered in DNS resolver in order to use python pfblockerNG and b) a waste of resources to keep resolving the name of a known ip even if it did.
How do I make the firewall rule target the 01::1:1 suffix regardless of the [whatever] part that changes dynamically now and then?
-
@stefj By using the hostname from a static mapping in the DHCPv6 Server as a source for an alias.
-
@bob-dig said in ipv6 firewall rules help:
@stefj By using the hostname from a static mapping in the DHCPv6 Server as a source for an alias.
I did try this and it didn't seem to work. Could be a poor implementation of the idea on my end, I didn't thoroughly investigate tbh. I'll give it another try.
But I assumed that it didn't work because as I said above, the hostname assigned by dhcp6 isn't being registered in the dns resolver. And I confirmed this by trying to ping the hostname from another host. Couldn't resolve.
So, I'd have to give up pfblockerNG python for this to work?
-
@stefj said in ipv6 firewall rules help:
So, I'd have to give up pfblockerNG python for this to work?
No, DNS and the resolver have nothing to do with it.
You want to create a firewall rule, you can use an alias for that. You have to create that alias and then add the hostname to that.
Now this alias can be used in firewall rules.
Also it is not called port forwarding, it is just an open port for IPv6.
-
@bob-dig I'm giving it another try with aliases and it seems to be working. Shouldn't have jumped to conclusions it seems. I'll monitor it for a bit and see how it goes.
Appreciate the help.
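As an added example (not from the thread and not pfSense code), the addressing scheme from the first post in Python: derive the interface /64 from the delegated /56 plus the static subnet ID, append the host's static suffix, and check whether the addresses an alias has resolved to still include that host after the ISP changes the prefix. The /56 values and the resolved-address list are constructed sample data.

```python
import ipaddress

def interface_prefix(delegated, interface_id):
    """Build the /64 for an interface from a delegated /56 and a static 8-bit subnet ID."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen != 56:
        raise ValueError("expected a /56 delegation")
    if not 0 <= interface_id <= 0xFF:
        raise ValueError("subnet ID must fit in the 8 bits between /56 and /64")
    # Bits 56..63 select the subnet; shift the ID into that byte.
    base = int(pd.network_address) | (interface_id << 64)
    return ipaddress.IPv6Network((base, 64))

def host_address(delegated, interface_id, host_suffix):
    """Combine the interface /64 with a static interface identifier such as '::1:1'."""
    net = interface_prefix(delegated, interface_id)
    suffix = int(ipaddress.IPv6Address(host_suffix))
    if suffix >> 64:
        raise ValueError("host suffix must only use the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | suffix)

def has_suffix(addr, host_suffix):
    """True when the low 64 bits of addr equal the static suffix, whatever the prefix is."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low == int(ipaddress.IPv6Address(host_suffix))

def alias_tracks_host(resolved, delegated, interface_id, host_suffix):
    """Given the addresses an alias currently resolved to (constructed sample input),
    report whether the expected host under the current delegation is among them.
    A False result after a prefix change means the alias still holds stale addresses."""
    expected = host_address(delegated, interface_id, host_suffix)
    return any(ipaddress.IPv6Address(a) == expected for a in resolved)

if __name__ == "__main__":
    old_pd, new_pd = "2001:db8:abcd:ff00::/56", "2001:db8:1234:5600::/56"
    print(host_address(old_pd, 0x01, "::1:1"))   # 2001:db8:abcd:ff01::1:1
    print(host_address(new_pd, 0x01, "::1:1"))   # 2001:db8:1234:5601::1:1
    # Alias content captured before the prefix changed: stale for the new delegation.
    print(alias_tracks_host(["2001:db8:abcd:ff01::1:1"], new_pd, 0x01, "::1:1"))  # False
```

Running the last check periodically against the alias table is a cheap way to notice when the alias has not caught up with a renumbering.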