IPv6 disabled yet majority of firewall blocks are IPv6
-
Hi there,
I have IPv6 disabled under system Advanced Networking, yet 90% of my firewall block activity is IPv6. Most are LAN and UDP protocol. Is this expected?
Thank you so much.
-
If hosts on the inside are using IPv6 it would be expected that the firewall would be logging blocks.
You might want to post some of the blocks so people can see what you're talking about.
-
"Disabling" IPv6 from that page only blocks the traffic, so that's somewhat expected. Just because the system isn't actively trying to use IPv6 doesn't mean you won't see it on the network. IPv6 heavily leverages multicast where the firewall will see the packets on the network no matter what.
-
Thank you, here are some of the blocks I see. Is there any way I can correlate what are the hosts behind this IPv6 traffic? My DHCPv6 Leases is empty so not really sure what is sending these packets.
Nov 4 16:37:18 EM2 [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:13 EM2 [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:09 EM2 [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:37:09 EM2 [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:09 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:38:07 EM2 [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
Nov 4 16:26:42 EM2 [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
-
Packet capture and look at the MAC addresses, I suppose. From some of the link-local addresses the MACs can be gleaned from the EUI-64 format there.
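The EUI-64 recovery mentioned above, as an added example that is not part of the original post: it parses block-log lines in the format quoted in this thread, recovers the MAC from link-local sources that use a modified EUI-64 interface ID, and labels the multicast destination. The function names and the regular expression are assumptions made for this illustration.

```python
import ipaddress
import re

# Sample input: a few of the block-log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 4 16:37:18 LAN [fe80::1472:dea:7fab:e8a4] [ff02::2] ICMPv6
Nov 4 16:37:13 LAN [fe80::1472:dea:7fab:e8a4]:5353 [ff02::fb]:5353 UDP
Nov 4 16:38:07 LAN [fe80::ae37:43ff:fedd:33ad] [ff02::2] ICMPv6
Nov 4 16:26:42 LAN [fe80::4a5f:99ff:fe27:858f]:546 [ff02::1:2]:547 UDP
"""

# Link-local multicast groups that appear in these logs.
GROUPS = {
    "ff02::2": "all-routers",
    "ff02::fb": "mDNS",
    "ff02::1:2": "DHCPv6 servers/relays",
}

# [src] or [src]:port, then [dst] or [dst]:port, then the protocol column.
LINE_RE = re.compile(
    r"\[([0-9a-fA-F:]+)\](?::\d+)?\s+\[([0-9a-fA-F:]+)\](?::\d+)?\s+(\S+)")

def mac_from_link_local(addr):
    """Return the MAC embedded in a modified EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]                 # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":         # EUI-64 inserts ff:fe between the MAC halves
        return None                     # randomized/privacy ID, MAC not recoverable
    # Undo the universal/local bit flip on the first octet and drop ff:fe.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def summarize(log_text):
    """Map each source address to its recovered MAC and the groups it sent to."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, _proto = m.groups()
        host = hosts.setdefault(
            src, {"mac": mac_from_link_local(src), "traffic": set()})
        host["traffic"].add(GROUPS.get(dst, dst))
    return hosts

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info["mac"] or "no EUI-64 MAC", sorted(info["traffic"]))
```

A source that returns no MAC is using a non-EUI-64 interface ID, so the packet capture is the way to get its MAC address.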
-
Thanks again, one of them looks like an Android device, which is not easy to disable IPv6 on.
So is the best practice to enable IPv6? I'm concerned about needing to maintain double firewall, Suricata, traffic rules.
-
Or ignore the logs.
Or make rules that suppress the logs.
Whether or not you enable IPv6 really depends on whether or not you have IPv6.