The mess is there for IPv6 and a secondary subnet.
Everything is working except IPv6 being able to connect to open ports - even though I don't want it to. The default rule is right at the top.
I thought that would have taken care of it.
In a default config it does, but as I said before, mess.
Remove that. Having it in the lan zone is especially bad since it's treating the pppoe wan as a lan.
Though you can write rules on forwarding in the same zone, it is really intended that conditional forwarding be between different zones. Return to a default configuration then write wan->lan accept (v6) or redirect (v4) rules only for the incoming connections that you want to allow.
SOLVED. I hope it helps someone. Solution in original post.
So you solved a problem that didn't exist until you created it, and did that by adding an unnecessary rule rather than fixing the actual problem. How is that supposed to help others?
The problem existed, I did not create it. No solution here, so I solved it myself.
No fix from you or any others. Just lip and sarcasm. Reminds me of the type who used to big themselves up on FidoNET back in the 80's - that's you. All mouth and no substance.
If anyone has a similar situation, and tries mine and it helps then that's all.
To anyone who sees this "solution" - the OP has opened 443/tcp for every IPv6 LAN address. This rule is dangerous and could e.g. allow someone to access/brute force a device that would otherwise have been firewalled by the default rules.
I'm not sure how this blocks inbound IPv6 traffic to the LAN - it actually allows it.
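As an added illustration, not anything posted in this thread: the rule shape the replies warn about (an IPv6 wan->lan accept with no destination host, which exposes 443/tcp on every LAN address) beside the narrower per-host accept (v6) and redirect (v4) that the earlier reply recommends. It assumes an OpenWrt-style firewall, which the zone and redirect terminology suggests; rule names and addresses are placeholders.

```text
# Constructed example in /etc/config/firewall syntax; not the OP's config.

# Weak: no dest_ip, so this matches every host in the lan zone that has a
# global IPv6 address. Any device listening on 443/tcp becomes reachable.
config rule
	option name 'Allow-HTTPS-v6-anyhost'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '443'
	option family 'ipv6'
	option target 'ACCEPT'

# Narrower: same intent, but only the one host meant to serve 443 is
# reachable. 2001:db8::10 is a documentation-range placeholder.
config rule
	option name 'Allow-HTTPS-v6-server'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '443'
	option dest_ip '2001:db8::10'
	option family 'ipv6'
	option target 'ACCEPT'

# IPv4 counterpart: a DNAT redirect to that single host, not a zone-wide
# accept. 192.168.1.10 is a placeholder LAN address.
config redirect
	option name 'Forward-HTTPS-v4-server'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
```

After `/etc/init.d/firewall reload`, check that every wan->lan accept and redirect carries a `dest_ip`; one without it is the zone-wide exposure described above.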
You did. By default (as in before you made changes) the firewall does not allow unsolicited traffic (IPv4 or IPv6) to go from WAN to LAN. You made changes to the firewall which changed that behaviour.
You got fixes. Just because you didn't want to do them or didn't agree that they were necessary doesn't mean they weren't offered.
The simple fact is you made changes to the firewall which caused the behaviour you were seeing. The configs you provided demonstrated that. The quickest and best way to resolve the mess you made would be to reset the configuration and make the necessary changes for your use case properly. We'd have been perfectly happy to guide you through that.