
Re: portsentry(1) and ipv6?



Fabrice Bauzac wrote: 
> Hello,
> 
> 12 sept. 2020 14:09:14 Dan Ritter <dsr@randomstring.org>:
> 
> > John Conover wrote:
> >>
> >> Does portsentry(1) make any sense in systems with ipv6 connectivity?
> >>
> > Yes and no. If you want to know that machines are scanning
> > ports, yes. If you want to effectively block IPs, no.
> 
> Why would it not be able to block ipv6 addresses? Shouldn't a firewall rule work? Could you please elaborate or direct me to some explanatory webpage?

Of course it can block IPv6 addresses.

The problem is that every IPv6 user on the planet is assigned
something between a /48 and a /64 worth of addresses.

They can literally never repeat an address, switching addresses
for every port, while scanning you once a second for a year.
You will run out of memory.

So you switch to blocking subnets... and then you discover that
you are blocking Amazon, Google, Microsoft, and a ridiculous
number of virtual-machine providers who offer new machines for
$3/month.

Blocking IPv6 addresses because they poked at you isn't
worthwhile. You need to secure your services and rate-limit new
connections.

-dsr-
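The two points in the reply above (a per-address block list for IPv6 grows without bound because one scanner owns a whole /64, and the workable alternative is to rate-limit new connections) are easy to see in a few lines of code. The following is an added example written for this thread, not code from portsentry or from the poster: it tracks scan sources by /64 (IPv6) or /32 (IPv4) rather than by individual address, compares the size of the resulting tables, and applies a sliding-window limit on new connections per prefix. The log lines, their format, the /64 aggregation width and the limit/window values are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample lines in a simple "timestamp source port" layout.
# This is NOT portsentry's real log format; it is an assumption for this
# example.  Five hits come from distinct addresses inside one /64, which is
# what an IPv6 scanner rotating interface identifiers looks like.
SAMPLE_LOG = """\
1000 2001:db8:1:2::1 23
1001 2001:db8:1:2::2 23
1002 2001:db8:1:2:abcd::9 22
1003 2001:db8:1:2:ffff:ffff:ffff:ffff 445
1004 2001:db8:1:2::77 3389
1005 2001:db8:9:9::1 22
1006 2001:db8:9:9::1 23
1007 198.51.100.7 22
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Return (timestamp, ip_address, port) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, port = m.groups()
    return int(ts), ipaddress.ip_address(host), int(port)


def source_key(addr, v6_prefix=64, v4_prefix=32):
    """Collapse a source address to the prefix a defender should track.

    A /64 is the smallest allocation an IPv6 end site normally gets, so
    keying on it makes address rotation inside that block irrelevant.
    (The /64 width is an assumption; adjust per your own threat model.)
    """
    plen = v6_prefix if addr.version == 6 else v4_prefix
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def prefix_str(host):
    """Convenience wrapper: prefix for a host given as a string."""
    return str(source_key(ipaddress.ip_address(host)))


def aggregate(log_text):
    """Count hits per exact address and group addresses per tracked prefix."""
    per_addr = defaultdict(int)
    per_prefix = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, addr, _ = parsed
        per_addr[addr] += 1
        per_prefix[source_key(addr)].add(addr)
    return per_addr, per_prefix


def block_table_sizes(log_text):
    """Entries a block list would need: (per-address, per-prefix)."""
    per_addr, per_prefix = aggregate(log_text)
    return len(per_addr), len(per_prefix)


class NewConnectionLimiter:
    """Allow at most `limit` new connections per source prefix per `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # prefix -> timestamps of accepted connections

    def allow(self, ts, addr):
        key = source_key(addr)
        q = self.history[key]
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay(log_text, limit=3, window=10):
    """Replay the log through the limiter; returns [(source, allowed), ...]."""
    limiter = NewConnectionLimiter(limit, window)
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, addr, _ = parsed
        decisions.append((str(addr), limiter.allow(ts, addr)))
    return decisions


if __name__ == "__main__":
    print("block-list entries (per address, per prefix):", block_table_sizes(SAMPLE_LOG))
    for src, ok in replay(SAMPLE_LOG):
        print(f"{src:45} {'allowed' if ok else 'rate-limited'}")
```

On the sample, a per-address table needs 7 entries while a per-prefix table needs 3, and the rotating /64 is rate-limited after its third new connection in the window without any address ever being listed individually. Keying by prefix also exposes the trade-off the reply warns about: a /64 shared by many tenants at a hosting provider would be limited as a unit, which is why the limiter throttles rather than blocks.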

