
Re: Debian 11: How to disable IPv6



rhkramer@gmail.com writes:

> I could not find (in the searching I did) equivalent functionality for IPv6, so 
> I disabled IPv6 in hopes of keeping my systems (fairly) secure.

The equivalent to NAT in IPv6 is NAT, of course. It's not usually spoken
of much but for example my VPN provider does just that, I get a
non-routable FC00: address and they convert it to something else. Kind
of important for the P in VPN. Rules for NAT in IPv6 and nftables or
ip6tables look much the same as IPv4. I've never tried it though.

> I'm not sure that makes a lot of sense, and I'm sure [some | many | most | 
> maybe almost all] will disagree, especially based on the 128(?)-bit address 
> space in IPv6, but that was the reason I disabled IPv6.

Without NAT, if I don't allow IPv6 forwarding all willy-nilly in the
router then my internal devices are quite safe from external access (and
the ones that are actual computers have firewalls too). Currently I have
things set up so that only related and established connections are
forwarded. Normal stateful firewall, in other words. Basically all my nft
rules in the forward chain are just this:

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # connections from the internal net to the internet or to other
        # internal nets are allowed
        iifname $DEV_PRIVATE accept

        # the rest is dropped by the above policy
    }


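A complete ruleset in the spirit of the forward chain above, added here as an illustration and not the poster's own configuration. It puts the rules in an inet table so the same chain covers IPv4 and IPv6, keeps the established/related/invalid vmap and the "trust the private side" rule, and adds the one thing that commonly bites a stateless-looking IPv6 forward chain: the ICMPv6 error messages (in particular packet-too-big) that path-MTU discovery depends on, since IPv6 routers never fragment. NAT is applied to IPv4 only; the ULA masquerade line shows the IPv6 equivalent the reply mentions, commented out. The interface names eth0/eth1 and the 192.168.1.0/24 prefix are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Example ruleset (not from the original post). Check with: nft -c -f this-file
flush ruleset

define DEV_WAN     = "eth0"   # assumed upstream interface
define DEV_PRIVATE = "eth1"   # assumed LAN interface

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state vmap { established : accept, related : accept, invalid : drop }

        # The router itself must see ICMPv6: neighbour discovery and router
        # advertisements are ICMPv6, so dropping it breaks IPv6 on the box.
        meta l4proto ipv6-icmp accept
        ip protocol icmp accept

        # Hosts on the private side may talk to the router (DNS, DHCP, ssh).
        iifname $DEV_PRIVATE accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # ICMPv6 error messages must cross the router in both directions or
        # path-MTU discovery stalls. Conntrack usually classifies these as
        # related already; passing them explicitly follows RFC 4890 so they
        # get through even when there is no matching conntrack entry.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Connections from the internal net to the internet or to other
        # internal nets are allowed; everything else hits the drop policy.
        iifname $DEV_PRIVATE accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # IPv4 hosts sit behind RFC 1918 space and get masqueraded.
        oifname $DEV_WAN ip saddr 192.168.1.0/24 masquerade

        # IPv6 hosts have global addresses, so no NAT is needed; the
        # forward chain above is what protects them. If you did want the
        # VPN-style ULA setup described in the reply, the rule looks the same:
        # oifname $DEV_WAN ip6 saddr fc00::/7 masquerade
    }
}
```

Load it with `nft -f` after a successful `nft -c -f` syntax check, and confirm with `sysctl net.ipv6.conf.all.forwarding` that forwarding is actually enabled, since with it disabled the forward chain never sees a packet and the router silently drops everything.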
