
I maintain several networks of 5-20 computers, which sit behind a traditional IPv4 router / firewall setup. Outbound connections are NATted, and clients outside the router access individual services via port forwarding through the router.

I'm interested in starting to use IPv6 for (some of) these machines, but I don't want to unknowingly open them up to arbitrary access from the Big Bad Internet. I do want to allow certain protocols through as directly as possible. For example, I'd like to allow direct SSH access to one of the machines.

Is there a good way to do this, without also requiring a full firewall setup on each individual machine? Should I just think of my router's public-facing IPv6 address as the entry address to an n-bit subnet where all my intranet machines live, and handle firewalling by dropping SYN packets to ports and machines that I don't want to allow access to?

1 Answer


On v4 you have a router that:

  • blocks inbound connections by default, unless permitted
  • NATs the source address on outbound connections
  • NATs the destination address on some inbound connections

In v6, you do the same but you don't do any NATing. You only need the first bullet point.

All connections are still flowing over the router, so you can still apply a firewall on the router to inbound connections. The fact that you're not NATing the addresses on those connections doesn't change that in the slightest.

handle firewalling by dropping SYN packets to ports and machines that I don't want to allow access to?

You shouldn't be doing it by dropping SYN packets. SYN only applies to TCP, for one thing. At this stage you should be using a stateful firewall which tracks connections, and you should be accepting packets which match existing connections while dropping (or better, rejecting) packets which create new connections.

But basically yes, that's how you handle firewalling.
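A concrete form of the answer's advice (stateful filtering on the router, no NAT), as an added example rather than the answerer's own configuration: an nftables ruleset for the router's forward path. The interface names wan0/lan0, the delegated prefix 2001:db8:1234::/64 and the SSH host 2001:db8:1234::22 are assumed placeholders (2001:db8::/32 is the documentation range).

```nft
#!/usr/sbin/nft -f
# Added example, not from the original answer. Load with: nft -f thisfile
# Assumed names: wan0 = ISP-facing interface, lan0 = intranet interface,
# 2001:db8:1234::/64 = delegated prefix, 2001:db8:1234::22 = the SSH host.

# Declare-then-flush lets the file be reloaded atomically without touching other tables.
table ip6 fw6
flush table ip6 fw6

table ip6 fw6 {
    chain forward {
        # Everything routed between lan0 and wan0 passes this chain; default is drop.
        type filter hook forward priority filter; policy drop;

        # Stateful part: replies and related packets of a tracked connection pass in
        # either direction, so no per-direction rules are needed for return traffic.
        ct state established,related accept
        ct state invalid drop

        # IPv6 breaks without ICMPv6 (Path MTU discovery, error reporting), so allow the
        # message types RFC 4890 says must transit a firewall, plus ping.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # Intranet machines may open connections to the outside, no address rewriting.
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:1234::/64 accept

        # The one permitted inbound service: SSH to a single host.
        # "ct state new" matches connection setup, not only TCP SYN flags.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1234::22 \
            tcp dport 22 ct state new accept

        # Any other attempt from outside to start a connection is rejected (as the
        # answer suggests, rejecting is friendlier to the remote side than silently dropping).
        iifname "wan0" reject with icmpv6 type admin-prohibited
    }
}
```

This covers traffic forwarded through the router only; connections to the router itself are handled by a separate input chain, and the ISP must route the prefix to the router as described in the comments below.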

  • Thanks, the magic words were "you do the same but you don't do any NATing."
    – Dave M.
    Commented Jul 29, 2019 at 5:03
  • Does IPv6 have some routing-table maintenance (like IGMP or something) that lets The World figure out how to reach the IPv6 address of one of my "intranet" machines? Suppose I have an SSH server on a machine back there, and the machine has some IPv6 address. How does a random client out in the world reach an IPv6 address that's "behind" my router?
    – Dave M.
    Commented Jul 29, 2019 at 5:06
  • @DaveM.: When your prefix is assigned via DHCPv6-PD, then the ISP's DHCPv6 server itself inserts a route into ISP's routers as part of issuing the PD lease. Between customer and ISP, that's all there is. (The World doesn't need to know individual customer prefixes as they all come out of the same base prefix, so they're all covered by a single BGP announcement by the ISP.)
    Commented Jul 29, 2019 at 5:38
