
I want to set up IPv4/IPv6 dual stack on my internet connection and my local network. To that end I want to change the firewalls on some of the machines to allow incoming traffic for certain applications from the internet, and others from the local network only. To that end I hoped to be able to do:

ufw allow internet-application

ufw allow from 192.168.0.0/24 to any app lan-application
ufw allow from fe80::/64 to any app lan-application

Unfortunately however, my home router's DNS does not resolve local machines' AAAA records to their link-local fe80::/64 addresses, but to their global addresses (including the prefix that changes according to what my ISP tells me).

So I was thinking maybe I need to set the firewall to accept incoming traffic from any address within the prefix that's shared by all devices in the network? Is that right? And if that's right, how would I do that?

The alternative, making my DNS server return fe80::/64 addresses for local host names doesn't seem to be possible as I don't see any settings for that.

  • Does your home router have an option to advertise an additional ULA prefix (fdXX)? Most home routers generate a static ULA precisely to avoid issues with ISPs that insist on changing the global prefix. Commented May 23, 2023 at 6:27
  • My router is set to only give out fd00 addresses when there is no connection. Should I enable it? Although I am not sure if this is effective, as I am using SLAAC. I'll give it a try. Commented May 23, 2023 at 6:29
  • Oh, that was indeed the solution! Can you write it out in an answer, so I can accept it? Commented May 23, 2023 at 6:34
  • It should give those addresses unconditionally – usually that's the whole point. Commented May 23, 2023 at 6:35
  • Yeah, my router has the word "recommended" in all the wrong places apparently: ULA only when not connected, enable DHCP instead of SLAAC... Commented May 23, 2023 at 6:36

1 Answer


While UFW could dynamically update its firewall rules according to the currently received prefix, as far as I know it doesn't have such functionality right now.

At the underlying iptables/nftables layer, I believe it would be possible to write nftables rules that do something like "if saddr/64 = daddr/64 then accept" without the need for dynamic updates, but no such thing exists in iptables, which AFAIK is what UFW uses.

the prefix that changes according to what my ISP tells me

The most commonly accepted solution, in home routers, is to provide an additional ULA prefix (fdXX:) that does not change and is always present independently of the WAN connection (not just when the connection is down). All internal DNS would then use the ULA addresses, and they work in your firewall rules pretty much like a 192.168.x address.

(The difference from IPv4 is that you also have a global address that's used for connecting to other global addresses, i.e. source address selection instead of NAT.)

The alternative, making my DNS server return fe80::/64 addresses for local host names doesn't seem to be possible as I don't see any settings for that.

You cannot usefully put link-local addresses in DNS, in general, as the lookup results will not have the "zone index" (i.e. the interface ID) that Linux requires. (For example, when connecting to a link-local address on most non-Windows systems you must specify fe80::1%eth0 rather than just fe80::1.)

(Local resolvers such as Avahi for mDNS are able to return link-local results because they know that the mDNS response arrived from exactly the same interface and can just fill in the same index, but with unicast DNS that's no longer guaranteed so resolvers will not try to guess.)

  • Ah, and now I also think I better understand the difference between link local addresses and ULA addresses. Commented May 23, 2023 at 6:50
  • Right, ULAs are just like RFC1918 addresses of IPv4 – they have no special properties except for being not Internet-routable (but still routable internally), whereas link-local addresses are special in various ways (e.g. they're unconditionally excluded from routing) and aren't really meant to act as a RFC1918 replacement at all. Commented May 23, 2023 at 6:59
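The answer's advice (put the ULA prefix, not the link-local or the ISP-assigned global prefix, into the LAN-only rules) can be checked mechanically before typing ufw commands. The following is an added example written for this page, not code from the question or the answer: it classifies a host's IPv6 addresses into link-local, ULA and global, derives the ULA /64 and builds the dual-stack ufw rules for the question's "lan-application" profile. The address list is constructed, the fd12:3456:789a: prefix is an assumed router-generated ULA, and 2001:db8: stands in for whatever global prefix the ISP currently hands out. If no ULA address is present the function refuses to produce rules, which is exactly the "ULA only when not connected" misconfiguration the comments describe.

```python
import ipaddress

# RFC 4193 Unique Local Addresses: the "fdXX:" prefix a home router can
# advertise alongside the ISP-assigned global prefix.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")
# Link-local addresses: valid on one link only and need a zone index (%eth0).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample of what `ip -6 addr` might list on one LAN host.
# 2001:db8: stands in for the ISP-assigned global prefix (assumption);
# fd12:3456:789a: is an assumed router-generated ULA prefix.
SAMPLE_ADDRESSES = [
    "fe80::1a2b:3c4d:5e6f:7a8b%eth0",
    "2001:db8:abcd:1:1a2b:3c4d:5e6f:7a8b",
    "fd12:3456:789a:1:1a2b:3c4d:5e6f:7a8b",
]


def strip_zone(addr):
    """Drop a '%eth0' zone index so ipaddress can parse the address."""
    return addr.split("%", 1)[0]


def classify(addr):
    """Return 'link-local', 'ula' or 'global' for an IPv6 address string."""
    a = ipaddress.IPv6Address(strip_zone(addr))
    if a in LINK_LOCAL:
        return "link-local"   # unusable in unicast DNS and network-wide rules
    if a in ULA_BLOCK:
        return "ula"          # stable and internally routable: use in rules
    return "global"           # follows the ISP prefix: do not hard-code


def ula_prefixes(addresses, prefixlen=64):
    """Collect the distinct ULA /64 networks a host is configured with."""
    nets = set()
    for addr in addresses:
        if classify(addr) == "ula":
            a = ipaddress.IPv6Address(strip_zone(addr))
            nets.add(ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False))
    return sorted(nets)


def ufw_lan_rules(addresses, app, ipv4_lan="192.168.0.0/24"):
    """Build the dual-stack 'LAN only' ufw rules for an app profile.

    Raises ValueError when the host has no ULA address, i.e. the router
    is not advertising one (or only does so while the WAN link is down).
    """
    prefixes = ula_prefixes(addresses)
    if not prefixes:
        raise ValueError(
            "no ULA address on this host: enable the router's ULA prefix "
            "unconditionally, not only when the WAN link is down"
        )
    rules = [f"ufw allow from {ipv4_lan} to any app {app}"]
    rules.extend(f"ufw allow from {net} to any app {app}" for net in prefixes)
    return rules


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:45} {classify(addr)}")
    for rule in ufw_lan_rules(SAMPLE_ADDRESSES, "lan-application"):
        print(rule)
```

On a real host, replace SAMPLE_ADDRESSES with the output of `ip -6 addr show scope global` and `ip -6 addr show scope link` and review the printed commands before running them; the global (ISP) prefix is deliberately never turned into a rule.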

