
I realize that this question might sound kind of strange, but it is necessary for my situation as far as I can tell.

The root of it is that my ISP assigns IPv6 global addresses dynamically and refreshes the assignment once in a while. I'm running a VM that I don't want accessing my local network. Everything works fine, I'm blocking all sorts of stuff, like local addresses as destination IPs for example. It's not a bad network sandbox, apart from this glaring hole in the security. The VM (assuming it knows the public IPv6 of one of my local network devices) can just communicate with them. This is because the host system has no way of telling proper internet addresses apart from local network devices that happen to be addressed using global IPv6 addresses.

Like I said, I can't set up any static prefix exclusion rules in my firewall because the prefix changes. And I want to stay away from changing the firewall rules with some sort of script that gets fired when the interface receives a new global IPv6. That's pretty disgusting, among other reasons because it allows for a certain small time window when the new IPv6 gets assigned, where the firewall rules haven't been updated yet and the VM can access the local network devices without getting blocked. That's not good.

I was really hoping that there's simply some sysconfig variable somewhere that tells the Linux kernel to not route any packets where the destination address prefix is the same as the interface's global address prefix. Effectively like saying "You're not allowed to access local network devices through their global addresses".

I can't solve my problem by adjusting the firewall on my local network's router, because it isn't nearly configurable enough. Also, I'd prefer to keep my security contained to the host computer, so that I can move the computer to different networks without too much reconfiguration in the router and so forth.

Anyway, yeah, that's my situation. I'm really hoping someone can just point me in the direction of a simple fix, but I fear that there isn't one. Anyone got any good ideas on how to deal with this?
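Added example, not from the post or from any answer: the check the question wants the kernel to make, written out in Python so the gap it describes is concrete. It parses constructed `ip -6 -o addr show` output (documentation prefix 2001:db8::/32, two snapshots: before and after the ISP renumbers) and flags a destination as a LAN device addressed by its global prefix when it falls inside the interface's current global prefix; evaluating against the stale snapshot is the race window the post mentions.

```python
import ipaddress
import re

# Constructed `ip -6 -o addr show` snapshots (one line per address, as the -o
# flag prints them). Only 2001:db8::/32 documentation addresses are used.
BEFORE_RENUMBER = """\
2: eth0    inet6 2001:db8:abcd:1:1a2b:3c4d:5e6f:7a8b/64 scope global dynamic mngtmpaddr noprefixroute \\       valid_lft 86392sec preferred_lft 14392sec
2: eth0    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link \\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
"""
# Same host after the ISP hands out a new prefix.
AFTER_RENUMBER = BEFORE_RENUMBER.replace("2001:db8:abcd:1:", "2001:db8:ffff:2:")

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+(\S+)\s+scope\s+(\S+)", re.M)


def global_prefixes(ip_addr_output, iface="eth0"):
    """Return the on-link global prefixes (as strings) for iface, taken from
    the prefix length of each 'scope global' address in the ip(8) output."""
    prefixes = set()
    for dev, cidr, scope in ADDR_RE.findall(ip_addr_output):
        if dev == iface and scope == "global":
            prefixes.add(str(ipaddress.ip_network(cidr, strict=False)))
    return prefixes


def is_neighbor_via_global(dst, ip_addr_output, iface="eth0"):
    """True when dst shares a global on-link prefix with the host, i.e. it is a
    local network device reached through its global address, not an Internet host."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in global_prefixes(ip_addr_output, iface))


def verdict(dst, ip_addr_output, iface="eth0"):
    """The policy the question describes: 'drop' for a local device addressed by
    the interface's own global prefix, 'allow' for anything off-link."""
    return "drop" if is_neighbor_via_global(dst, ip_addr_output, iface) else "allow"


if __name__ == "__main__":
    new_neighbor = "2001:db8:ffff:2::10"   # a LAN device under the NEW prefix
    # Stale snapshot: the neighbor is allowed, which is exactly the race window
    # between the prefix change and a rule update that the post objects to.
    print("stale snapshot:", verdict(new_neighbor, BEFORE_RENUMBER))   # allow
    print("fresh snapshot:", verdict(new_neighbor, AFTER_RENUMBER))    # drop
```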

  • What's the real problem you are trying to address though? Why should the "neighbors" be treated differently? Just because they are "close to you"?
    – Tom Yan
    Commented May 24 at 3:28
