
optionally block incoming IPv6 connections except for explicitly allowed IPs #32

Open
stapelberg opened this issue Jun 19, 2019 · 0 comments
Labels
enhancement New feature or request good-for-stream https://www.twitch.tv/stapelberg

Comments

@stapelberg
Contributor

It might be prudent to only allow incoming IPv6 connections to IP addresses which are explicitly listed, and default to not allowing incoming connections to other IPs.

In terms of configuration, the feature will be enabled as soon as a non-empty array of allowed IP addresses is defined (blocking all incoming connections can be achieved by allowing an unused IP address).

These are the nftables commands I used for prototyping:

# nft add chain ip6 filter forward '{' type filter hook forward priority 0 \; '}'
# nft add chain ip6 filter block-incoming
# nft add rule ip6 filter forward jump block-incoming
# nft add rule ip6 filter block-incoming oifname "lan0" tcp flags syn ip6 daddr ::1 accept
# nft add rule ip6 filter block-incoming oifname "lan0" tcp flags syn reject
@stapelberg stapelberg added the enhancement New feature or request label Jun 19, 2019
@stapelberg stapelberg added the good-for-stream https://www.twitch.tv/stapelberg label May 23, 2020
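As an added example (not router7's code and not the prototype commands above), here is a Go function that renders the same nftables ruleset from a configured allow list: the feature stays off while the list is empty, each listed address gets an accept rule, and a SYN reject on the LAN interface is the fallback. The function name, the `lanIface` parameter and the sample addresses are assumptions; it also refuses entries that are not plain IPv6 addresses, since an IPv4 or mistyped entry would silently never match.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// BlockIncomingRules renders an nftables ruleset in `nft -f` syntax that
// rejects forwarded IPv6 TCP SYNs toward lanIface unless the destination is
// explicitly allowed. An empty allow list means "feature disabled" and yields
// an empty ruleset, mirroring the configuration semantics proposed in the issue.
func BlockIncomingRules(lanIface string, allowed []string) (string, error) {
	if len(allowed) == 0 {
		return "", nil // feature off: install nothing
	}
	var b strings.Builder
	b.WriteString("table ip6 filter {\n")
	b.WriteString("  chain forward {\n")
	b.WriteString("    type filter hook forward priority 0; policy accept;\n")
	b.WriteString("    jump block-incoming\n  }\n")
	b.WriteString("  chain block-incoming {\n")
	for _, a := range allowed {
		// Only accept plain IPv6 addresses; anything else would never match in an ip6 table.
		addr, err := netip.ParseAddr(a)
		if err != nil || !addr.Is6() || addr.Is4In6() {
			return "", fmt.Errorf("allowed address %q is not a plain IPv6 address", a)
		}
		fmt.Fprintf(&b, "    oifname %q tcp flags syn ip6 daddr %s accept\n", lanIface, addr)
	}
	// Fallback: reject new connections (SYN) to every other address behind lanIface.
	fmt.Fprintf(&b, "    oifname %q tcp flags syn reject\n", lanIface)
	b.WriteString("  }\n}\n")
	return b.String(), nil
}

func main() {
	// Constructed sample configuration (documentation prefix, not a real host).
	rules, err := BlockIncomingRules("lan0", []string{"2001:db8::1"})
	if err != nil {
		panic(err)
	}
	fmt.Print(rules)
}
```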