schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450
Posted: Mon Apr 11, 2016 8:54 am Post subject: IPv6: Private LAN: Security policy
Hi,
I read a lot about IPv6. Currently my ISP provides both IPv4 and v6. I turned off IPv6 currently. I have a DSL modem which gets handled by an Alix board which runs Gentoo + pppd. I used radvd to supply the given prefix to my internal network.
BUT: On my server I have a v6 address too. I could directly ping to my laptop on my LAN.
I don't want to offer my internal services to the public... What security policy do you use for your LAN machines?
[1] http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/
_________________
// valid again: I forgot about the git access. Now 1.2GB big. Start: 2015-06-25
git daily portage tree
Web: https://github.com/schorsch1976/portage
git clone https://github.com/schorsch1976/portage
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
Posted: Mon Apr 11, 2016 10:08 am Post subject:
Firewall your services on your router so only clients within the prefix can access them.
You could even block inbound access to clients within your prefix from the internet entirely, unless they have a prior outbound route (this is the stateful bit of the firewall) which gives you the same security as IPv4 NAT in that the internal clients don't need a firewall.
I can't tell you how to do this on Linux as I use NetBSD to power my router.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
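
The stateful policy UberLord describes, sketched for a Linux router with ip6tables. This is an added example, not part of any post in the thread; the interface names (ppp0 for the pppd uplink, eth1 for the LAN) and the pinhole address from the 2001:db8::/32 documentation prefix are assumptions.

```shell
# Added example, not from the thread. Covers forwarded traffic only; the
# router's own INPUT chain needs its own rules.
IP6T=${IP6T:-ip6tables}        # IP6T=echo prints the rules instead (dry run)

# lan_forward_policy WAN_IF LAN_IF [ADDR,TCPPORT ...]
lan_forward_policy() {
    wan=$1; lan=$2
    [ -n "$wan" ] && [ -n "$lan" ] && [ "$wan" != "$lan" ] || return 2
    shift 2

    # Validate every pinhole before touching the live ruleset.
    for spec in "$@"; do
        case $spec in *,*) ;; *) return 2 ;; esac
        case ${spec##*,} in ''|*[!0-9]*) return 2 ;; esac
    done

    # Default-deny everything the router forwards, then start clean
    # (this flushes any existing FORWARD rules).
    $IP6T -P FORWARD DROP || return 1
    $IP6T -F FORWARD || return 1

    # Stateful part: replies to flows a LAN host opened. RELATED also lets
    # in the ICMPv6 errors (e.g. packet-too-big) that belong to those flows.
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # LAN hosts may open new connections towards the internet.
    $IP6T -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT

    # Optional pinholes: one inbound TCP service per ADDR,PORT argument.
    for spec in "$@"; do
        $IP6T -A FORWARD -i "$wan" -o "$lan" -d "${spec%,*}" -p tcp \
            --dport "${spec##*,}" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Anything else arriving from the WAN falls through to the DROP policy.
}

# Example call (as root): lan_forward_policy ppp0 eth1 2001:db8:1::10,22
```

With this in place an unsolicited ping from an outside host to a LAN address is dropped at the router, while connections started from the LAN keep working.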
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Mon Apr 11, 2016 3:58 pm Post subject: Re: IPv6: Private LAN: Security policy
schorsch_76 wrote: "I don't want to offer my internal services to the public... What security policy do you use for your LAN machines?"
I give them a site-local prefix (fd00::/8) and bind internal services to those addresses. It's the same as having 192.168 IPv4 addresses.
schorsch_76 Guru
Joined: 19 Jun 2012 Posts: 450