Ipv6 firewall functions

Djunity
Junior Member
Posts: 3
Joined: 27 Jun 2012, 18:54

Ipv6 firewall functions

Post by Djunity »

Hi all,

Does anyone know why csf reports this:
Blocking 2001:1be8:3f03:0480:0000:0000:0002:02f3...

deny failed: [2001:1be8:3f03:0480:0000:0000:0002:02f3] is one of this servers addresses!
I'm sure that this IP is not used on this server; the IPv6 address that is used on this server is
2001:1be8:3f03:0480:0000:0000:0002:0213
It looks like it won't block it because it is in the same range. Strangely enough, with IPv4 you can, for example, block 10.0.0.110 if you have 10.0.0.109 on the server.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Ipv6 firewall functions

Post by chirpy »

IPv6 addresses are usually assigned in a /64 CIDR, which you may not be taking into account.
philb
Junior Member
Posts: 2
Joined: 31 Jan 2013, 01:57

Re: Ipv6 firewall functions

Post by philb »

Just hit this when trying to add a v6 host in the same /64 into the allow list.

CSF seems to be conflating IPs in the same range as being bound on the server, when this isn't the case.

Having a v6 interface of 2a01::101/64 bound (as an example) does not mean that every IP in that /64 is bound to the server any more than 111.222.111.222/24 being bound means that every address in that /24 v4 range is bound to the server.

Adding the entry manually into the allow list circumvents this, but it's definitely a bug in the sanity checking when doing a quick-add.

(awesome work, by the way - only discovered this a week ago, and makes my life a lot easier, particularly with dedicated server customers to try and save them "from themselves" - made sure to take a pass at your tip jar this evening - something I encourage anyone reading this who uses CSF in a commercial environment to do.)
philb
Junior Member
Posts: 2
Joined: 31 Jan 2013, 01:57

Re: Ipv6 firewall functions

Post by philb »

This should now be resolved in the latest version:

5.76 - Only add the /128 IPv6 bound address per NIC instead of the whole /64
to the local IPv6 addresses

( from: configserver (dot) com/free/csf/changelog.txt )
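
The difference between the behaviour reported in this thread and the 5.76 changelog entry, as an added example that is not CSF's own code (CSF is written in Perl). The function names and the BOUND list are hypothetical; the addresses are the ones quoted in the posts above, with the /64 and /24 prefix lengths assumed.

```python
import ipaddress

# Constructed sample: addresses bound on the server, taken from the first post.
# The prefix lengths are assumptions (a /64 as chirpy describes, a /24 for IPv4).
BOUND = ["2001:1be8:3f03:0480:0000:0000:0002:0213/64", "10.0.0.109/24"]


def is_local_by_prefix(candidate, bound=BOUND):
    """Model of the reported behaviour: any IPv6 address inside a bound
    interface's /64 counts as one of the server's own addresses."""
    ip = ipaddress.ip_address(candidate)
    for entry in bound:
        iface = ipaddress.ip_interface(entry)
        if ip.version != iface.version:
            continue
        if ip.version == 6 and ip in iface.network:
            return True  # whole on-link prefix treated as local
        if ip.version == 4 and ip == iface.ip:
            return True  # IPv4 was already matched per address
    return False


def is_local_exact(candidate, bound=BOUND):
    """Model of the 5.76 changelog entry: only the bound /128 (or /32) host
    address is local. Parsing first means the expanded and compressed
    spellings of the same IPv6 address compare equal."""
    ip = ipaddress.ip_address(candidate)
    return any(ip == ipaddress.ip_interface(entry).ip for entry in bound)


if __name__ == "__main__":
    samples = [
        "2001:1be8:3f03:0480:0000:0000:0002:02f3",  # neighbour in the same /64
        "2001:1be8:3f03:480::2:213",                # the server itself, compressed
        "10.0.0.110",                               # IPv4 neighbour
    ]
    for addr in samples:
        print(addr, "prefix check:", is_local_by_prefix(addr),
              "exact check:", is_local_exact(addr))
```

The first sample is refused by the prefix check but can be blocked under the exact check, while the server's own address stays protected in either spelling.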