Block any other network traffic besides IPv4 traffic?

Hi all,

As I have understood, IPFire does not support IPv6 by now.
At the moment it looks like any IPv6 traffic is - by default - bypassing IPFire (and my routing rules) and “reaches” anything in the WAN.

My firewall options are:
NAT in use.
FORWARD blocked
OUTGOING allowed

What do I have to do so that only IPv4 traffic is allowed through by the firewall?

cu

UralterMann

Hi @uraltermann

Welcome to the IPFire community.

That is correct. IPv6 is being built into IPFire3.x but will still take some time.
IPFire2.x has IPv6 disabled by default in /etc/sysctl.conf

  net.ipv6.conf.all.disable_ipv6 = 1
  net.ipv6.conf.default.disable_ipv6 = 1
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0

All the firewall rules, as far as I can tell (limited knowledge) by searching in the git repository are using iptables which is IPv4 based.

If you have IPv6 traffic on your LAN network then you will probably need to write your own firewall rules into some script using ip6tables, which exists in IPFire. You will not be able to do this via the WUI. Also your rules, I would expect, will also need to use the ip6tables-apply, ip6tables-restore and ip6tables-save commands in the appropriate way to make the rules you raise valid. That script would then need to be run during the startup of IPFire, so would need an initscript to run it.

I don’t believe you can use firewall.local because I believe that takes any rules listed in there and runs them via iptables and hence only for IPv4.

Maybe someone else with better understanding of how the firewall rules are used in IPFire can comment further.

1 Like
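
As an added example (not part of any post in this thread and not IPFire's own code): a shell check that compares the sysctl.conf settings quoted above with the kernel's live per-interface state, since a value in the file only matters once it is applied. The function names and the path parameters are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the IPv6 sysctl settings quoted in this thread.
# Function names and path parameters are assumptions of this example.

# Expected values, taken from the sysctl.conf excerpt above.
EXPECTED="net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0"

# conf_value FILE KEY: print the last uncommented value assigned to KEY.
conf_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_conf FILE: report every expected key that is missing or differs.
audit_conf() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "CONFIG $key=${got:-unset} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# audit_runtime DIR: DIR is /proc/sys/net/ipv6/conf on a live system.
# Reports every interface whose disable_ipv6 is not 1. If the directory
# does not exist (no IPv6 support in the kernel) nothing is reported.
audit_runtime() {
    rc=0
    for f in "$1"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "1" ]; then
            echo "RUNTIME $(basename "$(dirname "$f")") disable_ipv6=$val"
            rc=1
        fi
    done
    return $rc
}
```

On the firewall itself, call `audit_conf /etc/sysctl.conf` and `audit_runtime /proc/sys/net/ipv6/conf`; a non-zero status means at least one setting differs from the excerpt.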

I’ve just tried to reproduce the situation with my W10 system.
If I only activate IPv6 there is no internet connection. So IPv6 traffic isn’t passed through IPFire.
I think you have some other problem. How is your client connected?

2 Likes

There is nothing to stop this.

But this refers to IPv4!
If IPv6 traffic is possible, there must be some other connection to the internet.
The ‘standard’ is
WAN <---> access device ( modem, ... ) <---> IPFire <---> LAN with clients
The two local networks are IPv4 only.

@uraltermann , if the IPv6 traffic is accomplished by tunneling, this post may be interesting.

2 Likes

Hi,
New user with IPFire.
The way that I set up the network is that I use IPFire also as a DHCP server. This server does not pass IPv6 addresses.
Maybe something to test out. My setup did not pass IPv6.
(though I use a home network and I also disabled IPv6 on all clients)

1 Like

Thank you all.
Checked the configuration in /etc/sysctl.conf and I am sure that IPv6 is blocked. No “ping -6 or perf3 -6” is working… :)
So, works as intended.

Commonly used on Xbox and Microsoft PC.