Best Method To Disallow All ipv6 traffic

Armz
2011-06-25
2013-03-05
  • Armz
    2011-06-25

    Hello.

    I have more than one system where I wish to disallow all ipv6 traffic, and have it apply
    to any newly installed program that would try to use ipv6 tcp/udp.

    Which would be the best way to accomplish this in Firewall Builder?

    Thank you.
    Armz

     
  • Mike Horn
    2011-06-26

    Firewall Builder policies can be either IPv4-only, IPv6-only or IPv4 and IPv6.  There are a couple of ways to do what you describe:

    1) Double-click the main Policy object to edit it and change the ruleset type to "IPv4 and IPv6". This will create entries for each rule in both iptables and ip6tables for rules that have either Any or an IPv6 address in the rule.  You could add a rule at the top that explicitly blocked IPv6 by creating an IPv6 Address object with "::" and bit mask length 0 and using that as the Source in the rule.

    2) A slightly cleaner way would be to create a new policy object and set it as IPv6 ruleset and make sure to mark it as a "Top ruleset".  Now you can add a single rule, leaving the default values in place (deny all), and this will generate an ip6tables entry that blocks all IPv6 traffic.
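
Added example (not part of the thread and not Firewall Builder output): a conservative check that the loaded ip6tables `filter` table really blocks everything, as either approach above is meant to achieve. It assumes `ip6tables-save` text without `-c` counters; the function names and the sample ruleset are constructed for illustration.

```python
import shlex

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
NON_TERMINATING = {"LOG", "NFLOG"}   # logging targets: traversal continues
BLOCKING = {"DROP", "REJECT"}

# Constructed sample in ip6tables-save format (not generated by Firewall Builder).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "IPv6 DENY "
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
"""

def _blocks(chain_rules, policy):
    """True if every packet entering the chain is dropped or rejected."""
    for words in chain_rules:
        if "-g" in words:
            return False              # goto into a user chain: not analysed
        target = words[words.index("-j") + 1] if "-j" in words else None
        if target is None or target in NON_TERMINATING:
            continue
        if target not in BLOCKING:
            return False              # ACCEPT, RETURN or a user chain may pass traffic
        if words[0] == "-j":
            return True               # block rule with no match conditions
    return policy == "DROP"           # fell off the end: chain policy decides

def chains_blocking_all(save_text):
    """Map each built-in filter chain to True when it blocks all IPv6 traffic."""
    policy, rules, table = {}, {c: [] for c in BUILTIN}, None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            name, pol = line[1:].split()[:2]
            policy[name] = pol
        elif table == "filter" and line.startswith("-A "):
            words = shlex.split(line)  # keeps quoted --log-prefix text as one word
            if words[1] in rules:
                rules[words[1]].append(words[2:])
    return {c: _blocks(rules[c], policy.get(c, "ACCEPT")) for c in BUILTIN}

if __name__ == "__main__":
    print(chains_blocking_all(SAMPLE))
```

On a live system, pass the text printed by `ip6tables-save` to `chains_blocking_all`; any chain reported as `False` has a rule or policy that can let IPv6 packets through.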

     
  • Armz
    2011-06-27

    Thanks for the direction Mikehorn.