Support for IPv6 firewall #97
Labels
Comments
equetzal
added
enhancement
Merged
DT3264
added a commit
that referenced
this issue
Jun 11, 2023
This PR should be enough as a hotfix for #97.
equetzal
pushed a commit
that referenced
this issue
Jun 12, 2023
This PR should be enough as a hotfix for #97.
equetzal
pushed a commit
that referenced
this issue
Jun 12, 2023
This PR should be enough as a hotfix for #97.
equetzal
pushed a commit
that referenced
this issue
Jun 13, 2023
This PR should be enough as a hotfix for #97.
equetzal
pushed a commit
that referenced
this issue
Jun 13, 2023
This PR should be enough as a hotfix for #97.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Context
IPv6 is the new standard for the internet protocol, nowadays is common to have two stacks configured by default, the IPv4 and the IPv6. huronOS is capable of supporting both working separated or together, but the firewall is only setup at the IPv4 stack.
Problem
huronOS firewall only filters IPv4 stack, so, if a network is configured to work on both IPv4 and IPv6, the firewall might not reliable block the internet access. This is because after not being successful on resolve a domain name over IPv4, it will try on IPv6 and will be allowed to access the website.
This is a common behavior as most of home networks have this new protocol enabled by default as part of the transition to IPv6. It is necessary for this system to work reliably in this network scenarios.
Proposed Solution
Hot Fix
As a hot fix we can just drop all IPv6 communication when firewall is on DROP mode. Then enable all IPv6 when on allow mode.
Correct solution
Replicate the firewall on both stacks, and do resolve DNS over IPv6 too.
Allow exceptions on the config file of the directives server for IPv6 too.
Document all this behavior on the Docs
The text was updated successfully, but these errors were encountered: