rhkra...@gmail.com writes:
> I could not find (in the searching I did) equivalent functionality for IPv6, so
> I disabled IPv6 in hopes of keeping my systems (fairly) secure.
The equivalent to NAT in IPv6 is NAT, of course. It's not usually spoken of much, but for example my VPN provider does just that: I get a non-routable FC00: address and they convert it to something else. Kind of important for the P in VPN. Rules for NAT in IPv6 and nftables or ip6tables look much the same as IPv4. I've never tried it though.

> I'm not sure that makes a lot of sense, and I'm sure [some | many | most |
> maybe almost all] will disagree, especially based on the 128(?)-bit address
> space in IPv6, but that was the reason I disabled IPv6.

Without NAT, if I don't allow IPv6 forwarding all willy-nilly in the router, then my internal devices are quite safe from external access (and the ones that are actual computers have firewalls too.) Currently I have things set up so that only related and established connections are forwarded. Normal stateful firewall, in other words. Basically all my nft rules in the forward chain are just this:

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # connections from the internal net to the internet or to other
        # internal nets are allowed
        iifname $DEV_PRIVATE accept

        # the rest is dropped by the above policy
    }
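For readers who want to see the forward chain above as a complete, loadable ruleset, here is an added example (it is not the poster's own configuration). It uses the inet family so one forward chain covers both IPv4 and IPv6, and adds the ip6 source-NAT table that the reply mentions but says it has never tried, translating ULA (fc00::/7) sources to the WAN address on the way out. The interface names "lan0" and "wan0" are placeholders; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset.
# Assumed interface names: "lan0" (private side) and "wan0" (upstream).

define DEV_PRIVATE = "lan0"
define DEV_WAN = "wan0"

flush ruleset

table inet filter {
    chain forward {
        # policy drop: anything not explicitly accepted below is discarded
        type filter hook forward priority 0; policy drop;

        # conntrack state: replies to existing flows pass, broken state is dropped
        ct state vmap { established : accept, related : accept, invalid : drop }

        # new connections are only allowed to originate on the private side
        iifname $DEV_PRIVATE accept

        # everything else (inbound new connections on either IP version)
        # falls through to the drop policy
    }
}

# IPv6 source NAT: hosts with unique local (fc00::/7) addresses leave the
# router looking like its WAN address, mirroring IPv4 masquerade.
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $DEV_WAN ip6 saddr fc00::/7 masquerade
    }
}
```

Before loading, syntax-check the file without applying it with `nft -c -f /path/to/ruleset.nft`; the `-c` (check) flag parses and validates the ruleset and reports errors without touching the running kernel tables. Once loaded, `nft list ruleset` shows the active chains, and adding `counter` before `accept` or `drop` in a rule makes it easy to confirm from the packet counts which rule is actually handling a given flow.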