So, I've been chasing an issue with IPv6 ULAs and preventing attempts to connect to them across the border router. The scenario is the unwitting admin that accidentally puts his Internet machine's ULA address into the global DNS.
Yes, left to their own devices, these connection attempts will time out, but that's such a nasty failure scenario when those attempts can be stopped immediately by your border router with an ENETUNREACH.

On OpenWRT (where I am running Shorewall6-lite 4.4.22.2), this ULA destination prevention is accomplished with Source-Destination routes for the global addresses in the LAN, i.e.:

default from 2001:470:aa:ccc::/64 dev 6in4-henet proto static metric 1024
default from 2001:470:ab:ccc::/64 dev 6in4-henet proto static metric 1024
default from 2002:aaaa:bbbb::/48 via ::192.88.99.1 dev 6to4-foo proto static metric 1024
default from 2002::/16 via ::192.88.99.1 dev 6to4-foo proto static metric 1024

But Shorewall6-{lite-4.4.22.2,4.6.6.2} is adding a non-source-address-restricted route:

default via 2001:470:aa:ccc::1 dev 6in4-henet metric 1024

when it sets up a (fallback, not balanced) Multi-ISP configuration.

This is of course defeating the prevention (or quick refusal at least) of connections to ULA addresses outside of one's site.
I wonder what the community's thoughts about this are.
Cheers,
b.
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
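To illustrate the effect described in the post, here is an added example (not code from the post, from OpenWRT or from Shorewall): a small Python model of source-restricted IPv6 route selection, run once with only the `from`-restricted default routes and once with the unrestricted default route added. It assumes a simplified version of Linux's selection rules (longest destination prefix, then a matching `from` prefix beats an unrestricted route) and uses constructed ULA sample addresses.

```python
# Added example: simplified model of IPv6 source-specific route selection.
# Assumption: longest destination prefix wins; among equal destination
# prefixes, a route whose 'from' prefix covers the source beats an
# unrestricted route, and a non-matching 'from' route is ignored.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv6Network
ULA = Net("fc00::/7")  # RFC 4193 unique local address block


@dataclass(frozen=True)
class Route:
    dst: Net
    dev: str
    src: Optional[Net] = None  # 'from' prefix; None means unrestricted


def lookup(table: List[Route], src: str, dst: str) -> Optional[Route]:
    """Return the selected route, or None to model ENETUNREACH."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    candidates = [r for r in table if d in r.dst and (r.src is None or s in r.src)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, r.src.prefixlen if r.src else -1))


def site_routes() -> List[Route]:
    # Default routes restricted to the LAN's global prefixes (as in the post):
    # ULA-sourced packets match none of them and are refused at the border.
    return [
        Route(Net("::/0"), "6in4-henet", Net("2001:470:aa:ccc::/64")),
        Route(Net("::/0"), "6in4-henet", Net("2001:470:ab:ccc::/64")),
        Route(Net("::/0"), "6to4-foo", Net("2002:aaaa:bbbb::/48")),
        Route(Net("::/0"), "6to4-foo", Net("2002::/16")),
    ]


def unrestricted_default() -> Route:
    # The non-source-restricted default route the post reports being added.
    return Route(Net("::/0"), "6in4-henet")


def ula_leaks(table: List[Route], src="fd12:3456:789a::10", dst="fdab:cdef:1::1") -> bool:
    """True if a ULA-to-ULA packet (constructed sample) would be forwarded."""
    return ipaddress.IPv6Address(dst) in ULA and lookup(table, src, dst) is not None


if __name__ == "__main__":
    print("restricted only, ULA leaks:", ula_leaks(site_routes()))
    print("with unrestricted default, ULA leaks:", ula_leaks(site_routes() + [unrestricted_default()]))
```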
