ip6tables and multiple possible source addresses
ben at bjencks.net
Wed Jan 18 08:10:42 CET 2012
On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote:
> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-(
> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but...
> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses?
> This seems...... awkward (and error prone).
> Am I missing something, or is it that bad?
If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP. If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.
More information about the ipv6-ops