ip6tables and multiple possible source addresses

Zuleger, Holger, VF-DE holger.zuleger at vodafone.com
Wed Jan 18 13:41:31 CET 2012


> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:
> > When writing a host-specific ip6tables rule, which address do you need
> > to list? All of the possible Global Scoped addresses?
> Maybe this is an indication that host-specific ipv6 firewall rules for
> "only certain hosts in an otherwise non-trusted /64 subnet" is a stupid
> idea right from the start...
And this is stupid in IPv4 networks as well.

If you want to have host specific filtering of outgoing traffic, please
use proxies with user authentication.

Anyway, because of the huge address space in IPv6, one option would be
to give every host its own subnet (up to 65000 hosts).
But I wouldn't recommend this...
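As an added illustration of the problem raised in the thread (this is example code, not from the list post or its author): a host on one /64 typically holds several global addresses at once (a SLAAC address, a rotating privacy-extension address, perhaps a static one), so an ip6tables `-s` match on one /128 only catches a fraction of its traffic, while a `-s` match on the shared /64 catches all of that host's addresses but also every other host on the subnet. The script below uses Python's standard `ipaddress` module to check which of a host's addresses a given source specification would match, and computes how many per-host /64 prefixes a /48 can hand out (the "up to 65000 hosts" option). The addresses and the site prefix are constructed sample values; the rule strings are only rendered, never executed.

```python
import ipaddress

# Constructed sample (not from the thread): the global-scope addresses a single
# host may hold at the same time on one /64. Values are illustrative only.
HOST_ADDRESSES = [
    "2001:db8:1:2:211:22ff:fe33:4455",  # SLAAC address derived from the MAC (EUI-64)
    "2001:db8:1:2:9c3b:1f0a:77d2:e11",  # temporary privacy-extension address, rotates regularly
    "2001:db8:1:2::10",                 # statically configured address
]


def matched(source_spec, addresses):
    """Return the addresses that an ip6tables '-s source_spec' match would hit."""
    net = ipaddress.IPv6Network(source_spec, strict=False)
    return [a for a in addresses if ipaddress.IPv6Address(a) in net]


def unmatched(source_spec, addresses):
    """Addresses the host could send from that the rule would silently miss."""
    hit = set(matched(source_spec, addresses))
    return [a for a in addresses if a not in hit]


def host_prefixes(site_prefix, host_len=64):
    """How many per-host subnets of host_len bits a site prefix can hand out."""
    site = ipaddress.IPv6Network(site_prefix, strict=False)
    return 2 ** (host_len - site.prefixlen)


def rule(source_spec, chain="FORWARD", target="ACCEPT"):
    """Render the ip6tables command line for a source-based rule (string only)."""
    return f"ip6tables -A {chain} -s {source_spec} -j {target}"


if __name__ == "__main__":
    # A /128 on the static address misses the SLAAC and privacy addresses;
    # the shared /64 matches all three, and every other host on that subnet too.
    for spec in ("2001:db8:1:2::10/128", "2001:db8:1:2::/64"):
        print(rule(spec))
        print("  matches :", matched(spec, HOST_ADDRESSES))
        print("  misses  :", unmatched(spec, HOST_ADDRESSES))
    # The per-host-subnet option: a /48 yields 65536 separate /64s.
    print("per-host /64s available from a /48:", host_prefixes("2001:db8::/48"))
```

A per-host /64 makes the `-s` match cover all of one host's addresses only because nothing else is on that prefix; the filtering is then really per-subnet, which is why the reply above points to authenticated proxies rather than address-based rules for per-user policy.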


