How do I allow local IPv6 subnets in ufw?

I recently got IPv6 connectivity at home and now I would like to allow connections to my home server via IPv6 from the LAN only. The trick is that the IPv6 address/prefix assigned to the server is dynamic. Is there some way to write a UFW rule that allows only from directly connected subnets?


Keep in mind there are no IPv6 "local ranges" - each IPv6 "local range" is its own (at least) /64 segment of v6 addresses in a specifically defined prefix. As such, any 'private range' address you receive is going to be specific to the subnet your router sets you up on rather than the external v6 address you have (there's logic inside routers to set up the subnets automatically, but when you get into Enterprise-grade routing with advanced firewalls, routers, switches, etc., IPv6 has to be manually configured by hand and set up).

When you add into the equation that you will quite possibly (and frequently) have a changing subnet all the time, there is no way to accept them all dynamically without accepting all IPv6 inbound connections - at least on a consumer-grade network setup (with a much-more-complicated and much-more-expensive firewall appliance, you can explicitly do VLAN separation to prevent things from communicating with the outside and accept only internal v6, but you can't do this on consumer-grade router technologies).

As well, firewall rules are designed in ufw (and the underlying iptables and netfilter technologies which ufw works with) to have specific rules (such as ALLOW aaaa:bbbb:cccc:dddd::dead:beef INBOUND TO dddd:eeee:ffff:0000::dead:beef PORT 22/tcp (obviously not a rule, but just an example)) and if you are always having different addresses on different v6 subnets, (either internally or externally, but especially internally), it breaks the requirements that firewalls have for those kinds of rules.

You would therefore need to know all the subnets you'll get, and add a ufw rule that would be for each individual subnet. If that subnet is always changing and you do not know which subnet you will get, then you can't reliably create a firewall rule in any setup that can do what you're looking to accomplish on a dynamic ever-changing basis.

This also applies to port-forwarding at home - you can't reliably set up a port forward UNLESS the internal IP address (v4 or v6) isn't going to change. (The router transparently handles INBOUND from the internet, on its own, so long as you set up the internal v6 in a static setup, but you can't guarantee this will happen without much more time-consuming network configuration and setups, and possibly more enterprise-grade level equipment which can get expensive.)


Old question, but Google got me here so I think it's worth noting that you could add the IPv6 link-local range with:

ufw allow from fe80::/64

If you're connecting across the LAN then the link-local address should get used instead of your global IPv6 address.
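The first answer's point is that ufw needs one concrete "allow from" rule per subnet, and the second adds the link-local range. The script below, an added example that is not code from the question or either answer, combines the two: it reads the prefixes currently configured on the server's LAN interface from `ip -6 addr` output and prints the matching `ufw allow` commands, so the rule set can be regenerated from a cron job or a network hook whenever the delegated prefix changes. The interface name `eth0`, the function names, and the sample `ip -6 addr` text (documentation prefixes 2001:db8::/32 and fd12:3456:789a::/48) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original question or answers): derive the
# per-prefix "ufw allow from" rules for the IPv6 subnets a LAN interface is
# currently on. Assumes iproute2 "ip -6 addr" output format and ufw.

# Read "ip -6 addr show" text on stdin and print each on-link /64 with
# "scope global" (GUA or ULA) once, as "prefix::/64". Link-local addresses
# are "scope link" and are handled separately below.
lan_prefixes() {
    awk '
    $1 == "inet6" && $3 == "scope" && $4 == "global" {
        split($2, ap, "/")
        if (ap[2] != "64") next               # only whole on-link /64 subnets
        addr = ap[1]
        # expand "::" so the first four hextets can be taken reliably
        n = index(addr, "::")
        if (n) { left = substr(addr, 1, n - 1); right = substr(addr, n + 2) }
        else   { left = addr; right = "" }
        nl = split(left, L, ":"); nr = split(right, R, ":")
        k = 0
        for (i = 1; i <= nl; i++) full[++k] = L[i]
        for (i = 1; i <= 8 - nl - nr; i++) full[++k] = "0"
        for (i = 1; i <= nr; i++) full[++k] = R[i]
        # keep the first 64 bits; trailing zero hextets fold back into "::"
        j = 4
        while (j > 0 && full[j] ~ /^0+$/) j--
        p = ""
        for (i = 1; i <= j; i++) p = p (i > 1 ? ":" : "") full[i]
        print p "::/64"
    }' | sort -u
}

# Read prefixes on stdin and print ufw commands bound to one interface, with
# the link-local range from the second answer added first. Binding the rules
# to the LAN interface keeps them from matching traffic on any other link.
ufw_commands() {
    iface="$1"
    echo "ufw allow in on $iface from fe80::/64"
    while read -r p; do
        echo "ufw allow in on $iface from $p"
    done
}

# Constructed sample of "ip -6 addr show dev eth0" output: an EUI-64 address,
# a temporary (privacy) address in the same prefix, a ULA, and link-local.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:12:9c4e:2aff:fe1b:7d01/64 scope global dynamic mngtmpaddr
       valid_lft 86392sec preferred_lft 14392sec
    inet6 2001:db8:abcd:12:3f21:8b0c:44d2:91aa/64 scope global temporary dynamic
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fd12:3456:789a::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9c4e:2aff:fe1b:7d01/64 scope link
       valid_lft forever preferred_lft forever'

# Preview the rules for the sample. On a real server replace the sample with
# "ip -6 addr show dev eth0" and pipe the result to "sh" to apply it.
printf '%s\n' "$SAMPLE" | lan_prefixes | ufw_commands eth0
```

Two operational notes: ufw only installs IPv6 rules when `IPV6=yes` is set in `/etc/default/ufw`, and the script only prints `allow` commands, so when a prefix is withdrawn the stale rule has to be removed with `ufw delete allow ...` (or the rule set reset and regenerated) or the old subnet stays permitted.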