On 6/16/2015 2:20 PM, Brian J. Murrell wrote:
> So, I've been chasing an issue with IPv6 ULAs and preventing attempts to
> connect to them across the border router. The scenario is the unwitting
> admin that accidentally puts his Internet machine's ULA address into the
> global DNS.
>
> Yes, left to their own devices, these connection attempts will timeout
> but that's such a nasty failure scenario when those attempts can be
> stopped immediately by your border router with an ENETUNREACH.
>
> On OpenWRT, (where I am running Shorewall6-lite 4.4.22.2), this ULA
> destination prevention is accomplished with Source-Destination routes
> for the global addresses in the LAN. i.e.:
>
> default from 2001:470:aa:ccc::/64 dev 6in4-henet proto static metric 1024
> default from 2001:470:ab:ccc::/64 dev 6in4-henet proto static metric 1024
> default from 2002:aaaa:bbbb::/48 via ::192.88.99.1 dev 6to4-foo proto static metric 1024
> default from 2002::/16 via ::192.88.99.1 dev 6to4-foo proto static metric 1024
>
> But Shorewall6-{lite-4.4.22.2,4.6.6.2} is adding a non-source-address
> restricted route:
>
> default via 2001:470:aa:ccc::1 dev 6in4-henet metric 1024
>
> when it sets up a (fallback, not balanced) Multi-ISP configuration.
> This is of course defeating the prevention (or quick refusal at least)
> of connections to ULA addresses outside of one's site.
>
> I wonder what the community's thoughts about this are.
Have you considered adding an 'unreachable' route for the ULA range in
shorewall6-routes?

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
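The exchange above turns on how the kernel's route lookup treats the three tables involved: Brian's source-restricted defaults, the same table after Shorewall6's Multi-ISP code adds an unrestricted default, and Tom's suggested 'unreachable' route for the ULA range. The script below is an added example, not code from the thread, from Shorewall or from OpenWRT. It parses route lines written in `ip -6 route show` style and applies a simplified model of the Linux IPv6 lookup: longest destination prefix wins, a route with a `from` selector only matches when the source is inside that selector, and among routes with the same destination prefix a matching `from` beats a route with none; metrics are ignored. The site ULA prefix `fd00:1234:5678::/64`, the LAN interface `br-lan` and the foreign ULA `fdaa:bbbb::1` are made up for the example; the `2001:470:...` routes and the `6in4-henet` device are the ones quoted in the thread.

```python
"""Simulate the IPv6 route lookup for the route tables discussed in the thread.

Added example, not Shorewall or OpenWRT code. Models only longest-prefix match on
the destination plus the 'from' source selector; metrics and ECMP are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dst: ipaddress.IPv6Network
    src: Optional[ipaddress.IPv6Network]  # 'from' selector; None means any source
    kind: str                             # 'unicast' or 'unreachable'
    dev: str                              # outgoing interface, '' if not given


def parse_route(line: str) -> Route:
    """Parse a simplified 'ip -6 route show' line (via/proto/metric are skipped)."""
    toks = line.split()
    kind = "unicast"
    if toks[0] == "unreachable":
        kind, toks = "unreachable", toks[1:]
    dst = ipaddress.IPv6Network("::/0" if toks[0] == "default" else toks[0])
    src, dev, i = None, "", 1
    while i < len(toks):
        if toks[i] == "from":
            src, i = ipaddress.IPv6Network(toks[i + 1]), i + 2
        elif toks[i] == "dev":
            dev, i = toks[i + 1], i + 2
        else:
            i += 1
    return Route(dst, src, kind, dev)


def lookup(routes: List[Route], src_addr: str, dst_addr: str) -> Optional[Route]:
    """Return the best matching route, or None when nothing matches."""
    s, d = ipaddress.IPv6Address(src_addr), ipaddress.IPv6Address(dst_addr)
    best = None
    for r in routes:
        if d not in r.dst or (r.src is not None and s not in r.src):
            continue
        # Longer destination prefix first; then a matching 'from' beats no 'from'.
        key = (r.dst.prefixlen, r.src.prefixlen if r.src is not None else -1)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def outcome(routes: List[Route], src_addr: str, dst_addr: str) -> str:
    """What a forwarded packet gets: an egress device or ENETUNREACH."""
    r = lookup(routes, src_addr, dst_addr)
    if r is None or r.kind == "unreachable":
        return "ENETUNREACH"
    return "forward via " + r.dev


SITE_ULA = "fd00:1234:5678::/64"  # assumed site ULA /64, not from the thread

# 1. Brian's source-restricted defaults (quoted in the thread) plus the on-link ULA.
RESTRICTED = [parse_route(l) for l in [
    "default from 2001:470:aa:ccc::/64 dev 6in4-henet proto static metric 1024",
    "default from 2001:470:ab:ccc::/64 dev 6in4-henet proto static metric 1024",
    SITE_ULA + " dev br-lan proto kernel metric 256",
]]
# 2. The same table after Shorewall6 Multi-ISP adds the unrestricted default it quoted.
MULTI_ISP = RESTRICTED + [parse_route(
    "default via 2001:470:aa:ccc::1 dev 6in4-henet metric 1024")]
# 3. Tom's suggestion: an 'unreachable' route covering the whole ULA range fc00::/7.
WITH_UNREACHABLE = MULTI_ISP + [parse_route(
    "unreachable fc00::/7 dev lo metric 1024")]

if __name__ == "__main__":
    cases = [("fd00:1234:5678::10", "fdaa:bbbb::1"),      # ULA src -> foreign ULA
             ("2001:470:aa:ccc::10", "fdaa:bbbb::1"),     # global src -> foreign ULA
             ("2001:470:aa:ccc::10", "fd00:1234:5678::5"),  # -> own on-link ULA
             ("2001:470:aa:ccc::10", "2001:db8::1")]       # -> global destination
    for name, table in (("restricted", RESTRICTED), ("multi-isp", MULTI_ISP),
                        ("unreachable", WITH_UNREACHABLE)):
        for s, d in cases:
            print(f"{name:12} {s:22} -> {d:20} {outcome(table, s, d)}")
```

Two things the simulation makes visible: the unrestricted default that Multi-ISP installs catches a ULA-sourced packet to a foreign ULA that the source-restricted table had no route for, which is the defeat Brian describes; and the source-restricted defaults by themselves still forward a ULA destination when the LAN host happened to pick a global source address, whereas the `fc00::/7` unreachable route refuses both while the on-link `/64` still wins by longer prefix. By hand the equivalent is `ip -6 route add unreachable fc00::/7`; whether your Shorewall6 release accepts `unreachable` in the GATEWAY column of shorewall6-routes should be checked against its routes(5) man page, since the keyword is not assumed here to exist in every 4.x release.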
