Is your firewall blocking all IPv6?
Are you sure?
No, but some people are using the network layer as access control and don't understand IPv6 so they block it instead. 🤬🤦
There are some legitimate uses for host-based firewalls, such as avoiding accidentally exposed services, determining which applications/services can use the network, and access control for services only able to listen on loopback instead of a Unix domain socket.
A funny part about people using firewalls is that they generally make themselves much more vulnerable to DoS attacks due to overhead and limits on tracked connections.
On Linux, having a single service listening externally with conntrack enabled breaks your SYN flood protection.
I even consider use of no-auth loopback as unacceptable "network layer as access control". It breaks all privilege separation on the host.
We consider it unacceptable which is why we disable listening on loopback for as many services as possible (MariaDB, PostgreSQL) and implement uid-based access control for stuff not supporting that via nftables as a workaround for software deficiencies.
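The uid-based loopback access control described in the post above, written up as an added nftables example (this is not the poster's ruleset). It assumes PostgreSQL is bound only to 127.0.0.1:5432 and [::1]:5432, and uses placeholder uids 999 and 1001 for the accounts allowed to connect.

```nft
# Added example (constructed for this thread, not the poster's ruleset):
# only the listed uids may open a connection to the loopback-only
# PostgreSQL listener on port 5432. The inet family covers both
# 127.0.0.1 and ::1, so IPv6 loopback is not left out by accident.
# The uids 999 (postgres) and 1001 (app) are placeholders.
table inet loopback_acl {
    chain output {
        type filter hook output priority filter; policy accept;

        # Match only new connection attempts (SYN without ACK) leaving
        # via lo. Matching on TCP flags instead of ct state keeps
        # conntrack out of the loopback path.
        oif "lo" tcp dport 5432 tcp flags & (syn | ack) == syn meta skuid { 999, 1001 } counter accept

        # Any other uid trying to open a connection to 5432 on loopback
        # is refused and counted, so misuse is visible in `nft list ruleset`.
        oif "lo" tcp dport 5432 tcp flags & (syn | ack) == syn counter reject with tcp reset
    }
}
```

Load it with `nft -f <file>`; the same pattern applies to MariaDB by changing the port and the allowed uids.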