10.4 Tiger and blocking ports for IPv6
I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine by adjusting the settings in the Firewall configuration in System Preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines on the local networks via IPv6? I suspect I am going to need a command line tool or a third-party tool.
Comments
# flush the current IPv6 rule set without prompting
ip6fw -f flush
# inbound TCP is only allowed to the ports listed here (ssh in this case)
ip6fw add 1000 allow tcp from any to 2a01:e35:eeee:eeee::/64 ssh
# ICMPv6 needed for Neighbor Discovery / DAD on the link
ip6fw add 1100 allow ipv6-icmp from :: to ff02::/16
ip6fw add 1200 allow ipv6-icmp from fe80::/10 to fe80::/10
ip6fw add 1300 allow ipv6-icmp from fe80::/10 to ff02::/16
# anything originating from the local /64 may go out
ip6fw add 2100 allow ipv6 from 2a01:e35:eeee:eeee::/64 to any
# keep ICMPv6 open (path MTU discovery etc.)
ip6fw add 2200 allow ipv6-icmp from any to any
# replies to TCP connections opened from here
ip6fw add 2300 allow tcp from any to any established
# everything else is dropped and logged
ip6fw add 3000 deny log all from any to any
It does the job, allowing me to connect to IPv6 hosts, such as ipv6.google.com, yet not allowing access to the ports I want protected (22 is intentionally left open).
I will add a StartupItem or a LaunchDaemon to have this set on startup.
If there is a user-friendly approach, i.e. using a GUI, then I would be interested to know.
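The following script is an added example, not code from the original question or comment. It generalises the rule set posted above into a form that can be run from a LaunchDaemon: the local /64 prefix and the list of TCP ports left reachable from the Internet are parameters instead of being typed into each rule, the rules are generated by a function so the result can be inspected with a dry run before anything is loaded, and `apply` flushes and loads them through ip6fw and lists the result. The prefix 2a01:e35:eeee:eeee::/64 and port 22 are placeholders taken from the comment; replace them with your own values.

```sh
#!/bin/sh
# Added example (not from the original post): generate and load an ip6fw
# rule set like the one in the comment above, parameterised by the local
# /64 prefix and the TCP ports that should stay reachable from anywhere.
# Intended for Mac OS X 10.4-10.6, where ip6fw is the IPv6 firewall; the
# "apply" mode must run as root (e.g. from a LaunchDaemon at boot).
# Assumptions: the prefix and port list below are placeholders to replace.

LOCAL_PREFIX="${LOCAL_PREFIX:-2a01:e35:eeee:eeee::/64}"   # your /64 (placeholder)
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22}"                    # ports the world may reach

# build_rules PREFIX "PORT ...": print one ip6fw rule body per line, in order.
build_rules() {
    prefix="$1"; ports="$2"; n=1000
    # Inbound TCP to the whitelisted ports only; one rule per port.
    for p in $ports; do
        echo "add $n allow tcp from any to $prefix $p"
        n=$((n + 10))
    done
    # Neighbor Discovery / DAD needs ICMPv6 between link-local and multicast.
    echo "add 2000 allow ipv6-icmp from :: to ff02::/16"
    echo "add 2010 allow ipv6-icmp from fe80::/10 to fe80::/10"
    echo "add 2020 allow ipv6-icmp from fe80::/10 to ff02::/16"
    # Anything originating from our own prefix may go out.
    echo "add 2100 allow ipv6 from $prefix to any"
    # ICMPv6 is required for path MTU discovery; keep it open.
    echo "add 2200 allow ipv6-icmp from any to any"
    # Replies to TCP connections opened from here.
    echo "add 2300 allow tcp from any to any established"
    # Everything else is dropped and logged.
    echo "add 3000 deny log all from any to any"
}

# rule_count PREFIX "PORT ...": number of rules build_rules would produce.
rule_count() { build_rules "$1" "$2" | wc -l | tr -d ' '; }

# apply_rules PREFIX "PORT ...": flush and load the rules through ip6fw.
apply_rules() {
    ip6fw -f flush
    build_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        ip6fw $rule
    done
    ip6fw list
}

case "${1:-}" in
    apply) apply_rules "$LOCAL_PREFIX" "$OPEN_TCP_PORTS" ;;
    *)     echo "# dry run; run '$0 apply' as root to load these rules:"
           build_rules "$LOCAL_PREFIX" "$OPEN_TCP_PORTS" ;;
esac
```

Two caveats worth knowing before relying on this. First, ip6fw is stateless: the `established` rule matches any TCP segment with ACK (or RST) set, so it lets through unsolicited ACK-flagged packets to closed ports as well as genuine replies; that is why the final deny rule logs, so you can see what reaches it. Second, ip6fw shipped with Mac OS X 10.4 through 10.6 only; later releases replaced it with pf, so the same rule set has to be expressed in pf.conf there.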