10.4 Tiger and blocking ports for IPv6

Posted in Mac Software, edited January 2014
I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine, by adjusting the settings in the Firewall configurations in the System Preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6? I suspect I am going to need a command line tool or a third-party tool.

Comments

  • Reply 1 of 1
    ajmas (member, 553 posts)
    Not finding a "user friendly" approach, I found an approach that can be achieved via the command line. I ended up using the following solution, which involves updating the entries manually with ip6fw (routable network prefix is not the actual one I am using):

    Code:

    # Start from an empty rule table
    ip6fw -f flush
    # SSH to the local /64 stays reachable from anywhere (port 22 intentionally open)
    ip6fw add 1000 allow tcp from any to 2a01:e35:eeee:eeee::/64 ssh
    # Neighbour discovery and multicast ICMPv6 on the link
    # (unnumbered rules get the next free numbers after 1000)
    ip6fw add allow ipv6-icmp from :: to ff02::/16
    ip6fw add allow ipv6-icmp from fe80::/10 to fe80::/10
    ip6fw add allow ipv6-icmp from fe80::/10 to ff02::/16
    # Anything originating on the local /64 may go out
    ip6fw add 2100 allow ipv6 from 2a01:e35:eeee:eeee::/64 to any
    ip6fw add 2200 allow ipv6-icmp from any to any
    # Return traffic for connections that are already established
    ip6fw add 2300 allow tcp from any to any established
    # Everything else is dropped and logged
    ip6fw add 3000 deny log all from any to any

    It does the job, allowing me to connect to IPv6 hosts, such as ipv6.google.com, yet not allowing access to ports I want protected (22 is intentionally left open).

    I will add a StartUpItem or a LaunchDaemon to have this set on startup.

    If there is a user friendly approach, i.e. using a GUI, then I would be interested to know.
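As an added example (not the poster's own script), the same ruleset as a POSIX shell script that takes the local /64 prefix as a parameter and refuses a malformed one, such as a prefix missing its `::` before `/64`, before any rule is applied; the prefix it prints by default is a constructed placeholder. The Sharing pane's firewall on 10.4 manages ipfw rules, which cover IPv4 only, which is why the separate ip6fw table is needed here.

```shell
#!/bin/sh
# Added example, not the poster's own script: generates the ip6fw ruleset
# from the reply above for a given local /64, after validating the prefix.
# The prefix used at the bottom is a constructed placeholder, not a real one.

# Accept exactly hhhh:hhhh:hhhh:hhhh::/64 (1-4 hex digits per group).
# A prefix such as "2a01:e35:eeee:eeee:/64" (one colon short) is rejected.
check_prefix() {
    case "$1" in
        *:::/64) return 1 ;;
        *::/64) ;;
        *) return 1 ;;
    esac
    hextets=${1%::/64}
    n=0
    old_ifs=$IFS
    IFS=:
    for h in $hextets; do
        case "$h" in
            ''|*[!0-9a-fA-F]*|?????*) IFS=$old_ifs; return 1 ;;
        esac
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Print the ruleset as ip6fw commands, in the order the reply applies them.
# Unnumbered rules get ip6fw's automatic numbering (next slot after 1000).
ip6fw_rules() {
    check_prefix "$1" || { echo "ip6fw_rules: bad /64 prefix: $1" >&2; return 1; }
    cat <<EOF
ip6fw -f flush
ip6fw add 1000 allow tcp from any to $1 ssh
ip6fw add allow ipv6-icmp from :: to ff02::/16
ip6fw add allow ipv6-icmp from fe80::/10 to fe80::/10
ip6fw add allow ipv6-icmp from fe80::/10 to ff02::/16
ip6fw add 2100 allow ipv6 from $1 to any
ip6fw add 2200 allow ipv6-icmp from any to any
ip6fw add 2300 allow tcp from any to any established
ip6fw add 3000 deny log all from any to any
EOF
}

# Dry run: print the commands. To apply them on the Mac (root required):
#   ip6fw_rules 2a01:e35:eeee:eeee::/64 | sudo sh
if [ "${1:-}" = "--print" ]; then ip6fw_rules "${2:-2a01:e35:eeee:eeee::/64}"; fi
```

Run it as `sh script.sh --print PREFIX` to review the rules before piping them to a root shell, or call it from the LaunchDaemon mentioned above so the table is rebuilt at boot.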