Firewall IP blocking: IPv6 not possible

imc67

Hi,

After reading this thread https://forum.cloudron.io/topic/3154/new-firewall-feature-issues I decided to block the top 8 IP's of countries that are causing the most cyber attacks in the world.

That worked out fine, currently almost 21k IPv4 ranges are in the firewall.

Then I also wanted to add the IPv6 ranges, but that gave an error:

2001:0618:0000:0000:0000:0000:0000:0000/32 is not a valid IP or range

Is it possible to add the functionality for adding IPv6 ranges as well?

Kind regards,
Marcel.

mehdi

@imc67 I don't think Cloudron even listens on ipv6 actually ...

girish

@imc67 what @mehdi said. Cloudron does not listen on ipv6. All incoming traffic is ipv4 only.

imc67

@girish you've said before (I guess in this forum) that IPv6 works when you manually set AAAA records of (sub)domains in your DNS to the IPv6 of your Cloudron. I did that months ago and it works perfect. I can see that i.e. our Wordpress receives traffic from IPv6.

We need IPv6 (in Wordpress) because of the REST-API used by our iOS app.

So, yes it works, it's in (almost 2021) strange that Cloudron doesn't support it out of the box but also the firewall doesn't handle it ...

girish

@imc67 Ah that way. I didn't realize you setup a AAAA record manually. If so, yes, then the incoming traffic can have IPv6. Your comment sounds very similar to mine - https://forum.cloudron.io/post/6096 ha ha. Maybe you can open a feature request for IPv6 support, I am not sure how many people "require" this / are blocked by this. But happy to add it, if it's seen as important (relative to other requests).

imc67

@girish

imc67

@girish said in Firewall IP blocking: IPv6 not possible:

Maybe you can open a feature request for IPv6 support, I am not sure how many people "require" this / are blocked by this. But happy to add it, if it's seen as important (relative to other requests).

Just did that: please vote for: https://forum.cloudron.io/topic/3786/include-ipv6-into-cloudron

robi

@imc67 said in Firewall IP blocking: IPv6 not possible:

After reading this thread https://forum.cloudron.io/topic/3154/new-firewall-feature-issues I decided to block the top 8 IP's of countries that are causing the most cyber attacks in the world.

Marcel, can you share more detail about your chosen block list and how others can do the same?

imc67

@robi said in Firewall IP blocking: IPv6 not possible:

Marcel, can you share more detail about your chosen block list and how others can do the same?

Sure!

top 10 countries of attacks: https://www.privacyaffairs.com/geopolitical-attacks/

Source of country ip's: https://www.ipdeny.com/ipblocks/

I've choosen to only block those below, we don't expect any necessary traffic from those countries (it's more than 45% of the known Countries where attacks come from):

China: https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone

Russia: https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone

North Korea: https://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone

Iran: https://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone

Pakistan: https://www.ipdeny.com/ipblocks/data/aggregated/pk-aggregated.zone

Syria: https://www.ipdeny.com/ipblocks/data/aggregated/sy-aggregated.zone

India: https://www.ipdeny.com/ipblocks/data/aggregated/in-aggregated.zone

Vietnam: https://www.ipdeny.com/ipblocks/data/aggregated/vn-aggregated.zone

All those IP's copy-pasted in Cloudron > Network> Firewall, currently 20906 ranges blocked.

I added them this morning and I can tell now already that spam has reduced with 90%