Firewall IP blocking: IPv6 not possible
-
Hi,
After reading this thread https://forum.cloudron.io/topic/3154/new-firewall-feature-issues I decided to block the top 8 IP's of countries that are causing the most cyber attacks in the world.
That worked out fine, currently almost 21k IPv4 ranges are in the firewall.
Then I also wanted to add the IPv6 ranges, but that gave an error:
2001:0618:0000:0000:0000:0000:0000:0000/32 is not a valid IP or range
Is it possible to add the functionality for adding IPv6 ranges as well?
Kind regards,
Marcel. -
@girish you've said before (I guess in this forum) that IPv6 works when you manually set AAAA records of (sub)domains in your DNS to the IPv6 of your Cloudron. I did that months ago and it works perfect. I can see that i.e. our Wordpress receives traffic from IPv6.
We need IPv6 (in Wordpress) because of the REST-API used by our iOS app.
So, yes it works, it's in (almost 2021) strange that Cloudron doesn't support it out of the box but also the firewall doesn't handle it ...
-
@imc67 Ah that way. I didn't realize you setup a AAAA record manually. If so, yes, then the incoming traffic can have IPv6. Your comment sounds very similar to mine - https://forum.cloudron.io/post/6096 ha ha. Maybe you can open a feature request for IPv6 support, I am not sure how many people "require" this / are blocked by this. But happy to add it, if it's seen as important (relative to other requests).
-
@girish said in Firewall IP blocking: IPv6 not possible:
Maybe you can open a feature request for IPv6 support, I am not sure how many people "require" this / are blocked by this. But happy to add it, if it's seen as important (relative to other requests).
Just did that: please vote for: https://forum.cloudron.io/topic/3786/include-ipv6-into-cloudron
-
@imc67 said in Firewall IP blocking: IPv6 not possible:
After reading this thread https://forum.cloudron.io/topic/3154/new-firewall-feature-issues I decided to block the top 8 IP's of countries that are causing the most cyber attacks in the world.
Marcel, can you share more detail about your chosen block list and how others can do the same?
-
@robi said in Firewall IP blocking: IPv6 not possible:
Marcel, can you share more detail about your chosen block list and how others can do the same?
Sure!
top 10 countries of attacks: https://www.privacyaffairs.com/geopolitical-attacks/
Source of country ip's: https://www.ipdeny.com/ipblocks/
I've choosen to only block those below, we don't expect any necessary traffic from those countries (it's more than 45% of the known Countries where attacks come from):
China: https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
Russia: https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
North Korea: https://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone
Iran: https://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone
Pakistan: https://www.ipdeny.com/ipblocks/data/aggregated/pk-aggregated.zone
Syria: https://www.ipdeny.com/ipblocks/data/aggregated/sy-aggregated.zone
India: https://www.ipdeny.com/ipblocks/data/aggregated/in-aggregated.zone
Vietnam: https://www.ipdeny.com/ipblocks/data/aggregated/vn-aggregated.zone
All those IP's copy-pasted in Cloudron > Network> Firewall, currently 20906 ranges blocked.
I added them this morning and I can tell now already that spam has reduced with 90%
-
-
-
@girish said in Firewall IP blocking: IPv6 not possible:
... Maybe you can open a feature request for IPv6 support, I am not sure how many people "require" this / are blocked by this. But happy to add it, if it's seen as important (relative to other requests).
Actually, this is going to be more and more frequent as cloud and hosting providers are starting to charge extra for IPv4 while you get an IPv6 range at no charge. I guess before long we will be all running mainly on IPv6 addresses.