Best way to whitelist IPv6 local loopback

Post by Spork Schivago »

Hello,

If I wanted to whitelist my server's IPv6 local loopback address, do I need to whitelist:

    ::1/128
    fe80::/10

Or would

    ::1/128

be enough? Essentially, is it a good idea to whitelist the link-local address (fe80)? Also, should it be fe80::/10 or fe80::/64? I'm still struggling a little with the IPv6 stuff.

Thanks!!!

Post by ForumAdmin »

The localhost address for IPv6 should already be whitelisted in the same way localhost is for IPv4. In iptables parlance, you will see !lo which basically means ignore the loopback device.

Additionally, lfd itself ignores 127.0.0.0/8 as well as ::1/128 so that the loopback IPs should never be actively blocked.

Post by Spork Schivago »

ForumAdmin wrote: 18 Jun 2017, 21:30
> The localhost address for IPv6 should already be whitelisted in the same way localhost is for IPv4. In iptables parlance, you will see !lo which basically means ignore the loopback device.
>
> Additionally, lfd itself ignores 127.0.0.0/8 as well as ::1/128 so that the loopback IPs should never be actively blocked.

Thank you! I've been manually whitelisting them. I feel like such a fool!

There's no way to currently whitelist by DNS name, correct? For example, I cannot whitelist scanmyserver.com, I have to whitelist every IP address that they use or whitelist the entire netblock that they're assigned, right? Something like 192.168.2.0/24 would work to whitelist everything from 192.168.2.1 - 192.168.2.254, but something like scanmyserver.com in csf.allow and csf.ignore won't work.

Post by ForumAdmin »

You could use csf.dyndns for that; also check the DYNDNS settings in csf.conf.

Post by Spork Schivago »

Wow! Thank you ForumAdmin! That csf.dyndns is exactly what I was looking for! Much appreciated.
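
Added example, not part of the original thread and not csf/lfd code: a Python audit of allow-list entries against the points raised above (loopback ranges lfd already ignores, how much fe80::/10 and fe80::/64 each cover, and hostnames that are not IP entries). The function names, the one-entry-per-line format with `#` comments, and the sample list are assumptions made for illustration.

```python
import ipaddress

# Ranges the thread says lfd already ignores, so listing them is redundant.
LFD_IGNORED = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("::1/128")]
# Link-local space: addresses here belong to every IPv6 host on the same
# link, not only to this server, so allowing it trusts all on-link neighbours.
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def classify(entry):
    """Return (label, address_count) for one IP, CIDR or hostname entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an IP or CIDR; the thread points to csf.dyndns for names.
        return "hostname", 0
    for ignored in LFD_IGNORED:
        if net.version == ignored.version and net.subnet_of(ignored):
            return "redundant-loopback", net.num_addresses
    if net.version == 6 and net.overlaps(LINK_LOCAL_V6):
        return "link-local", net.num_addresses
    return "ok", net.num_addresses


def audit(text):
    """Classify each non-empty entry; '#' starts a comment (assumed format)."""
    results = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            label, count = classify(entry)
            results.append((entry, label, count))
    return results


# Constructed sample list using the values mentioned in the thread.
SAMPLE = """\
::1/128            # IPv6 loopback
127.0.0.1
fe80::/10
fe80::/64
192.168.2.0/24
scanmyserver.com
"""

if __name__ == "__main__":
    for entry, label, count in audit(SAMPLE):
        print(f"{entry:20} {label:20} {count}")
```

fe80::/64 is a subnet of fe80::/10, and both are reported as link-local because either one allows addresses held by other hosts on the link.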