Best way to whitelist IPv6 local loopback

Posted: 18 Jun 2017, 18:09
by Spork Schivago
Hello,

If I wanted to whitelist my server's IPv6 local loopback address, do I need to whitelist:

Code:

::1/128
fe80::/10

Or would

Code:

::1/128

be enough? Essentially, is it a good idea to whitelist the link-local address (fe80)? Also, should it be fe80::/10 or fe80::/64? I'm still struggling a little with the IPv6 stuff.

Thanks!!!

Re: Best way to whitelist IPv6 local loopback

Posted: 18 Jun 2017, 21:30
by ForumAdmin
The localhost address for IPv6 should already be whitelisted in the same way localhost is for IPv4. In iptables parlance, you will see !lo which basically means ignore the loopback device.

Additionally, lfd itself ignores 127.0.0.0/8 as well as ::1/128 so that the loopback IPs should never be actively blocked.

Re: Best way to whitelist IPv6 local loopback

Posted: 18 Jun 2017, 21:48
by Spork Schivago
ForumAdmin wrote: 18 Jun 2017, 21:30
The localhost address for IPv6 should already be whitelisted in the same way localhost is for IPv4. In iptables parlance, you will see !lo which basically means ignore the loopback device.

Additionally, lfd itself ignores 127.0.0.0/8 as well as ::1/128 so that the loopback IPs should never be actively blocked.

Thank you! I've been manually whitelisting them. I feel like such a fool!

There's no way to currently whitelist by DNS name, correct? For example, I cannot whitelist scanmyserver.com, I have to whitelist every IP address that they use or whitelist the entire netblock that they're assigned, right? Something like 192.168.2.0/24 would work to whitelist everything from 192.168.2.1 - 192.168.2.254, but something like scanmyserver.com in csf.allow and csf.ignore won't work.

Re: Best way to whitelist IPv6 local loopback

Posted: 18 Jun 2017, 21:51
by ForumAdmin
You could use csf.dyndns for that. Also check the DYNDNS settings in csf.conf.

Re: Best way to whitelist IPv6 local loopback

Posted: 18 Jun 2017, 22:38
by Spork Schivago
Wow! Thank you ForumAdmin! That csf.dyndns is exactly what I was looking for! Much appreciated.
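
The distinctions discussed in this thread, as an added example that is not part of any post and is not csf code: it audits allow-list entries with Python's standard `ipaddress` module, marking loopback entries that lfd already ignores, link-local entries (which are not loopback), and hostnames that are not addresses at all. The function names, the sample entries, and the simplified entry format (one address or CIDR per line, `#` starts a comment) are assumptions.

```python
import ipaddress

# Ranges the thread says lfd already ignores; allow-listing them is redundant.
LFD_IGNORED = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("::1/128")]
# IPv6 link-local range: addresses of this host AND of its on-link neighbours.
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")

def classify(entry):
    """Classify one address/CIDR entry; raises ValueError for non-addresses."""
    net = ipaddress.ip_network(entry, strict=False)
    for ignored in LFD_IGNORED:
        if net.version == ignored.version and net.subnet_of(ignored):
            return "redundant-loopback"
    if net.version == 6 and net.subnet_of(LINK_LOCAL_V6):
        return "link-local"
    return "other"

def contains_loopback(entry):
    """True if the entry covers the IPv6 loopback address ::1."""
    return ipaddress.ip_address("::1") in ipaddress.ip_network(entry, strict=False)

def audit(text):
    """Return (entry, classification) for each non-comment line."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            results.append((line, classify(line)))
        except ValueError:
            # Hostnames are not valid here; the thread points to csf.dyndns.
            results.append((line, "not-an-address"))
    return results

# Constructed sample entries taken from the values mentioned in the thread.
SAMPLE = """\
# constructed sample
::1/128
fe80::/10
fe80::/64          # a subset of fe80::/10
192.168.2.0/24
scanmyserver.com
"""

if __name__ == "__main__":
    for entry, kind in audit(SAMPLE):
        print(f"{entry:20} {kind}")
    print("fe80::/10 covers ::1?", contains_loopback("fe80::/10"))
```
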