netfilter/iptables project homepage - The netfilter.org "nftables" project

Hrm, I think I'm calling it a day (or a night). Couldn't figure out yet why on this #Proxmox server a Linux bridge wouldn't forward #Multicast Router Discovery (#MRD) messages generated via @troglobit's mrdisc. While sending to ff02::6a via ICMPv6 echo request or UDP works just fine...
Disabling multicast snooping on the bridge does not help either. Nor does "ebtables -I FORWARD -p IPv6 --ip6-destination ff02::6a -j ACCEPT".

Likely something with the #ip6tables with nf-call-ip6tables enabled...

Here's how you will know when you've blocked threads.net on Mastodon 4.1.0 and above, as well as the resulting #iptables and #ip6tables entries.

The below screenshots only show how to block one domain and 3 IP addresses. See the next post in this thread for an updated list of all #Meta domains' IP addresses to block so they don't steal your data and flood your servers with traffic! #FediBlock #Fediverse #Threads #Instagram #FediPact #AntiMeta #MetaBlock

After a couple of days' work, the systems on both servers now work via #IPv4 and also #IPv6 in #Docker containers with IP6 #NAT. The systems are no longer reachable via global IP6 addresses but instead only via internal #ULA unique local addresses. This makes #ufw firewall management with #ip6tables a lot easier and more secure, and #fail2ban now also works with IP6 accesses.
Too bad that the Docker documentation is rusty concerning the IP6 NAT feature. It cost me quite some time.
After days of work, all systems on both Linux servers now run correctly under both #IPv4 and #IPv6 in #Docker containers with IP6 #NAT. This means the systems are not reachable via directly addressable global IP6 addresses, but only via the internal #ULA unique local addresses. This makes #ufw firewall management with #ip6tables considerably easier, and #fail2ban also applies to IP6 accesses.
Unfortunately, Docker's documentation of the configuration for this is miserable; it cost a lot of time.

@Iaintshootinmis Happy to help. Methodologies are a bit different since networks are larger by orders of magnitude.
@thc built some nice scripts in the past: https://github.com/vanhauser-thc/thc-ipv6

If you run out of time scanning the subnets in scope, which is likely, you might want to try techniques like IPv6 DNS walk https://github.com/nomis/ip6walk

For Layer2 check link-local address scopes and multicast addresses like ff02::1 or ff02::2.

Generally, when it comes to filtering, I recommend checking whether they handle #IPv6 and #IPv4 addresses differently in #firewalls. While #iptables is used for IPv4, IPv6 uses #ip6tables.
