I am not a network professional, but a few years ago I required a rather simple network security setup, and installed Astaro on a box behind a broadband router. The goal of the setup was to restrict a single computer behind the Astaro to communicate with only a handful of IPv4 addresses, without interfering with other computers attached to the router. The setup worked and completely blocked any traffic other than to and from the allowed IP addresses.
I now have to implement a similar setup, but this time, I am concerned about IPv6 and potential leakage of unwanted/unauthorised IPv6 traffic into the computer behind the Astaro.
My internet provider has not fully implemented IPv6 for non-commercial customers. Using Test your IPv6, it appears that on some days an IPv6 address is assigned to me while on other days no IPv6 address can be detected. On the days that an IPv6 address is detected, the test indicates that Teredo is being used.
After searching through the documentation for Sophos, I have found that it is possible to disable IPv6, but how effective would this actually be in blocking undesired traffic? Given that Teredo is being used by my ISP, would it be theoretically possible to pass unwanted IPv6 traffic through the Astaro/Sophos in an IPv4 packet?
When I originally set up the Astaro a few years back, I was able to use packet filter rules to completely control traffic. If it is possible to pass unwanted IPv6 traffic in an IPv4 packet (carrying packet), would that IPv6 traffic have to originate from the same network as the IPv4 carrying packet, or could completely undesired, potentially harmful IPv6 traffic be hidden in and then surreptitiously delivered by the IPv4 carrying packet?
I have found that Teredo uses UDP port 3544. Would blocking this port prevent such a problem?
Is there a way to completely control all traffic so that any IPv6 traffic contained within an IPv4 packet is blocked?
Any feedback on this would be great.
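
The check the question describes, as an added example that is not part of the original post: a Python classifier that labels raw IPv4 packets carrying IPv6 inside them. UDP port 3544 comes from the post; IP protocol 41, the Teredo prefix 2001::/32 (RFC 4380), the function names and the sample packets are assumptions constructed for illustration, and the payload match is a heuristic.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                  # UDP port named in the post
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # RFC 4380 prefix (not in the post)
PROTO_UDP, PROTO_6IN4 = 17, 41                      # 41 = IPv6-in-IPv4 (not in the post)

def looks_like_ipv6(data):
    """True if data begins with a plausible 40-byte IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return False
    return struct.unpack("!H", data[4:6])[0] <= len(data) - 40

def classify(packet):
    """Label a raw IPv4 packet: proto41, teredo-port, teredo-payload or plain."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "plain"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == PROTO_6IN4:
        return "proto41"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != PROTO_UDP or frag_offset or len(packet) < ihl + 8:
        return "plain"          # non-first fragments carry no UDP header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if TEREDO_PORT in (sport, dport):
        return "teredo-port"    # traffic to or from a Teredo server or relay
    data = packet[ihl + 8:]
    if data[:2] == b"\x00\x00" and len(data) >= 8:
        data = data[8:]         # skip the 8-byte Teredo origin indication
    if looks_like_ipv6(data):
        src = ipaddress.IPv6Address(data[8:24])
        dst = ipaddress.IPv6Address(data[24:40])
        if src in TEREDO_PREFIX or dst in TEREDO_PREFIX:
            return "teredo-payload"   # Teredo between peers on another UDP port
    return "plain"

# Constructed sample packets (documentation addresses, zero checksums).
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

INNER_V6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)         # version 6, empty payload
            + ipaddress.IPv6Address("2001:0:db8::1").packed   # constructed Teredo-prefix source
            + ipaddress.IPv6Address("2001:db8::2").packed)
```
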