Prevent IPv6 local link on SDN VNet

FingerlessGloves
Oct 22, 2019
Hi,

It would be nice if there was an option to prevent IPv6 Link-Local happening on the bridges that get created. In my setup I've created a VNET for each VLAN I need, but I noticed each bridge has an IPv6 Link-Local, which means the host is listening on that network; ideally the host shouldn't have any IP addresses assigned to that network for security reasons.

For now I shall look at doing something like net.ipv6.conf.wgwin1.addr_gen_mode=1 in /etc/sysctl.d/ for the names I created, but it would be nice if there was a UI option to prevent any IPs getting added to it on the host side, or perhaps it's the default, unless an IP is directly given. I could disable IPv6 entirely on the host, but I feel that's OTT.

Unless I'm going about this wrong?
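As an added example (not from this thread, and not Proxmox's own tooling), a small POSIX sh helper for the sysctl approach above: it writes the addr_gen_mode=1 drop-in for the vnet names you pass it and checks an `ip -6 addr show` dump for any fe80:: address still present on a vnet. The drop-in file name, the vnet name "vnet20" and the sample dump are assumptions; "wgwin1" is the name from the post.

```shell
#!/bin/sh
# Added example: keep the Proxmox host off SDN vnet bridges at the IPv6 level
# by disabling link-local address generation (addr_gen_mode=1 = "none").

# Print one sysctl line per vnet name given as an argument.
gen_sysctl() {
    for vnet in "$@"; do
        printf 'net.ipv6.conf.%s.addr_gen_mode = 1\n' "$vnet"
    done
}

# Return 0 if interface $1 has no fe80:: address in the `ip -6 addr show`
# dump passed as $2, 1 if a link-local address is still present.
has_no_link_local() {
    iface=$1
    dump=$2
    # awk: remember which interface block we are in, flag an fe80 line in it
    printf '%s\n' "$dump" | awk -v want="$iface" '
        /^[0-9]+: / { split($2, a, ":"); cur = a[1] }
        cur == want && $1 == "inet6" && $2 ~ /^fe80:/ { found = 1 }
        END { exit found ? 1 : 0 }'
}

# Apply on a host (run as root; file name is an assumption): write the
# drop-in, load it, then flush any link-local already on the bridge, since
# changing addr_gen_mode does not remove an address generated earlier.
apply_no_link_local() {
    conf=/etc/sysctl.d/90-sdn-no-link-local.conf
    gen_sysctl "$@" > "$conf"
    sysctl -q -p "$conf"
    for vnet in "$@"; do
        ip -6 addr flush dev "$vnet" scope link
    done
}

# Constructed sample of `ip -6 addr show`: wgwin1 still has a link-local,
# vnet20 does not (it is absent from the dump).
SAMPLE_DUMP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: wgwin1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::be24:11ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever'

# Real check on a live host would be: has_no_link_local wgwin1 "$(ip -6 addr show)"
```

After a reboot, confirm with `ip -6 addr show dev wgwin1` that the bridge came up without an fe80:: address, since the setting only prevents addresses generated after it is in place.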
 
You can use the firewall to restrict that access to the host as it is, no code, no edit :P

But it's true it could be disabled using ifupdown2, so that interfaces with something like "enable (or disable) link local v6" have the appropriate sysctl set. Go and patch it. And it could be reasonable, but then again, if you enable the IP filter on the VM, no added code haha, and IIRC, it will not let LL traffic through. :P
 
The firewall way works for the underlying bridge.. but it seems that by default vnets allow that traffic (set up using SDN), which to me, is a bug, I'll investigate..

EDIT: Yes.. damned. I'll open a bug but if you have firewall on, on a host, link local is blocked from a bridge set directly on the host. But not on one set up through SDN.. even if firewall is enabled on that vnet (which probably means ingress anyway..).
 
I agree the Proxmox Firewall will help with the host having a LL on those bridges/interfaces, but from a security audit point of view, they may say that's not enough. I think for now I'll go for the sysctl option. Then if needed I can prove the hosts don't have any direct access to those VNETs and there is also the Firewall there. Belt and braces. Ideally the host should only be able to talk on the very few networks it needs to function and just forward the rest.
 
I really think we need either generally allowing disabling link-local on an interface, or simply deny any IP configuration on the SDN bridges.. or a bit nicer, being able to mark it for VM traffic only. This bug is not good on default setup btw.. This allows for so many kinds of attacks on hosts from the VMs..
 
I feel marking a vnet as "VM traffic only" would be a nice clear way to present the option, ideally default option too, I can't see many wanting the host to be "on" the vnet.

I just reread your message, and that's bad the firewall isn't applying to the SDN bridge. I'm glad you tested that; it could have gone unnoticed for a while.