Following up from the update a couple of weeks ago, I’ve just made another update live for Sympl, updating the firewall package to version x.20220719.0.
The only effective change here is to reduce the IPv6 network masks when blacklisting addresses, and in the vast majority of cases, you won’t notice any changes.
For those interested, here’s a bit more information as to what this change actually is (everyone else can skip the rest!):
Previously when the blacklist was triggered for an IPv6 address (from multiple failed attempts to SSH to the server, failed mail logins and so on) rather than blocking the individual IP address, Sympl would block the whole /64 range, which means it’s blocking 18.4 quintillion (18,446,744,073,709,551,616) addresses, or what is often a single LAN or subnet.
This is simply because in many IPv6 environments multiple devices share a large /64 subnet that is linked to a single ‘owner’, so blocking the whole network makes sense, especially as a single device may have multiple IPs assigned to it.
In most cases this is fine, but in a few cases where there’s IPv4 to IPv6 NAT in place, or a reasonably tidy network, it can result in the whole network being blocked, causing knock-on issues where unexpected things are blocked, going as far as blocking your provider’s DNS servers or routers and effectively cutting IPv6 off entirely.
With this in mind, the default range block has been cut down to a /112 (the last block of 4 characters in the IPv6 address), which only affects 65,536 IPv6 addresses, and will often block a single device based on the way the addresses are assigned.
While in theory this is less secure than blocking the whole /64 network, in practice we’ve seen little to no evidence of third parties scanning from multiple IPv6 addresses on the same network or host. Most scanning activity tends to come from botnets of compromised servers all over the internet, so blocking the /64 rather than the more targeted /112 wouldn’t make a significant difference.
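To make the difference between the two prefix lengths concrete, here is an added example (not Sympl’s firewall code) that widens an offending address to a /64 and to a /112 and checks which other hosts on the same network would be caught by each. All addresses are constructed from the 2001:db8::/32 documentation prefix; the “DNS server”, “router” and neighbouring device are hypothetical bystanders chosen to illustrate the knock-on effect described above.

```python
"""Added example, not part of Sympl: compare the reach of an IPv6 blacklist
entry when the offending address is masked to /64 versus /112."""
import ipaddress
from typing import Iterable, List, Set


def blocked_network(addr: str, prefixlen: int) -> ipaddress.IPv6Network:
    """Return the network a blacklist entry for `addr` covers once the
    address is masked down to `prefixlen` bits (strict=False keeps the
    host bits from raising an error and zeroes them instead)."""
    return ipaddress.IPv6Network((ipaddress.IPv6Address(addr), prefixlen), strict=False)


def is_blocked(addr: str, networks: Iterable[ipaddress.IPv6Network]) -> bool:
    """True if `addr` falls inside any of the blocked networks."""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in networks)


def collateral(offenders: Iterable[str], bystanders: Iterable[str], prefixlen: int) -> List[str]:
    """Return the bystander addresses (in address order) that would be blocked
    as a side effect of masking each offender to `prefixlen`."""
    nets: Set[ipaddress.IPv6Network] = {blocked_network(a, prefixlen) for a in offenders}
    return sorted((b for b in bystanders if is_blocked(b, nets)), key=ipaddress.IPv6Address)


# Constructed sample data (documentation prefix, hypothetical roles).
OFFENDERS = ["2001:db8:1:2:3:4:5:6"]          # host that failed SSH logins repeatedly
BYSTANDERS = [
    "2001:db8:1:2::53",                        # provider's DNS resolver, same /64
    "2001:db8:1:2::1",                         # upstream router, same /64
    "2001:db8:1:2:3:4:5:9",                    # second address on the same device, same /112
    "2001:db8:9::1",                           # unrelated host on another network
]


def main() -> None:
    for prefixlen in (64, 112):
        net = blocked_network(OFFENDERS[0], prefixlen)
        hit = collateral(OFFENDERS, BYSTANDERS, prefixlen)
        print(f"/{prefixlen}: blocks {net} ({net.num_addresses} addresses); "
              f"also catches {hit or 'nothing else'}")


if __name__ == "__main__":
    main()
```

Running it shows the /64 entry silently taking out the router and resolver alongside the offender, while the /112 entry still covers the offender’s neighbouring address but leaves the rest of the network reachable.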
As always, if anyone has any questions, just post here or drop me a private message.