I wasn't very familiar with IPv6 firewall rules before, so I had been opening the same port on every machine on the LAN, for example allowing port 80 to all machines. That meant anyone outside could reach every machine on the LAN that had port 80 open, which is a security risk.
Today I had some time to go through the IPv6 material and worked out how to write a rule that opens a specific port on the internal Synology only.
If you have time, read the Wikipedia page on the structure of IPv6 addresses and prefix lengths:
https://en.wikipedia.org/wiki/IPv6_address
Special addresses (from the Wikipedia page above; see also: Reserved IP addresses § IPv6)

There are a number of addresses with special meaning in IPv6.[26] They represent less than 2% of the entire address space:

| Address block (CIDR) | First address | Last address | Number of addresses | Usage | Purpose |
|---|---|---|---|---|---|
| ::/0 | :: | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^128 | Routing | Default route (no specific route) |
| ::/128 | :: | :: | 1 | Software | Unspecified address |
| ::1/128 | ::1 | ::1 | 1 | Host | Loopback address to the local host |
| ::ffff:0:0/96 | ::ffff:0.0.0.0 | ::ffff:255.255.255.255 | 2^(128−96) = 2^32 = 4294967296 | Software | IPv4-mapped addresses |
| ::ffff:0:0:0/96 | ::ffff:0:0.0.0.0 | ::ffff:0:255.255.255.255 | 2^32 | Software | IPv4-translated addresses |
| 64:ff9b::/96 | 64:ff9b::0.0.0.0 | 64:ff9b::255.255.255.255 | 2^32 | Global Internet | IPv4/IPv6 translation.[27] |
| 100::/64 | 100:: | 100::ffff:ffff:ffff:ffff | 2^64 | Routing | Discard prefix.[28] |
| 2001::/32 | 2001:: | 2001::ffff:ffff:ffff:ffff:ffff:ffff | 2^96 | Global Internet | Teredo tunneling |
| 2001:20::/28 | 2001:20:: | 2001:2f:ffff:ffff:ffff:ffff:ffff:ffff | 2^100 | Software | ORCHIDv2.[29] |
| 2001:db8::/32 | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 2^96 | Documentation | Addresses used in documentation and example source code.[30] |
| 2002::/16 | 2002:: | 2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^112 | Global Internet | The 6to4 addressing scheme (now deprecated).[31] |
| fc00::/7 | fc00:: | fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^121 | Private network | Unique local address.[32] |
| fe80::/10 | fe80:: | febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^118 | Link | Link-local address |
| ff00::/8 | ff00:: | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | 2^120 | Global Internet | Multicast address |
On China Mobile's IPv6 network, if OpenWRT is configured correctly, every machine at home gets a public (global) IPv6 address. There is no NAT on IPv6, so the OpenWRT firewall is the only thing between those machines and the Internet; by default, as in the figure below, it only lets in ICMP and the VPN protocols.
First open the Synology Info Center and look at the IPv6 address it has obtained.
Find the address that looks like 2409:8a55:2240:e440::88a/64 (a global address with a /64 prefix), then open OpenWRT and add a firewall rule.
For example, I want to open eMule's UDP port 4672 and BitTorrent's UDP port 6881 to the outside to improve download speed. Add a forwarding rule (source zone wan, destination zone lan; on IPv6 this is a plain allow rule, not a port forward) like the one in the figure below.
The key field is Destination address. Our Synology's IPv6 address is 2409:8a55:2240:e440::88a/64, but the public prefix China Mobile assigns is not fixed and changes every so often. The address is made up of the first four groups xxxx:xxxx:xxxx:xxxx (the /64 prefix, which comes from the ISP) and, after the double colon ::, the last four groups 0000:0000:0000:88a, which OpenWRT assigned on the LAN; because the first three of those groups are all zero, they are abbreviated to ::88a. Only that host part stays the same when the prefix changes.
I realise I'm not explaining this well; I'll add more material when I have time. In any case, the format that goes into the field is the one below.
So the Destination address is written as the host suffix with a negative prefix length: ::88a/-64. The minus sign tells OpenWrt's firewall to invert the mask and compare only the last 64 bits, so the rule keeps matching the NAS after the ISP rotates the prefix (if the LuCI form refuses the value, set dest_ip in /etc/config/firewall directly). Do not write ::88a/0: a prefix length of 0 masks off every bit, so that rule matches every destination address and reopens the ports on every machine on the LAN, which is exactly the situation described at the top. After saving, check with `fw3 print` (iptables builds) or `fw4 print` (nftables builds) that the generated rule compares only the low 64 bits (a mask of ::ffff:ffff:ffff:ffff) rather than ::/0.
Save and apply; the two ports are now reachable on the Synology from the public IPv6 Internet. Before trusting the rule, test from outside the LAN (a phone on mobile data with IPv6 will do) that the ports answer on the NAS address and not on any other machine's address.
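As an added example (not code from the original post or from OpenWrt), the following Python re-implements the prefix-length-to-mask logic so you can see why ::88a/0 matches every host while ::88a/-64 pins the rule to the NAS's host suffix, and it renders the matching /etc/config/firewall stanza. The sample addresses are constructed around the post's 2409:8a55:2240:e440::88a; the zone names wan/lan and the rule name are assumptions.

```python
import ipaddress
import textwrap

IPV6_BITS = 128
ALL_ONES = (1 << IPV6_BITS) - 1


def prefixlen_to_mask(bits: int) -> int:
    """Turn an OpenWrt-style prefix length into a 128-bit integer mask.

    A positive length keeps the leading bits (ordinary CIDR). A negative
    length is OpenWrt's suffix notation: the mask is built for abs(bits)
    and then inverted, so only the trailing bits are compared. This is a
    re-implementation for illustration, not OpenWrt's own code.
    """
    if not -IPV6_BITS <= bits <= IPV6_BITS:
        raise ValueError("IPv6 prefix length must lie in [-128, 128]")
    n = abs(bits)
    mask = ((1 << n) - 1) << (IPV6_BITS - n)
    if bits < 0:
        mask = ~mask & ALL_ONES
    return mask


def matches(rule_addr: str, packet_dst: str) -> bool:
    """Would a rule whose Destination address is `rule_addr` match `packet_dst`?"""
    ip_text, _, bits_text = rule_addr.partition("/")
    bits = int(bits_text) if bits_text else IPV6_BITS
    mask = prefixlen_to_mask(bits)
    want = int(ipaddress.IPv6Address(ip_text))
    have = int(ipaddress.IPv6Address(packet_dst))
    return (have & mask) == (want & mask)


def uci_rule(name: str, dest_ip: str, ports, proto: str = "udp") -> str:
    """Render an /etc/config/firewall stanza for a wan->lan IPv6 allow rule.

    Zone names 'wan' and 'lan' are the OpenWrt defaults (assumed here).
    """
    port_list = " ".join(str(p) for p in ports)
    return textwrap.dedent(f"""\
        config rule
            option name '{name}'
            option src 'wan'
            option dest 'lan'
            option family 'ipv6'
            option proto '{proto}'
            option dest_ip '{dest_ip}'
            option dest_port '{port_list}'
            option target 'ACCEPT'
        """)


# Constructed sample addresses: the NAS from the post, another LAN host under
# the same prefix, and the same NAS after the ISP has rotated the prefix.
NAS_NOW = "2409:8a55:2240:e440::88a"
OTHER_HOST = "2409:8a55:2240:e440::1"
NAS_LATER = "2409:8a55:2241:1234::88a"

if __name__ == "__main__":
    for rule in ("::88a/0", "::88a/-64", "2409:8a55:2240:e440::88a/128"):
        hits = [a for a in (NAS_NOW, OTHER_HOST, NAS_LATER) if matches(rule, a)]
        print(f"{rule:32} matches {hits}")
    print(uci_rule("Allow-NAS-P2P-v6", "::88a/-64", [4672, 6881]))
```

Running it shows the three behaviours side by side: the /0 rule hits all three addresses (every LAN host is exposed), the /128 rule stops matching as soon as the prefix changes, and the /-64 rule follows the NAS across prefix changes without touching the other host.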