# IPv6: Private LAN: Security policy

## schorsch_76

Hi, 

I read a lot about IPv6. Currently my ISP provides both IPv4 and v6. I have currently turned off IPv6. I have a DSL modem which gets handled by an Alix board which runs Gentoo + pppd. I used radvd to supply the given prefix to my internal network.

BUT: On my server I have a v6 address too. I could directly ping to my laptop on my LAN.

I don't want to offer my internal services to the public... What security policy do you use for your LAN machines?

[1] http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/

----------

## UberLord

Firewall your services on your router so only clients within the prefix can access them.

You could even block inbound access to clients within your prefix from the internet entirely, unless they have a prior outbound route (this is the stateful bit of the firewall), which gives you the same security as IPv4 NAT in that the internal clients don't need a firewall.

I can't tell you how to do this on Linux as I use NetBSD to power my router.

----------
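
UberLord's suggestion above (drop new inbound connections to the prefix, allow replies to outbound ones) written as an nftables ruleset for a Linux router; this is an added example, not something posted in the thread. The interface names ppp0 and eth0, the prefix 2001:db8:0:1::/64 and the tcp/22 service are assumptions to replace with your own values.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: ppp0 = WAN (pppd),
# eth0 = LAN, 2001:db8:0:1::/64 = placeholder for the ISP-delegated prefix,
# tcp/22 = a constructed example of a service running on the router itself.

define WAN = "ppp0"
define LAN = "eth0"
define LAN_PREFIX = 2001:db8:0:1::/64

# Recreate only this table so IPv4 rules and other tables stay untouched.
table ip6 lan_guard
delete table ip6 lan_guard

table ip6 lan_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful part: replies to flows a LAN client opened. ICMPv6
        # errors tied to such a flow (e.g. packet-too-big) match "related".
        ct state established,related accept
        ct state invalid drop

        # LAN clients may open connections outward, from the prefix only.
        iifname $LAN oifname $WAN ip6 saddr $LAN_PREFIX accept

        # New connections arriving on the WAN side for LAN hosts, including
        # echo-request, match nothing above and fall to "policy drop".
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Neighbour discovery and router solicit/advert must keep working,
        # otherwise radvd and address resolution break.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Only needed if the prefix is obtained via DHCPv6 (assumption).
        iifname $WAN ip6 saddr fe80::/10 udp dport 546 accept

        # Services on the router: reachable from the LAN prefix only.
        iifname $LAN ip6 saddr $LAN_PREFIX tcp dport 22 accept
    }
}
```

The file can be syntax-checked without loading it using `nft -c -f <file>`, then applied with `nft -f <file>`.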

## Ant P.

 *schorsch_76 wrote:*   

> I don't want to offer my internal services to the public... What security policy do you use for your LAN machines?

 

I give them a site-local prefix (fd00::/8) and bind internal services to those addresses. It's the same as having 192.168 IPv4 addresses.

----------

## schorsch_76

Thanks for the input :)

----------

