• 4 Posts
  • 190 Comments
Joined 1 year ago
cake
Cake day: June 4th, 2023

help-circle

  • We don’t have many unit tests that test against live APIs, most use mock APIs for testing.

    The only use for this header would be if somebody sees it during development, at which point it would already be in the documentation or if you explicitly add a feature to look if the header is present. Which I don’t see happening any time soon since we get mailed about deprecations as well.


  • I don’t really get the purpose of a header like this, who is supposed to check it? It’s not like developers casually check the headers returned by an API every week.

    Write them a mail if you see deprecated functions being used by a certain API key, probably much more likely to reach somebody that way.

    Also, TIL that the IETF deprecated the X- prefix more than 10 years ago. Seems like that one didn’t pan out.



  • Yeah, I’m also on my third controller RMA. First the stick on the left controller started drifting, then the right controller’s plastic started peeling off and finally the right controller stopped working altogether.

    At least they did the third RMA for free way out of warranty.

    Had to buy a new headset cable on my own though when the display started flickering after 2 years. They also sent me a new plastic clip for the cable on the back when the old one broke and a new left speaker when it started crackling instead of requiring me to send in the full headset so that’s pretty cool.






  • There is this notion that IPv6 exposes any host directly to the internet, which is not correct. When the client IP is attacked “directly” the attacker still talks to the router responsible for your network first and foremost.

    While a misconfiguration on the router is possible, the same is possible on IPv4. In fact, it’s even a “feature” in many consumer routers called “DMZ host”, which exposes all ports to a single host. Which is obviously a security nightmare in both IPv4 and IPv6.

    Just as CGNAT is a thing on IPv4, you can have as many firewalls behind one another as you want. Just because the target IP always is the same does not mean it suddenly is less secure than if the IP gets “NATted” 4 times between routers. It actually makes errors more likely because diagnosing and configuring is much harder in that environment.

    Unless you’re aggressively rotating through your v6 address space, you’ve now given advertisers and data brokers a pretty accurate unique identifier of you. A much more prevalent “attack” vector.

    That is what the privacy extension was created for, with it enabled it rotates IP addresses pretty regularily, there are much better ways to keep track of users than their IP addresses. Many implementations of the privacy extension still have lots of issues with times that are too long or with it not even enabled by default.

    Hopefully that will get better when IPv6 becomes the default after the heat death of the universe.


  • With NAT on IPv4 I set up port forwarding at my router. Where would I set up the IPv6 equivalent?

    The same thing, except for the router translating 123.123.123.123 to 192.168.0.250 it will directly route abcd:abcd::beef to abcd:abcd::beef.

    Assuming you have multiple hosts in your IPv6 network you can simply add “port forwardings” for each of them. Which is another advantage for IPv6, you can port forward the same port multiple times for each of your hosts.

    I guess assumptions I have at the moment are that my router is a designated appliance for networking concerns and doing all the config there makes sense, and secondly any client device to be possibly misconfigured. Or worse, it was properly configured by me but then the OS vendor pushed an update and now it’s misconfigured again.

    That still holds true, the router/firewall has absolute control over what goes in and out of the network on which ports and for which hosts. I would never expose a client directly to the internet, doesn’t matter if IPv4 or IPv6. Even servers are not directly exposed, they still go through firewalls.


  • Anything connected to an untrusted network should have a firewall, doesn’t matter if it’s IPv4 or IPv6.

    There’s functionally no difference between NAT on IPv4 or directly allowing ports on IPv6, they both are deny by default and require explicit forwarding. Subnetting is also still a thing on IPv6.

    If anything, IPv6 is more secure because it’s impossible to do a full network scan. My ISP assigned 4,722,366,482,869,645,213,696 addresses just to me. Good luck finding the used ones.

    With IPv4 if you spin up a new service on a common port it usually gets detected within 24h nowadays.



  • Domi@lemmy.secnd.metoSelfhosted@lemmy.worldHelp with IPv6
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    29 days ago

    Off the top of my head, why did you set the prefix to 0x1? I was under the impression that it only needs to be set if there are multiple vlans

    I have multiple VLANs, 0x1 is my LAN and 0x10 is my DMZ for example. I then get IP addresses abcd:abcd:a01::abcd in my LAN and abcd:abcd:a10::bcdf in my DMZ.

    However, I get a /56 from my ISP wich gets subnetted into /64. I heard it’s not ideal to subnet a /64 but you might want to double check what you really got.

    what are your rules for the WAN side of the firewall?

    Only IPv4 + IPv6 ICMP, the normal NAT rules for IPv4 and the same rules for IPv6 but as regular rule instead of NAT rule.

    My LAN interface is only getting an LLA so maybe it’s being blocked from communicating with the ISP router.

    If you enable DHCPv6 in your network your firewall should be the one to hand out IP addresses, your ISP assigns your OPNsense the prefix and your OPNsense then subnets them into smaller chunks for your internal networks.

    It is possible to do it without DHCPv6 but I didn’t read into it yet since DHCPv6 does exactly what I want it to do.


  • Domi@lemmy.secnd.metoSelfhosted@lemmy.worldHelp with IPv6
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    30 days ago

    I’m no expert on IPv6 but here’s how I did it on my OPNsense box:

    • Activate IPv6 on your WAN interface (probably already done)
    • Activate IPv6 on the LAN interface, use Track interface on IPv6, track the WAN interface and choose a prefix ID like 0x1
    • Activate DHCPv6 under Services -> ISC DHCPv6 for your LAN interface (you can shorten the range like ::eeee to ::ffff, you don’t have to type the full IP)
    • Activate Router advertisments under Services -> Router Advertisments for your LAN interface (set Advertisments to Managed and Priority to High

    After that your DHCP server should serve public IPv6 addresses inside of your prefix and clients should be able to connect to the internet.

    A few notes:

    • Don’t forget to add an allow rule for IPv6 on your LAN as well if you only have one for IPv4
    • Repeat the steps above for every VLAN you have, always use a different prefix ID
    • You don’t have to use NAT rules with IPv6 anymore and can just directly add a regular firewall rule to WAN with the target IP and port and you are done
    • Make sure you don’t have any of the various “Disable IPv6” toggles enabled, there’s a few in the firewall settings and general settings for example