I'm looking into setting up an IPv6 address for my server, which should help with the reliability of some services, but I'm unsure how to firewall my server for that.
I want to ensure that my server can only be contacted through ports 80 and 443 from outside the network, and nothing else can be contacted without previously announcing itself.
My modem has this page, which I'm not sure if I should change anything on. I'm unfamiliar with IDS and I don't know how well it works.
I gather you have Comcast Cable with a SMCD3GNV modem?
You would want to be very careful with that. 'IDS' typically refers to 'Intrusion Detection System'. On a dedicated enterprise firewall, that would include features like monitoring for signatures of malware communicating with a C&C server, detecting port scans, blah blah blah and alerting an administrator or SOC. On a consumer cable modem, it means absolutely nothing.
I have no experience with your particular cable modem, and how it's set up to work with Comcast, but if it's enabled for IPv6 it will get an IPv6 prefix, probably a /64 and then allocate addresses to machines within your network prefix on some basis. That might be random, that might be based off MAC addresses. It will include computers, it will include phones, it will likely include lightbulbs and other 'smart' shit if you have them. Port scanners are really really fast nowadays so those addresses can be guessed (especially if they're MAC-based and thus more predictable), or (if they're stable) anyone with legitimate or illegitimate access to logs anywhere (for example, from dumps of Wikipedia edit history where you edited without being logged in) can just port scan IPs they know were used at one point in the past and see what answers.
The problem is that your firewall options (assuming that Comcast's modem provider even implemented them properly) don't look sufficiently restrictive. All they do is let you block some stuff, and only for ALL machines on your local network. So you couldn't block HTTP/HTTPS access to your server without blocking it for other laptops/PCs on the network.
And any ports that don't happen to fall within their various random shitty options are presumably exposed. So if there's something that you don't INTEND to expose, like a Redis server running on 6379 or 9443 on any machine on your network, you no longer have the protection of home NAT routing, where people on the internet can't access that unless you DELIBERATELY expose it; it is now just freely exposed to the internet for anyone who finds the right IP.
Also, many ISPs don't give you a stable IPv6 allocation, so you aren't necessarily going to be that much better off.
Please consider leaving native IPv6 off and using something like Tailscale: you get all the advantages of IPv6, but you can have your own private network shared between your devices and shared with anyone who should have access to it, without accidentally sharing potentially vulnerable services with the whole internet.
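The reply above says MAC-based IPv6 addresses are predictable and that a scanner can guess them. The script below is an added example (not code from the thread or from any vendor) showing the mechanics: it derives the SLAAC address a host forms from its MAC under a /64 (modified EUI-64), recovers the MAC from such an address, and enumerates the candidate addresses for one vendor OUI. The prefix 2001:db8::/64, the MACs and the OUI are constructed sample values, and `SAMPLE_ADDRS` is a constructed list standing in for a lease table or log extract.

```python
"""Modified EUI-64 (SLAAC) address derivation and recovery (added example)."""
import ipaddress
from typing import Dict, Iterator, List, Optional


def eui64_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host without privacy extensions derives from `mac` under `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Modified EUI-64: flip the universal/local bit of the first octet,
    # then insert 0xfffe between the OUI and the device-specific half.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if `addr` carries a modified EUI-64 identifier, else None.

    The ff:fe marker is a heuristic: a random (RFC 4941/7217) identifier can
    contain it by chance, roughly 1 in 65536.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def leaking_hosts(addrs: List[str]) -> Dict[str, str]:
    """Map each MAC-derived address in `addrs` to the MAC it reveals."""
    found = {}
    for a in addrs:
        mac = mac_from_eui64(a)
        if mac is not None:
            found[str(ipaddress.IPv6Address(a))] = mac
    return found


def candidates_for_oui(prefix: str, oui: str, start: int = 0,
                       count: int = 1 << 24) -> Iterator[ipaddress.IPv6Address]:
    """Yield the EUI-64 addresses for device numbers start..start+count-1 of one OUI.

    The whole OUI is only 2**24 addresses, which is why a /64 gives no
    hiding when hosts use MAC-derived identifiers.
    """
    base = oui.replace(":", "").replace("-", "")
    if len(base) != 6:
        raise ValueError("OUI must be 24 bits")
    for n in range(start, min(start + count, 1 << 24)):
        yield eui64_from_mac(prefix, base + f"{n:06x}")


# Constructed sample: two MAC-derived addresses, one privacy-style address.
SAMPLE_ADDRS = [
    "2001:db8::211:22ff:fe33:4455",
    "2001:db8::a1b2:c3d4:e5f6:708",
    "2001:db8::4e01:3ff:feaa:bbcc",
]

if __name__ == "__main__":
    print(eui64_from_mac("2001:db8::/64", "00:11:22:33:44:55"))
    for addr, mac in leaking_hosts(SAMPLE_ADDRS).items():
        print(f"{addr} reveals MAC {mac}")
    for cand in candidates_for_oui("2001:db8::/64", "00:11:22", count=3):
        print("candidate", cand)
```

Running `leaking_hosts` over your own hosts' addresses (for example, from `ip -6 addr` on each box) tells you which of them are advertising their hardware address to the whole internet; those are the ones where a port scanner does not even need to guess, and where the "don't INTEND to expose it" services from the reply are easiest to find.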