TIPS IPv6 dual stack and extension permit/deny

[Randomandy]

Something I just realized while working with IPv6 dual stack and PIAF:

When employing extension permit/deny rules, the following:

deny = 0.0.0.0/0.0.0.0​

permit = 192.168.15.0/255.255.255.0​

means:

deny all IPv4 address space except for the IPv4 space specified in the permit rule....​

AND ALLOW ALL IPv6 address space.​

Similarly,

deny = ::/0​

means:

deny all IPv6 address space except for the address space specified in the permit rule...​

AND ALLOW ALL IPv4 address space.​

So, when operating dual-stack (IPv4 + IPv6), for the deny rule to behave as you probably intend (to deny everything), it needs to be set to:

deny = 0.0.0.0/0.0.0.0&::/0​

The & enables adding multiple rules via GUI, so

deny = 0.0.0.0/0.0.0.0&::/0​

permit 192.168.15.0/255.255.255.0​

denies everything except 192.168.15.0/255.255.255.0 in IPv4. No IPv6 addresses allowed.
"&" can also be used in the permit rule if you want to permit both an IPv4 block and and IPv6 block. e.g.

deny = 0.0.0.0/0.0.0.0&::/0​

permit 192.168.15.0/255.255.255.0&2001:dead:beef::/64​

Denies everything except 192.168.15.0/24 in IPv4 space and 2001:dead:beef::/64 in IPv6 space.

Otherwise, I am finding PIAF (20650 i386 Green, Yealink T19P, X-Lite 4.6.1) running smoothly so far with IPv6 and IPv4 endpoints. Just remember that the default PIAF firewall is set to default deny IPv6. So you will need to modify that before any IPv6 will work. And IIRC fail2ban isn't set up to defend (or capable of defending) against IPv6.