On Thu, 24 Mar 2022, Jeremy Ardley wrote:
On 24/3/22 1:11 am, Tim Woodall wrote:
I believe it's setting this to 2 that you want (I think there's a
setting to go in eni to do this too)
https://sysctl-explorer.net/net/ipv6/use_tempaddr/
My concern is that if I go to 1 or 2 then logging for non-email activity may
suffer.
I don't know how real network engineers would solve this, but at home I
tag all traffic based on MAC at my firewall so I can easily identify the
device in the iptables log regardless of the IP.
For traffic that is sent via an intercepting proxy I also rewrite the
IPv6 source address so that the (internal) IP is unique at the proxy.
Unknown MACs aren't allowed out.
But I'm as paranoid about unknown outbound connections as I am about
inbound ones - and, unfortunately, outbound is much harder to secure,
especially if you don't trust Google!
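As an added illustration of the MAC-based approach above (not code from either poster): the kernel LOG target writes a 14-octet MAC= field (destination MAC, source MAC, ethertype), so a log parser can attribute each IPv6 connection to a device by source MAC even while use_tempaddr rotates the host's source address, and can flag MACs that are not on the allow list. The device names, MACs and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample lines in kernel LOG target format (hypothetical hosts/addresses).
# The same laptop MAC appears with two different temporary IPv6 addresses.
SAMPLE_LOG = """\
Mar 24 10:00:01 fw kernel: FWD-OUT: IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:86:dd SRC=2001:db8:1::a1b2:c3d4:e5f6:1 DST=2001:db8:2::1 PROTO=TCP SPT=40001 DPT=443
Mar 24 11:30:07 fw kernel: FWD-OUT: IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:86:dd SRC=2001:db8:1::9f8e:7d6c:5b4a:2 DST=2001:db8:2::1 PROTO=TCP SPT=40002 DPT=443
Mar 24 11:31:00 fw kernel: FWD-OUT: IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:86:dd SRC=2001:db8:1::1 DST=2001:db8:3::25 PROTO=TCP SPT=51000 DPT=25
Mar 24 11:32:00 fw kernel: FWD-OUT: IN=br0 OUT=ppp0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:99:86:dd SRC=2001:db8:1::dead DST=2001:db8:4::1 PROTO=UDP SPT=5000 DPT=53
"""

# Hypothetical allow list: source MAC -> device name.
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01": "laptop", "aa:bb:cc:dd:ee:02": "mailhost"}

FIELD_RE = re.compile(r"\b(IN|OUT|MAC|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line plus the decoded source MAC,
    ethertype and device name, or None if the line has no usable MAC field."""
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) != 14:  # dst MAC (6) + src MAC (6) + ethertype (2)
        return None
    fields["src_mac"] = ":".join(octets[6:12])
    fields["ethertype"] = "".join(octets[12:14])  # "86dd" for IPv6
    fields["device"] = KNOWN_DEVICES.get(fields["src_mac"], "UNKNOWN:" + fields["src_mac"])
    return fields


def summarise(log_text):
    """Group connections by device (via MAC), collecting every source address seen."""
    per_device = defaultdict(lambda: {"addresses": set(), "connections": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        per_device[f["device"]]["addresses"].add(f["SRC"])
        per_device[f["device"]]["connections"] += 1
    return dict(per_device)


if __name__ == "__main__":
    for device, info in summarise(SAMPLE_LOG).items():
        print(device, info["connections"], sorted(info["addresses"]))
```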