squid disable ipv6 outbound traffic

squid disable ipv6 outbound traffic

Dmitri Seletski
Hello Dear Squidies,

Situation:

I have,

IPv4 only tunnel for security.

IPv6 enabled ISP.

VM with Squid in it, that works over bridge (so it has both NAT IPv4 IP
and IPv6 IP)


Problem:

When I go to some sites, Squid instead of pulling traffic over tunnel
provider, does it over IPv6 enabled ISP of mine, which defeats purpose
of VPN provider.

So I need to know how to kill IPv4, at least outbound traffic from Squid
to rest of Internetz pages. (and no, preference to IPv4 DNS is not an
option, as some pages are not available in IPv4, so I'd rather not see
them at all)

Thanks in advance!

Dmitri

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid disable ipv6 outbound traffic

Amos Jeffries
Administrator
On 2/12/18 10:14 am, Dmitri Seletski wrote:

> Hello Dear Squidies,
>
> Situation:
>
> I have,
>
> IPv4 only tunnel for security.
>
> IPv6 enabled ISP.
>
> VM with Squid in it, that works over bridge (so it has both NAT IPv4 IP
> and IPv6 IP)
>

FYI: Modern Internet connected software is required to prefer IPv6 over
the outdated and deprecated IPv4. Squid will not be the only software
with this behaviour so you need to do this properly (see below) not just
for Squid.

>
> Problem:
>
> When I go to some sites, Squid instead of pulling traffic over tunnel
> provider, does it over IPv6 enabled ISP of mine, which defeats purpose
> of VPN provider.

Is that VPN provider running your traffic through some specialized
security checking software?

If not then Squid is providing *better* security just by existing in the
traffic path. Even for that IPv6 traffic.


>
> So I need to know how to kill IPv4, at least outbound traffic from Squid
> to rest of Internetz pages. (and no, preference to IPv4 DNS is not an
> option, as some pages are not available in IPv4, so I'd rather not see
> them at all)

It is your OS which decides whether or not the VPN or the IPv6 is used
for any given connection.

So the proper way to do what you are asking is to set your VM's firewall
to only allow access through the VPN for connections made by Squid.
Connections to the IPv6 network should be rejected with an ICMPv6
"Network Unavailable" packet which makes Squid move on to the IPv4 attempts.

Amos
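
The firewall approach described in the reply above, as an added example that is not part of the original thread or of Squid itself: per-user egress rules that reject Squid's IPv6 connections with an ICMPv6 error and allow its IPv4 traffic only over the tunnel. The account name `proxy`, the interface `tun0`, and the choice of `icmp6-no-route` as the closest match to "Network Unavailable" are assumptions.

```shell
#!/bin/sh
# Added example: egress rules for the account Squid runs as.
# Assumed values, not taken from the thread; override via environment.
SQUID_USER="${SQUID_USER:-proxy}"   # assumed Squid service account
VPN_IF="${VPN_IF:-tun0}"            # assumed VPN tunnel interface

# Print the rule set, one command per line, without touching the firewall.
squid_egress_rules() {
    # Refuse names that could smuggle shell syntax into the generated commands.
    for v in "$1" "$2"; do
        case "$v" in ''|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    done
    m="-m owner --uid-owner $1"     # match only sockets owned by Squid
    # IPv6: keep loopback, reject everything else at once so Squid
    # falls back to the IPv4 addresses instead of waiting for a timeout.
    echo "ip6tables -A OUTPUT -o lo $m -j ACCEPT"
    echo "ip6tables -A OUTPUT $m -j REJECT --reject-with icmp6-no-route"
    # IPv4: loopback and the tunnel only. Squid's own DNS lookups are
    # covered too, so the resolver must be local or reachable via the VPN.
    echo "iptables -A OUTPUT -o lo $m -j ACCEPT"
    echo "iptables -A OUTPUT -o $2 $m -j ACCEPT"
    echo "iptables -A OUTPUT $m -j REJECT --reject-with icmp-net-unreachable"
}

rules=$(squid_egress_rules "$SQUID_USER" "$VPN_IF") || {
    echo "invalid user or interface name" >&2
    exit 2
}
if [ "${1:-}" = "--apply" ]; then
    printf '%s\n' "$rules" | sh -e   # needs root; stops at the first failure
else
    printf '%s\n' "$rules"           # default: dry run, print only
fi
```

The final IPv4 rule also makes Squid fail closed if the tunnel goes down, since no other interface is permitted for that account.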