[squid-users] squid disable ipv6 outbound traffic

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 2 09:42:25 UTC 2018


On 2/12/18 10:14 am, Dmitri Seletski wrote:
> Hello Dear Squidies,
> 
> Situation:
> 
> I have,
> 
> IPv4 only tunnel for security.
> 
> IPv6 enabled ISP.
> 
> VM with Squid in it, that works over bridge (so it has both NAT IPv4 IP
> and IPv6 IP).
> 

FYI: Modern Internet connected software is required to prefer IPv6 over
the outdated and deprecated IPv4. Squid will not be the only software
with this behaviour so you need to do this properly (see below) not just
for Squid.

> 
> Problem:
> 
> When I go to some sites, Squid instead of pulling traffic over tunnel
> provider, does it over IPv6 enabled ISP of mine, which defeats purpose
> of VPN provider.

Is that VPN provider running your traffic through some specialized
security checking software?

If not then Squid is providing *better* security just by existing in the
traffic path. Even for that IPv6 traffic.


> 
> So I need to know how to kill IPv4, at least outbound traffic from Squid
> to rest of Internetz pages. (and no, preference to IPv4 DNS is not an
> option, as some pages are not available in IPv4, so I'd rather not see
> them at all)

It is your OS which decides whether or not the VPN or the IPv6 is used
for any given connection.

So the proper way to do what you are asking is to set your VM's firewall
to only allow access through the VPN for connections made by Squid.
Connections to the IPv6 network should be rejected with an ICMPv6
"Network Unavailable" packet which makes Squid move on to the IPv4 attempts.

Amos
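
The firewall approach described in the reply above, as an added example that is not part of the original message or of Squid itself. It assumes a Linux VM with iptables/ip6tables, Squid running as user "proxy", a VPN interface named "tun0", and a DNS resolver reachable over loopback or the VPN; all of these names are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: Squid's effective user
# "proxy" and VPN interface "tun0"; override both through the environment.
SQUID_USER="${SQUID_USER:-proxy}"
VPN_IF="${VPN_IF:-tun0}"

# Emit the rule set as commands, one per line, so it can be reviewed first.
# Rule order matters: the first matching rule decides.
squid_vpn_rules() {
    user="$1"
    vpn_if="$2"

    # IPv6: keep loopback, then reject every NEW connection Squid originates.
    # The ICMPv6 "no route" reply makes the attempt fail at once instead of
    # timing out, so Squid moves on to the IPv4 addresses.
    echo "ip6tables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    echo "ip6tables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j REJECT --reject-with icmp6-no-route"

    # IPv4: Squid may open connections over loopback and the VPN only.
    # Matching on state NEW leaves replies to clients that connected to
    # Squid over the LAN interface untouched.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    echo "iptables -A OUTPUT -o $vpn_if -m owner --uid-owner $user -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j REJECT --reject-with icmp-net-unreachable"
}

# Print only; nothing is applied by this script.
squid_vpn_rules "$SQUID_USER" "$VPN_IF"
```

After reviewing the printed rules, pipe the output to `sh` as root to apply them. The same owner-match pattern covers any other local service that must not bypass the VPN.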

