Citrix ADC / NetScaler IPv6 Black and Whitelist

In this blog post from begining 2020 I created a black and white list for IPv4.
Here is an update to achieve the same but then for IPv6.
If you dont have IPv6 running already read this post 😉 

Note 1: The defaults are just for example and you need to fill in the public ip’s which you want to block/whitelist.
Note 2: Hackers use other ip’s or use VPN’s. So this is no 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉

# Add policy expressions
add policy expression POLEXP_IPv6_SUBNET_16 "CLIENT.IPV6.SRC.SUBNET(16)"
add policy expression POLEXP_IPv6_SUBNET_20 "CLIENT.IPV6.SRC.SUBNET(20)"
add policy expression POLEXP_IPv6_SUBNET_24 "CLIENT.IPV6.SRC.SUBNET(24)"
add policy expression POLEXP_IPv6_SUBNET_28 "CLIENT.IPV6.SRC.SUBNET(28)"
add policy expression POLEXP_IPv6_SUBNET_32 "CLIENT.IPV6.SRC.SUBNET(32)"
add policy expression POLEXP_IPv6_SUBNET_36 "CLIENT.IPV6.SRC.SUBNET(36)"
add policy expression POLEXP_IPv6_SUBNET_40 "CLIENT.IPV6.SRC.SUBNET(40)"
add policy expression POLEXP_IPv6_SUBNET_44 "CLIENT.IPV6.SRC.SUBNET(44)"
add policy expression POLEXP_IPv6_SUBNET_48 "CLIENT.IPV6.SRC.SUBNET(48)"

# IP/Subnet Blacklist
add policy patset PATSET_IPv6_Blacklist
bind policy patset PATSET_IPv6_Blacklist "2a02:a446::" -index 1
bind policy patset PATSET_IPv6_Blacklist "2a02:a446:3::" -index 2
bind policy patset PATSET_IPv6_Blacklist "2a02:a446:10::" -index 3
add responder policy RESPOL_IPv6_Blacklist "POLEXP_IPv6_SUBNET_16.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_20.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_24.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_28.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_32.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_36.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_40.EQUALS_ANY(\"PATSET_IPv6_Blacklist\") || POLEXP_IPv6_SUBNET_44.EQUALS_ANY(\"PATSET_IPv6_Blacklist\")|| POLEXP_IPv6_SUBNET_48.EQUALS_ANY(\"PATSET_IPv6_Blacklist\")" DROP

# IP/Subnet Whitelist
add policy patset PATSET_IPv6_Whitelist
bind policy patset PATSET_IPv6_Whitelist "2a02:a446::" -index 1 
bind policy patset PATSET_IPv6_Whitelist "2a02:a446:3::" -index 2
bind policy patset PATSET_IPv6_Whitelist "2a02:a446:10::" -index 3

This black and white list is a bit different then the IPv4 version. As we cant match the ipv6 subnet directly into the pattern set. To bad. 🙁

There are some examples in the pattern sets already and here is the explenation:

  • 2a02:a446::
    • The complete subnet is 2a02:a446:0000:0000:0000:0000:0000:0000
    • This equals to a /32 subnet
  • 2a02:a446:3::
    • The complete subnet is 2a02:a446:0003:0000:0000:0000:0000:0000
    • This equals to a /48 subnet
  • 2a02:a446:10::
    • The complete subnet is 2a02:a446:0010:0000:0000:0000:0000:0000
    • This equals to an /44 subnet

So when adding a subnet to the pattern set make sure you end with the double colons. And alway strip leading zeros, or else there will be no hit 😉

The expression in the responder policies will only filter /16, /20, /24, /28, /32, /36, /40, /44 and /48 subnets. Do you need others, change them and dont forget to add a policy expression as well.

Bind the required responder policy to the virtual server and you are good to go.

If someone has done it different please let me know in the comments. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top