IPv6 Mismatch

An IPv6 mismatch occurs when firewall rules protect a service on IPv4 but the same port is exposed and unprotected on IPv6, because UFW and iptables rules are not automatically duplicated across address families.

IPv6 mismatch is a silent security gap. UFW manages both IPv4 (iptables) and IPv6 (ip6tables) rules, but they must be explicitly configured. If the UFW IPv6 backend is not configured, a rule like ufw deny 5432 blocks only IPv4 connections to PostgreSQL: when IPV6=yes is not set in /etc/default/ufw, the IPv6 variant of the rule is not applied.

Many VPS providers (Hetzner, DigitalOcean) assign both IPv4 and IPv6 addresses to servers. A service bound to 0.0.0.0 (which in many configurations also binds to ::) may be accessible over IPv6 even when IPv4 access is blocked.

How to Check

Run ufw status verbose and look for IPv6 entries. Each allow/deny rule should appear in both the IPv4 and IPv6 sections. If IPv6 entries are missing, check /etc/default/ufw for IPV6=yes. Also verify with ip6tables -L INPUT — if the chain is empty while UFW is active, IPv6 rules are not being applied.
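
The parity check described above can be scripted. The following is an added example, not part of the original page and not ConfigClarity's tool: it parses ufw status verbose output, where IPv6 rules carry a (v6) suffix, and reports rules present in only one address family. The sample output and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample of `ufw status verbose`: 5432 is denied for IPv4 only.
SAMPLE = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
5432                       DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

RULE = re.compile(r"^(?P<to>.+?)\s+(?P<action>(?:ALLOW|DENY|REJECT|LIMIT)"
                  r"(?: (?:IN|OUT|FWD))?)\s+(?P<src>.+?)\s*$")
# Dotted quad, or two colons (IPv6); a port range like 6000:6007 has one colon.
ADDRESS = re.compile(r"\d+\.\d+\.\d+\.\d+|[0-9a-fA-F]*:[0-9a-fA-F]*:")

def parse_rules(status_text):
    """Split family-neutral rules into (ipv4, ipv6) sets of (to, action, from)."""
    v4, v6 = set(), set()
    for line in status_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # status header, column titles, separators, blank lines
        is_v6 = "(v6)" in line  # ufw marks IPv6 rules with this suffix
        to = m.group("to").replace("(v6)", "").strip()
        src = m.group("src").split("#")[0].replace("(v6)", "").strip()
        if ADDRESS.search(to) or ADDRESS.search(src):
            continue  # address-specific rules have no twin in the other family
        (v6 if is_v6 else v4).add((to, m.group("action"), src))
    return v4, v6

def parity_gaps(status_text):
    """Return rules that exist in one address family but not the other."""
    v4, v6 = parse_rules(status_text)
    return {"ipv4_only": sorted(v4 - v6), "ipv6_only": sorted(v6 - v4)}

if __name__ == "__main__":
    gaps = parity_gaps(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for family, rules in gaps.items():
        for to, action, src in rules:
            print(f"{family}: {to} {action} from {src}")
    sys.exit(1 if any(gaps.values()) else 0)
```

Pipe real ufw status verbose output into the script on stdin; it exits non-zero when a gap is found.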

Frequently Asked Questions

How do I enable IPv6 rules in UFW?
Edit /etc/default/ufw and set IPV6=yes. Then run ufw disable && ufw enable to reload. UFW will now create both iptables and ip6tables rules for every subsequent allow/deny command.

Does Docker expose ports on IPv6?
Docker's default bridge network does not expose IPv6 unless explicitly configured with --ipv6 in daemon.json. However, services bound to 0.0.0.0 may also bind to :: depending on the Linux kernel's net.ipv6.bindv6only setting.

How do I detect IPv6 firewall mismatches?
Paste your ufw status verbose output into ConfigClarity's Firewall Auditor. It compares IPv4 and IPv6 rule parity and flags rules that exist in one address family but not the other.