I created a web page to turn my kids' devices off that would just change the 'ufw deny/allow' for the devices' IPv4 addresses (these were always mapped to the same IP number via dnsmasq assigning them per MAC ID). This stopped working on the iOS devices a while back, and I'm just now trying to figure out what exactly is going on, but haven't been able to figure out why these devices don't get denied. I confirmed it still does work for my laptop. I've also made sure all my deny rules come first in my ufw setup.
I thought maybe it was because they were using IPv6. I've tried disabling IPv6 via /etc/default/ufw, but that doesn't seem to work. I've also tried to explicitly set the deny for the IPv6 address (address reported by ntopng) via "ufw insert 44 deny from fe80::####:####:####:####" where 44 was the first non-IPv4 rule.
I've turned up the logging of my ufw.log, and I see a lot of PROTO=ICMPv6, which makes me think that there's still some IPv6-type path the iOS devices are using.
Does anyone have a suggestion on what's special about the iOS devices, and how I might block them via UFW? I'm at a loss.
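One way to check which source addresses each device is really using, as an added example that is not part of the original post: it groups ufw.log entries by the sender's hardware address (octets 7 to 12 of the kernel's `MAC=` field) and lists the addresses that a deny rule on the assigned IPv4 address would not match. The log lines, MAC addresses, IP addresses and the `ASSIGNED` table are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel/UFW log format (not from the post).
SAMPLE_LOG = """\
Mar  3 10:00:01 gw kernel: [100.1] [UFW BLOCK] IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:aa:bb:cc:00:00:10:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50000 DPT=443
Mar  3 10:00:02 gw kernel: [100.2] [UFW ALLOW] IN=eth1 OUT=eth0 MAC=02:00:00:00:00:01:aa:bb:cc:00:00:20:08:00 SRC=192.168.1.137 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50001 DPT=443
Mar  3 10:00:03 gw kernel: [100.3] [UFW AUDIT] IN=eth1 OUT= MAC=33:33:00:00:00:02:aa:bb:cc:00:00:20:86:dd SRC=fe80:0000:0000:0000:a8bb:ccff:fe00:0020 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 PROTO=ICMPv6 TYPE=133 CODE=0
"""

# Assumed dnsmasq static leases: hardware address -> IPv4 the deny rule targets.
ASSIGNED = {
    "aa:bb:cc:00:00:10": "192.168.1.50",
    "aa:bb:cc:00:00:20": "192.168.1.51",
}

LINE_RE = re.compile(
    r"\[UFW (?P<action>[A-Z ]+)\].*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+)"
)

def sources_by_mac(log_text):
    """Map sender MAC -> {source address: [UFW actions logged for it]}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        octets = m.group("mac").split(":")
        if len(octets) != 14:   # destination MAC + source MAC + EtherType
            continue
        src_mac = ":".join(octets[6:12])
        seen[src_mac][m.group("src")].add(m.group("action"))
    return {mac: {ip: sorted(acts) for ip, acts in ips.items()}
            for mac, ips in seen.items()}

def unexpected_sources(log_text, assigned):
    """Addresses per MAC that a deny on the assigned IPv4 would not match."""
    report = {}
    for mac, ips in sources_by_mac(log_text).items():
        extra = sorted(ip for ip in ips if ip != assigned.get(mac))
        if extra:
            report[mac] = extra
    return report

if __name__ == "__main__":
    for mac, ips in unexpected_sources(SAMPLE_LOG, ASSIGNED).items():
        print(mac, "also sends from:", ", ".join(ips))
```

A hardware address that is missing from the lease table shows up with every address it used, which also reveals devices that are not getting the IPv4 address the rule was written for.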