[Bug 822959] New: When configuring networking with yast, using dhcp6, firewall blocks it.
https://bugzilla.novell.com/show_bug.cgi?id=822959
https://bugzilla.novell.com/show_bug.cgi?id=822959#c0

Summary: When configuring networking with yast, using dhcp6, firewall blocks it.
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: openSUSE 12.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: carlos.e.r@opensuse.org
QAContact: jsrain@suse.com
Found By: ---
Blocker: ---

I'm testing a new router that has IPv6 capabilities. I enabled its DHCP6 server, but oS 12.3 did not get an IPv6, only the IPv4 one. See:

rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link   <-- (1)
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3171265 (3.0 Mb)  TX bytes:379424 (370.5 Kb)

(1) that's a link local address, not one via dhcp

Log:
2013-06-03T20:57:04.618453+02:00 rescate1 network[6148]: eth0 Starting DHCP4+DHCP6 client. . . . . . . .
2013-06-03T20:57:04.619896+02:00 rescate1 ifup-dhcp[6561]:
2013-06-03T20:57:04.620840+02:00 rescate1 network[6148]: eth0 IP address: 192.168.1.31/24
2013-06-03T20:57:04.621691+02:00 rescate1 ifup-dhcp[6561]: eth0 IP address: 192.168.1.31/24
2013-06-03T20:57:04.622276+02:00 rescate1 network[6148]: eth0 DHCP6 continues in background
2013-06-03T20:57:04.623284+02:00 rescate1 ifup-dhcp[6561]: eth0 DHCP6 continues in background
2013-06-03T20:57:04.702500+02:00 rescate1 network[6148]: ..done eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
2013-06-03T20:57:04.703128+02:00 rescate1 ifup[8861]: eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
2013-06-03T20:57:04.704288+02:00 rescate1 network[6148]: No configuration found for eth1
2013-06-03T20:57:04.704996+02:00 rescate1 ifup[8861]: No configuration found for eth1
2013-06-03T20:57:04.726882+02:00 rescate1 network[6148]: ..unusedSetting up service network . . . . . . . . . . . . ...done
2013-06-03T20:57:04.726903+02:00 rescate1 systemd[1]: Started LSB: Configure network interfaces and set up routing.

The openSUSE firewall blocks it! Firewall log:

2013-06-03T20:57:04.158282+02:00 rescate1 kernel: [ 1675.547633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:57:21.676291+02:00 rescate1 kernel: [ 1693.065233] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:57:56.000281+02:00 rescate1 kernel: [ 1727.389585] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:59:07.315296+02:00 rescate1 kernel: [ 1798.704924] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112

The port 546 is assigned to it:

dhcpv6-client   546/tcp   # DHCPv6 Client
dhcpv6-client   546/udp   # DHCPv6 Client
dhcpv6-server   547/tcp   # DHCPv6 Server
dhcpv6-server   547/udp   # DHCPv6 Server

So, now, after explicitly opening that port, I get it:

rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link
          inet6 addr: fc00::7fff/64 Scope:Global   <--- correct IPv6 address.
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3288751 (3.1 Mb)  TX bytes:430544 (420.4 Kb)

I propose that YaST ifup config should automatically or manually (or at least suggest), open that port if dhcp6 (client) is enabled.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
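
Added example (not part of the original report and not SuSEfirewall2 code): a small Python parser for kernel drop lines in the format quoted in the report, counting dropped IPv6 UDP packets addressed to the DHCPv6 client port 546 per interface and source. The sample lines are constructed, and the function names are this example's own.

```python
import ipaddress
import re

KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the SFW2 kernel-log format shown in the report.
SAMPLE = [
    "kernel: [ 10.1] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=fe80:0000:0000:0000:0000:0000:0000:0001 "
    "DST=fe80:0000:0000:0000:0000:0000:0000:0002 LEN=152 TC=0 HOPLIMIT=64 PROTO=UDP SPT=48629 DPT=546 LEN=112",
    "kernel: [ 27.6] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=fe80:0000:0000:0000:0000:0000:0000:0001 "
    "DST=fe80:0000:0000:0000:0000:0000:0000:0002 LEN=152 TC=0 HOPLIMIT=64 PROTO=UDP SPT=48629 DPT=546 LEN=112",
    "kernel: [ 30.0] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.20 "
    "LEN=60 TTL=64 DF PROTO=TCP SPT=40000 DPT=22",
    "network[6148]: eth0 DHCP6 continues in background",
]

def parse_drop(line):
    """Return the key=value fields of an SFW2 drop line, or None for any other line."""
    m = re.search(r"\b(SFW2-\S*DROP\S*)\s+(.*)", line)
    if not m:
        return None
    fields = {"RULE": m.group(1)}
    for key, value in KV.findall(m.group(2)):
        fields.setdefault(key, value)  # LEN appears twice; keep the first (IP length)
    return fields

def is_dhcpv6_client_drop(fields):
    """True for an IPv6 UDP packet to port 546. The source port is not checked:
    the report's log shows SPT=48629 rather than 547."""
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return False
    return src.version == 6 and fields.get("PROTO") == "UDP" and fields.get("DPT") == "546"

def blocked_dhcpv6(lines):
    """Count matching drops per (interface, compressed source address)."""
    hits = {}
    for line in lines:
        fields = parse_drop(line)
        if fields and is_dhcpv6_client_drop(fields):
            key = (fields.get("IN", ""), str(ipaddress.ip_address(fields["SRC"])))
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for (iface, src), count in blocked_dhcpv6(SAMPLE).items():
        print(f"{iface}: {count} DHCPv6 packet(s) from {src} dropped before reaching the client")
```
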
FeiXiang Zhang
Steffen Winterfeldt
Michal Filka
Michal Filka
--- Comment #2 from Marcus Meissner
Carlos Robinson
Thanks for report.
Do you use default SuSEfirewall2 configuration?
AFAIK, current changes are: Telcontar:~ # diff /other/aux_01/etc/sysconfig/SuSEfirewall2~ /other/aux_01/etc/sysconfig/SuSEfirewall2 252c252 < FW_SERVICES_EXT_TCP="546" ---
FW_SERVICES_EXT_TCP="" 266c266 < FW_SERVICES_EXT_UDP="546"
FW_SERVICES_EXT_UDP="dhcpv6-client mdns" Telcontar:~ #
and they were done after the problem was detected.
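Review bot: the 252c252 pair carries 546 in FW_SERVICES_EXT_TCP, but every drop logged in this report is PROTO=UDP with DPT=546, and DHCPv6 runs over UDP, so the TCP entry opens a port on the external zone that the client never uses. Suggest leaving FW_SERVICES_EXT_TCP="" and carrying the client port only in FW_SERVICES_EXT_UDP, preferably by service name (dhcpv6-client) as on the other side of 266c266.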
Is /etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server existent at your machine?
Yep.

Telcontar:~ # l /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp*
-rw-r--r-- 1 root root 503 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp-server
-rw-r--r-- 1 root root 507 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server
Telcontar:~ #
Do you have net device where you expect dhcp replies assigned into any zone (INT, EXT, DMZ, ...)? If yes, which one? You can check it e.g. using "yast2 firewall" -> interfaces -> Look into "Configured in" column
To look in YaST, I would have to boot into that partition, and that has to wait a bit. I can tell you the contents of the firewall file:

/other/aux_01/etc/sysconfig/SuSEfirewall2:

FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""

Is that what you want? Or this?

Telcontar:~ # cat /other/aux_01/etc/sysconfig/network/ifcfg-eth0
BOOTPROTO='dhcp'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL8111/8168B PCI Express Gigabit Ethernet controller'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
Telcontar:~ #
From YaST POV there are two possibilities: (1) do not touch (2) enable 546/udp,tcp explicitly when dhcpv6 is enabled in services. I
Michal Filka
--- Comment #5 from Marcus Meissner
--- Comment #6 from Carlos Robinson
Marius Tomaschewski
--- Comment #9 from Bernhard Wiedemann
Marcus Meissner