Hi,

As far as I know not mentioned elsewhere yet. I found this using the linux adage "use the source".

The SuSEfirewall2 says that IPv6 is not supported in the script and that is because connection tracking is not yet in the kernel. Well, that is not exactly true. The kernel with 9.2 does support it (marked experimental). And the script does too!

How to get it working.. easy: in /etc/sysconfig/SuSEfirewall2 set:

FW_IPv6="yes"

or to anything else than "no", "drop" or "reject", and

FW_IPv6_REJECT_OUTGOING="no"

This works if you have native IPv6 _and_ IPv4 on the same device(s) (internal and/or from ISP). If you have an IPv6 over IPv4 tunnel you need to do the following extra items. This is necessary because the script logic cannot handle device detection/verification for pure IPv6 devices yet. So also change the following:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

If that file is not there, you can copy it from /usr/share/doc/packages/SuSEfirewall2. And in that file add the following lines in the section fw_custom_before_antispoofing():

ip6tables -A INPUT -j input_ext -i <tunnel device name goes here>
ip6tables -A FORWARD -j forward_ext -i <tunnel device name goes here>

Restart the firewall and that did it for me. Your comments, remarks, are appreciated.

BB, Arjen
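As an added example (not the poster's file and not part of the SuSEfirewall2 package), here is a more careful version of the fw_custom_before_antispoofing() hook described above: it validates the tunnel device name and checks that the device actually carries an IPv6 address before binding it to the input_ext and forward_ext chains, so a typo or a tunnel that is down does not silently leave the ext chains unattached. The device name sit1 and the IP6TABLES variable (set it to "echo" to preview the rules) are assumptions.

```shell
#!/bin/sh
# Hardened fw_custom_before_antispoofing() for an IPv6-over-IPv4 tunnel device
# that SuSEfirewall2 cannot detect by itself. Added example, not project code.
# Assumptions: tunnel device name in FW_IPV6_TUNNEL_DEV (hypothetical default
# "sit1"); IP6TABLES may be overridden, e.g. IP6TABLES=echo, to preview rules.

FW_IPV6_TUNNEL_DEV="${FW_IPV6_TUNNEL_DEV:-sit1}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# Accept only plausible Linux interface names: non-empty, no whitespace or
# shell metacharacters, at most 15 characters (IFNAMSIZ - 1).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# True if the device exists and has at least one IPv6 address, according to
# /proc/net/if_inet6 (field 6 is the device name).
tunnel_has_ipv6() {
    [ -r /proc/net/if_inet6 ] &&
    awk -v dev="$1" '$6 == dev { found = 1 } END { exit !found }' /proc/net/if_inet6
}

# The two rules from the thread, bound to the given device, one per line.
tunnel_rules() {
    printf '%s\n' \
        "-A INPUT -i $1 -j input_ext" \
        "-A FORWARD -i $1 -j forward_ext"
}

# Hook called by SuSEfirewall2 from FW_CUSTOMRULES before anti-spoofing rules.
fw_custom_before_antispoofing() {
    if ! valid_ifname "$FW_IPV6_TUNNEL_DEV"; then
        echo "SuSEfirewall2-custom: bad tunnel device name '$FW_IPV6_TUNNEL_DEV', skipping" >&2
        return 1
    fi
    if ! tunnel_has_ipv6 "$FW_IPV6_TUNNEL_DEV"; then
        echo "SuSEfirewall2-custom: $FW_IPV6_TUNNEL_DEV has no IPv6 address, skipping" >&2
        return 1
    fi
    tunnel_rules "$FW_IPV6_TUNNEL_DEV" | while read -r rule; do
        # Word splitting of $rule is intended; it is built from validated parts.
        $IP6TABLES $rule
    done
}
```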
Arjen Runsink wrote:
> As far as I know not mentioned elsewhere yet. I found this using the linux adage "use the source".
> The SuSEfirewall2 says that IPv6 is not supported in the script and that is because connection tracking is not yet in the kernel.
> Well, that is not exactly true. The kernel with 9.2 does support it (marked experimental). And the script does too!
> How to get it working.. easy:
> in /etc/sysconfig/SuSEfirewall2 set:
> FW_IPv6="yes"
> or to anything else than "no", "drop" or "reject"

SuSEfirewall2 is supposed to automatically detect whether IPv6 support is available if FW_IPv6 is empty (which is the default). Does that not work for you? Did you maybe update from some older version and therefore have old comments in /etc/sysconfig/SuSEfirewall2?

> and
> FW_IPv6_REJECT_OUTGOING="no"

This variable only matters if stateful ipv6 filtering is not supported by the kernel/ip6tables.

> This works if you have native IPv6 _and_ IPv4 on the same device(s) (internal and/or from ISP). If you have an IPv6 over IPv4 tunnel you need to do the following extra items. This is necessary because the script logic cannot handle device detection/verification for pure IPv6 devices yet. So also change the following:

You can find SuSEfirewall2 beta versions in people/lnussel on the ftp server btw. I changed the way interfaces are detected so v6-only interfaces should work as well now. Feedback welcome.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
On Thursday, 3 March 2005 13:24, Ludwig Nussel wrote:
> Arjen Runsink wrote:
> > FW_IPv6="yes"
> > or to anything else than "no", "drop" or "reject"
>
> SuSEfirewall2 is supposed to automatically detect whether IPv6 support is available if FW_IPv6 is empty (which is the default). Does that not work for you? Did you maybe update from some older version and therefore have old comments in /etc/sysconfig/SuSEfirewall2?

Yes I did update (9.2+you), found a .rpmnew version and migrated my settings to it. Did not see a comment regarding that.

> You can find SuSEfirewall2 beta versions in people/lnussel on the ftp server btw. I changed the way interfaces are detected so v6-only interfaces should work as well now. Feedback welcome.

Ok I will try your latest version.

Btw ip6t_REJECT does not seem to work. I have been fiddling with this this morning. As a quick test:

ip6tables -I INPUT -p tcp --dport 113 -i lo -j REJECT --reject-with tcp-reset
telnet ::1 113

telnet will timeout instead of stopping immediately. I guess that since this is not even in 2.6.11 (pristine) this is only in the suse kernel. I have not looked at the modules' source yet.

BB, Arjen