Carlos E. R. wrote:
On 2023-04-25 11:14, Per Jessen wrote:
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert.
Okay, that _does_ surprise me. It seems like a perfectly trivial rule. I have to wonder if it is just a shortcoming of that migration script.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp" it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
Well, first of all, LL addresses are only used for routing. Second, the problem is that while your "192.168.1.15" is static, the ipv6 address is not. Even if you use the EUI64 address, the prefix might still change.
and have a script to dynamically change it every time the prefix or one of the suffixes change.
To keep track of the prefix, I think(!) the easiest would be to monitor the lease file, hint: "inotify-tools". I did wonder about using the firewall to watch for router announcements, but it becomes unnecessarily complex. Instead of "192.168.1.15", you would need to use the EUI64 address, and disable privacy extensions.
(I don't know how to find out if a machine is using one or the other, though)
It is a firewalld setting.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged.
I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs.
Sure, but why bother. As others have already said - when you don't have an actual need, why bother - _unless_ you think it is fun.

--
Per Jessen, Zürich (9.5°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
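Added example, not part of the thread: a sketch of the EUI64 approach discussed above, building the host's address in the current /64 from its MAC and producing the firewalld rich-rule commands to swap when the prefix changes. The function names are hypothetical, the 2001:db8:: prefixes are documentation placeholders, and the MAC is the one implied by the link-local address quoted in the thread; the commands are only returned, not executed.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def looks_like_eui64(addr: str) -> bool:
    """Heuristic only: EUI-64 identifiers carry ff:fe in the middle;
    privacy-extension addresses are random and normally do not."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def address_in_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address the host autoconfigures in `prefix` when it uses EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return net.network_address + eui64_interface_id(mac)

def rich_rule(addr, service: str = "smtp") -> str:
    """firewalld rich rule equivalent to 'accept <service> from <addr>'."""
    return f'rule family="ipv6" source address="{addr}" service name="{service}" accept'

def rule_update(old_prefix: str, new_prefix: str, mac: str, service: str = "smtp"):
    """argv lists to run after a prefix change: drop the stale rule, add the new one.
    Returns an empty list when the prefix did not actually change."""
    old = address_in_prefix(old_prefix, mac)
    new = address_in_prefix(new_prefix, mac)
    if old == new:
        return []
    return [
        ["firewall-cmd", f"--remove-rich-rule={rich_rule(old, service)}"],
        ["firewall-cmd", f"--add-rich-rule={rich_rule(new, service)}"],
    ]

if __name__ == "__main__":
    MAC = "00:d8:61:a1:5a:bd"  # implied by fe80::2d8:61ff:fea1:5abd in the thread
    # Constructed sample prefixes (documentation range), standing in for the lease data.
    for argv in rule_update("2001:db8:1:2::/64", "2001:db8:9:9::/64", MAC):
        print(" ".join(argv))
```

A watcher on the lease file (for instance via inotify-tools, as hinted in the thread) would call `rule_update` with the previous and the newly delegated prefix.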