On 2023-04-25 10:28, Per Jessen wrote:
Carlos E. R. wrote:
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http...
This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT,
To be precise - s/killing NAT/making NAT superfluous/
Ok :-)
and then I discover my router firewall does not work on IPv6.
Still nothing from the beta test support?
Not yesterday. The forum page dies of timeout even if permanently open and computer running, and it is a chore to login again. Doing so now to check. [...] No answer on forum, nor to direct email.
With SuSEfirewalld I used this rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine. I'd like to know if there is a similar trick with firewalld.
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed.
Your definition above seems to translate to:
"accept smtp from 192.168.1.15" (for instance).
Ok, and where in the GUI do you write that? :-) Another rich rule?
There will be some straight forward way of defining that with/in firewalld too.
I don't see it in the GUI.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
What about your 192.168.1.15 - did that never change, i.e. was it a fixed allocation or did you just hope it never would?
On IPv4 there is no problem, I control the IP numbers completely. Yes, the low IP numbers, 1..32 are static (from memory, up to 32). Some were DHCP fixated numbers, which are now gone with the router change.
If the machine address (i.e. excluding the prefix) does not change, you don't have to specify the prefix.
If I do "ip addr" on my machine now, ... wait, look:

cer@Telcontar:~> ip addr | grep inet6 | wc -l
13
cer@Telcontar:~>

Some suffixes are temporary, i.e., they change.

cer@Telcontar:~> ip addr | grep inet6 | grep temporary | wc -l
9
cer@Telcontar:~>

An incoming connection can take any of those 13 addresses. Don't think "normally", think also bad actors.

--
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
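The "similar trick" being asked about above is a firewalld rich rule with a source address match. As an added example (written for this thread, not code from either poster and not part of SuSEfirewall2 or firewalld), the script below parses a FW_TRUSTED_NETS value of the form net[,protocol[,port]] and emits one firewall-cmd rich rule per entry, for both IPv4 and IPv6 sources. The port table is an inline copy of the IANA numbers from /etc/services so the rules do not depend on firewalld's own service names; the IPv6 prefixes used in the comments and tests are made up for illustration, and the zone defaults to "public" because that is the zone used in the thread.

```python
"""Translate a SuSEfirewall2 FW_TRUSTED_NETS value into firewalld rich rules.

Added example for this thread; not part of SuSEfirewall2 or firewalld.
An entry  net[,protocol[,port]]  means "accept that protocol/port only when
the packet comes from net"; firewalld expresses the same thing as a rich rule
with a source address match, so no custom zone or direct rule is needed.
"""
import ipaddress
import shlex

# Assumption: numeric ports for the service names used in the quoted config
# line, copied from the IANA assignments in /etc/services.  Rich rules accept
# numeric ports, so firewalld's service catalogue (where e.g. sunrpc is called
# "rpc-bind") is not involved.
SERVICES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25,
    "sunrpc": 111, "syslog": 514, "nfs": 2049,
}

# The FW_TRUSTED_NETS value from the thread, as it would appear in
# /etc/sysconfig/SuSEfirewall2 (constructed copy for the example).
EXAMPLE = '''"192.168.1.15,tcp,smtp \\
192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \\
192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \\
192.168.1.15,udp,6666 192.168.1.15,icmp \\
192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"'''


def parse_trusted_nets(value):
    """Split a FW_TRUSTED_NETS value into (network, protocol, port) tuples.

    Backslash line continuations and the surrounding quotes of the sysconfig
    file are tolerated.  protocol and port are None when an entry omits them.
    """
    cleaned = value.replace("\\\n", " ").strip().strip('"')
    entries = []
    for item in cleaned.split():
        fields = item.split(",")
        fields += [None] * (3 - len(fields))      # pad missing proto/port
        entries.append(tuple(fields[:3]))
    return entries


def rich_rule(net, proto=None, port=None):
    """Return the firewalld rich rule equivalent to one FW_TRUSTED_NETS entry.

    net may be a single host or a prefix.  For IPv6 this is the important
    limitation: a rich rule matches a full address or a prefix, so a peer
    that uses temporary (privacy) addresses can only be matched by its /64
    prefix, which trusts every host in that prefix.
    """
    network = ipaddress.ip_network(net, strict=False)
    family = "ipv4" if network.version == 4 else "ipv6"
    # A single host is written without the /32 or /128 suffix.
    if network.num_addresses == 1:
        addr = str(network.network_address)
    else:
        addr = network.with_prefixlen
    rule = f'rule family="{family}" source address="{addr}"'
    if proto is None:
        pass                                # everything from that source
    elif port is None:
        name = proto                        # whole protocol, e.g. "icmp"
        if proto == "icmp" and family == "ipv6":
            name = "ipv6-icmp"              # name used in /etc/protocols
        rule += f' protocol value="{name}"'
    else:
        number = SERVICES.get(port, port)   # port may already be numeric
        rule += f' port port="{number}" protocol="{proto}"'
    return rule + " accept"


def firewall_cmds(value, zone="public"):
    """Return the firewall-cmd invocations that install every entry."""
    return [
        f"firewall-cmd --permanent --zone={zone} "
        f"--add-rich-rule={shlex.quote(rich_rule(*entry))}"
        for entry in parse_trusted_nets(value)
    ]


if __name__ == "__main__":
    for cmd in firewall_cmds(EXAMPLE):
        print(cmd)
    print("firewall-cmd --reload")
```

Running the script prints the nine firewall-cmd lines for the quoted config, followed by the reload. The same rules can be pasted into the "Rich Rules" tab of firewall-config, which is the GUI location asked about above. For an IPv6 peer the source must be a fixed address or a prefix; firewall-cmd's rich-rule syntax has no way to match only the interface-identifier half of an address, so a peer with temporary addresses is either matched by its whole /64 or has temporary addresses turned off on its side.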