On 2023-04-23 16:01, Andrei Borzenkov wrote:
> On 23.04.2023 15:56, Carlos E. R. wrote:
>> On 2023-04-23 13:56, Andrei Borzenkov wrote:
>>> On 23.04.2023 14:06, Carlos E. R. wrote:
>>>> Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6,
>>> I already told you - block incoming connections with source MAC address of your router.
>> You did, but not with firewalld. I don't know how to do that.
>> I just looked in my laptop with Beta, and could not find the GUI to configure firewalld, only the YaST module which is way too simple.
>> firewall-config is missing. Installed.
>> I see that the zone is set to "public".
>> ssh service is enabled. I tested that I can reach this machine from Internet to ssh.
>> Sorry, I have no idea how to achieve what you say.
> You use rich rules.
>
> firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
>
> This will reject any new packet coming from router. It will do it before accepting SSH on port 22.
> This will still allow IPv6 RA from your router. It will block ICMPv4 so you may consider explicitly allowing it.
> Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Ok, trying.

ssh is enabled in the section "zone public" "service: ssh" of firewalld. This is what YaST did during install when I said to activate the firewall and sshd.

I try to find the MAC of the router. I do, in two machines, one using ethernet and the other using wifi:

Telcontar:~ # ip neigh | grep 192.168.1.1
192.168.1.1 dev eth0 lladdr ...:d4 REACHABLE    <===
192.168.1.16 dev eth0 lladdr ...:a1 STALE
Telcontar:~ #

Beta:~ # ip neigh | grep 192.168.1.1
192.168.1.16 dev wlan0 lladdr ...:a1 STALE
192.168.1.1 dev wlan0 lladdr ...:d4 DELAY    <===
192.168.1.14 dev wlan0 lladdr ...:bd DELAY
Beta:~ #

It is the same in both places. I run the command

Beta:~ # firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule source mac="...:d4" reject'
success
Beta:~ #

Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected.

Then I ssh to a machine of a friend, and from there I ssh to the Beta machine using IPv6. It also connects.

I don't have access to run nmap on my friend's machine, so I can not check other ports. But Beta only has the ssh service and port open, AFAIK. And other machines I have do not run firewalld yet.

If I try a traceroute to my machine from outside, I see:

traceroute 2a02:ZZZ:298b
12  * * *
13  2a02:XXX:64 (2a02:XXX:64)  45.349 ms  2a02:YYY:80d5 (2a02:YYY:80d5)  47.862 ms  2a02:XXX:64 (2a02:XXX:64)  47.080 ms
14  2a02:ZZZ:298b (2a02:ZZZ:298b)  50.020 ms !X  50.106 ms !X  50.330 ms !X

(if you want to see the exact, unedited output, I'll send that off-list)

AFAICS 2a02:XXX:64 is not my router. 2a02:YYY:80d5 could be, but doesn't have my prefix. Similar, but not mine. If I ping6 it, it doesn't appear in "ip -6 neigh".

Telcontar:~ # ping6 2a02:YYY:80d5
PING 2a02:YYY:80d5(2a02:YYY:80d5) 56 data bytes
64 bytes from 2a02:YYY:80d5: icmp_seq=1 ttl=64 time=1.29 ms
64 bytes from 2a02:YYY:80d5: icmp_seq=2 ttl=64 time=0.468 ms
^C
--- 2a02:YYY:80d5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.468/0.879/1.291/0.411 ms
Telcontar:~ #

Telcontar:~ # ping router
PING router.valinor (192.168.1.1) 56(84) bytes of data.
64 bytes from router.valinor (192.168.1.1): icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from router.valinor (192.168.1.1): icmp_seq=2 ttl=64 time=0.348 ms
64 bytes from router.valinor (192.168.1.1): icmp_seq=3 ttl=64 time=0.313 ms
^C
--- router.valinor ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.313/0.395/0.526/0.093 ms
Telcontar:~ #
-- 
Cheers / Saludos,

  Carlos E. R.
  (from 15.4 x86_64 at Telcontar)
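Andrei's rich-rule approach, as an added shell example that is not code from the thread: it finds the IPv6 gateway and its MAC from `ip -6 route` / `ip -6 neigh` output the way Carlos did by hand, builds the rule with family="ipv6" so only IPv6 is refused, and adds it at runtime as well as with --permanent, because a rule added with --permanent alone (as in Carlos's command) is not active until `firewall-cmd --reload`. The zone "public" is taken from the thread; the gateway address and MACs in the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Blocks new inbound IPv6 packets whose
# source MAC is the router's, i.e. everything forwarded from the internet, while
# leaving LAN hosts (other MACs) and all IPv4 traffic untouched.

# Print the gateway address from `ip [-6] route show default` output ($1).
gateway_ip() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Print the link-layer address of neighbour $2 from `ip [-6] neigh` output ($1).
neigh_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print $(i+1); exit } }'
}

# Build the firewalld rich rule. $1 = MAC, $2 = family (ipv4|ipv6) or empty for both.
rich_rule() {
    if [ -n "$2" ]; then
        printf 'rule family="%s" source mac="%s" reject' "$2" "$1"
    else
        printf 'rule source mac="%s" reject' "$1"
    fi
}

# Add rule $2 to zone $1 both at runtime and permanently. A rule added with
# --permanent alone is NOT active until `firewall-cmd --reload`.
apply_rule() {
    firewall-cmd --zone="$1" --add-rich-rule="$2" &&
    firewall-cmd --permanent --zone="$1" --add-rich-rule="$2" &&
    firewall-cmd --zone="$1" --list-rich-rules   # verify the rule is listed
}

# Constructed sample output (addresses and MACs are placeholders, not real ones).
SAMPLE_ROUTE='default via fe80::1 dev eth0 proto ra metric 100 pref medium'
SAMPLE_NEIGH='fe80::1 dev eth0 lladdr 00:11:22:33:44:d4 router REACHABLE
fe80::2 dev eth0 lladdr 00:11:22:33:44:a1 STALE'

# Dry run on the samples; pass --apply to act on the live system (needs root).
if [ "${1:-}" = "--apply" ]; then
    gw=$(gateway_ip "$(ip -6 route show default)")
    mac=$(neigh_mac "$(ip -6 neigh)" "$gw")
    [ -n "$mac" ] || { echo "router MAC not found; ping6 $gw first" >&2; exit 1; }
    firewall-cmd --get-active-zones        # confirm the interface really is in "public"
    apply_rule public "$(rich_rule "$mac" ipv6)"
else
    mac=$(neigh_mac "$SAMPLE_NEIGH" "$(gateway_ip "$SAMPLE_ROUTE")")
    echo "would add: $(rich_rule "$mac" ipv6)"
fi
```

After applying, repeat Carlos's test from an outside host; a connection that still succeeds points at the interface not being in the "public" zone or the runtime rule not having been loaded.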