Carlos E. R. wrote:
On 2023-04-21 10:40, Per Jessen wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
> I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-)
Possible options -
* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?
I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated).
Five minutes. I can only think of a cron job running every five minutes that learns the prefix and acts.
It could be 32-37 minutes if you write the cron job for that. I guess you skipped the section "Possible options" above. Even with "bit-banging", e.g. querying the address in a tight loop, you can probably achieve a sub-second window.

--
Per Jessen, Zürich (8.8°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
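One way to implement the "hook when the address changes" option from this thread, as an added example that is not code from any of the posters: it listens for kernel route events instead of polling from cron and swaps a single ip6tables rule to the current /64. The chain name `LAN6`, the interface `eth0`, and the presence of exactly one global /64 on that interface are assumptions, as is a default-drop policy for the rest of INPUT.

```shell
#!/bin/sh
# Added example, not from the thread. Chain name LAN6 and eth0 are assumptions.
IP6T=${IP6T:-ip6tables}
CHAIN=${CHAIN:-LAN6}
CURRENT=

# stdin: output of `ip -6 route show dev IFACE`.
# Prints the first on-link /64, skipping link-local and routed entries.
pick_prefix() {
    awk '$1 ~ /\/64$/ && $1 !~ /^fe80:/ && $2 != "via" { print $1; exit }'
}

# Rule 1 of $CHAIN is the only ACCEPT for the LAN prefix. -R swaps it in one
# operation, so old and new prefix are never both accepted.
apply_prefix() {
    new=$1
    if [ "$new" = "$CURRENT" ]; then return 0; fi
    if [ -n "$new" ]; then
        "$IP6T" -R "$CHAIN" 1 -s "$new" -j ACCEPT || return 1
    else
        "$IP6T" -R "$CHAIN" 1 -j RETURN || return 1   # no prefix: accept nothing
    fi
    CURRENT=$new
}

# Create the chain with a placeholder rule 1 and hook it into INPUT once.
setup_chain() {
    "$IP6T" -N "$CHAIN" 2>/dev/null || "$IP6T" -F "$CHAIN"
    "$IP6T" -A "$CHAIN" -j RETURN
    "$IP6T" -C INPUT -j "$CHAIN" 2>/dev/null || "$IP6T" -I INPUT 1 -j "$CHAIN"
}

# Re-read the prefix on every IPv6 route event reported by the kernel.
watch_prefix() {
    iface=$1
    setup_chain
    apply_prefix "$(ip -6 route show dev "$iface" | pick_prefix)"
    ip -6 monitor route | while read -r line; do
        apply_prefix "$(ip -6 route show dev "$iface" | pick_prefix)"
    done
}

# Run as: sh script.sh watch eth0   (needs root)
if [ "${1:-}" = "watch" ]; then watch_prefix "${2:-eth0}"; fi
```

If the old prefix is still listed as a route after the change, `pick_prefix` may return it first, so check the route order on the actual system before relying on this.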