On 2023-04-25 06:30, Andrei Borzenkov wrote:
On 24.04.2023 22:00, Carlos E. R. wrote:
On 2023-04-24 19:25, Andrei Borzenkov wrote:
On 24.04.2023 13:47, Carlos E. R. wrote:
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
In Tumbleweed it works correctly.
In Leap 15.4 with the default nftables backend, firewalld gets "unsupported family" and aborts. It does not happen in firewalld itself, but rather in a supporting library used by firewalld. It works when using the iptables backend.
Apparently nobody tried to define ipv6 rules so far in Leap.
Well, in all machines except one I think I can block both IPv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
Maybe another rich rule to accept on those two ports?
Use
rule priority="10" ...
to order this rule after the normal "allow" chain. Any positive number will do.
Or you can switch to the iptables backend so that family="ipv6" works.
Thanks. First I have to migrate from SuSEfirewall2. There was a migration tool... I have forgotten its name.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)