On 2023-04-25 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-25 11:14, Per Jessen wrote:
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert.
Okay, that _does_ surprise me. It seems like a perfectly trivial rule. I have to wonder if it is just a shortcoming of that migration script.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp"
it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
Well, first of all, LL addresses are only used for routing.
Per, that's an example. I used that line for the paste because I don't have to edit out for privacy. Or maybe I should have, what the heck. There are 13 IP6 addresses.
Second, the problem is that while your "192.168.1.15" is static, the ipv6 address is not. Even if you use the EUI64 address, the prefix might still change.
Right.
and have a script to dynamically change it every time the prefix or one of the suffixes change.
To keep track of the prefix, I think(!) the easiest would be to monitor the lease file, hint: "inotify-tools". I did wonder about using the firewall to watch for router announcements, but it becomes unnecessarily complex.
Right.
Instead of "192.168.1.15", you would need to use the EUI64 address, and disable privacy extensions.
(I don't know how to find out if a machine is using one or the other, though)
It is a firewalld setting.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged.
I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs.
Sure, but why bother. As others have already said - when you don't have an actual need, why bother - _unless_ you think it is fun.
Well, I'm investigating. It is some fun (not much), and I don't know how many years it will take them to correct the bug firmware, or change my router. Nor do I know if the next router will not have a similar bug.
--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
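As an added illustration of the "EUI-64 address plus a script that follows the prefix" idea discussed above (example code, not from the thread or from susefirewall2-to-firewalld): the MAC 00:d8:61:a1:5a:bd is constructed by reversing the EUI-64 address quoted in the thread, the firewalld rich-rule and firewall-cmd syntax is the standard one, and the zone name is an assumption.

```python
import ipaddress

def parse_trusted_net(entry: str):
    """Split one SuSEfirewall2 FW_TRUSTED_NETS entry 'addr,proto,service'."""
    addr, _proto, service = entry.split(",")
    return ipaddress.ip_address(addr), service

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (64 bits) for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the U/L bit.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 suffix derived from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def rich_rule(addr, service: str) -> str:
    """firewalld rich rule equivalent to 'accept <service> from <addr>'."""
    family = "ipv6" if isinstance(addr, ipaddress.IPv6Address) else "ipv4"
    return f'rule family="{family}" source address="{addr}" service name="{service}" accept'

def prefix_change_commands(old_prefix: str, new_prefix: str, mac: str,
                           service: str, zone: str = "public"):
    """firewall-cmd invocations a lease-file watcher would run when the
    delegated prefix changes while the EUI-64 suffix stays the same
    (constructed example; zone name is an assumption)."""
    old_rule = rich_rule(eui64_address(old_prefix, mac), service)
    new_rule = rich_rule(eui64_address(new_prefix, mac), service)
    return [
        f"firewall-cmd --zone={zone} --remove-rich-rule='{old_rule}'",
        f"firewall-cmd --zone={zone} --add-rich-rule='{new_rule}'",
    ]

if __name__ == "__main__":
    # Constructed MAC: the reverse of the fe80::2d8:61ff:fea1:5abd address above.
    mac = "00:d8:61:a1:5a:bd"
    print(rich_rule(*parse_trusted_net("192.168.1.15,tcp,smtp")))
    print(rich_rule(eui64_address("fe80::/64", mac), "smtp"))
    for cmd in prefix_change_commands("2001:db8:1::/64", "2001:db8:2::/64", mac, "smtp"):
        print(cmd)
```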