On 2023-04-26 02:28, Carlos E. R. wrote:
On Tuesday, 2023-04-25 at 23:22 +0200, Bengt Gördén wrote:
On 2023-04-25 22:58, Carlos E. R. wrote:
rule family="ipv6" source address="fc00::/64" port port="5353" protocol="udp" accept
rule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
I have this comment in my "/etc/sysconfig/SuSEfirewall2" file, from which they were translated to the above two lines:
# fe80::/64,udp,5353 - autoconf broadcast from printer
#fc00
# Possible entry from the internet to ssh
FW_SERVICES_ACCEPT_EXT="192.168.1.14/24,_rpc_,nfs 192.168.1.15/24,_rpc_,nfs 192.168.1.129/24,_rpc_,nfs \
fe80::/64,udp,5353 fc00::/64,udp,5353 \
192.168.1.0/24,tcp,80 192.168.1.0/24,tcp,22 \
0/0,tcp,22,,hitcount=3,blockseconds=100,recentname=ssh"
I.e., I wrote that probably to silence noise in the log from a printer broadcast, or to have some autoconf feature from the printer working.
What's the output of ip6tables-save?
Isengard:/etc/firewalld/zones # ip6tables-save
# Generated by ip6tables-save v1.8.7 on Wed Apr 26 02:17:33 2023
*raw
:PREROUTING ACCEPT [14175:19377794]
:OUTPUT ACCEPT [9470:17375360]
COMMIT
# Completed on Wed Apr 26 02:17:33 2023
# Generated by ip6tables-save v1.8.7 on Wed Apr 26 02:17:33 2023
*security
:INPUT ACCEPT [12058:19236084]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9470:17375360]
COMMIT
# Completed on Wed Apr 26 02:17:33 2023
# Generated by ip6tables-save v1.8.7 on Wed Apr 26 02:17:33 2023
*nat
:PREROUTING ACCEPT [2050:136843]
:INPUT ACCEPT [18:1343]
:OUTPUT ACCEPT [37:4315]
:POSTROUTING ACCEPT [37:4315]
COMMIT
# Completed on Wed Apr 26 02:17:33 2023
# Generated by ip6tables-save v1.8.7 on Wed Apr 26 02:17:33 2023
*mangle
:PREROUTING ACCEPT [14175:19377794]
:INPUT ACCEPT [14089:19371371]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9470:17375360]
:POSTROUTING ACCEPT [9475:17375810]
COMMIT
# Completed on Wed Apr 26 02:17:33 2023
# Generated by ip6tables-save v1.8.7 on Wed Apr 26 02:17:33 2023
*filter
:INPUT ACCEPT [14033:19362332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9470:17375360]
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
COMMIT
# Completed on Wed Apr 26 02:17:33 2023
Isengard:/etc/firewalld/zones #
Now I don't know firewalld, but from ip6tables-save I don't see that you reject or drop anything. Shouldn't the last filter rule be to drop everything? Like this:

*filter
:INPUT ACCEPT [14033:19362332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9470:17375360]
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -j DROP
COMMIT

Of course your ipv6 rules need to accept port 80 and anything else you want to be able to get through.

-- 
/bengan
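A small sh/awk check, added here and not part of the thread, that reads an ip6tables-save dump and reports whether the filter INPUT chain denies by default in the sense Bengt describes (a DROP/REJECT policy, or an unconditional final DROP/REJECT rule). The two sample dumps are constructed from the filter table quoted above, once as posted and once with the suggested -j DROP appended.

```shell
#!/bin/sh
# Constructed sample: the *filter table from the ip6tables-save output in the
# thread, with the packet counters zeroed, as posted (no terminating rule).
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
COMMIT'

# The same table with the suggested final "-A INPUT -j DROP" added.
SAMPLE_CLOSED="${SAMPLE_OPEN%COMMIT}-A INPUT -j DROP
COMMIT"

# chain_default_deny CHAIN  (ip6tables-save / iptables-save text on stdin)
# Exit 0 when CHAIN in the filter table denies by default: either its policy
# is DROP/REJECT, or its last rule is an unconditional -j DROP / -j REJECT.
# Rules in other tables (nat, mangle, ...) are ignored on purpose.
chain_default_deny() {
    awk -v chain="$1" '
        /^\*/                      { table = substr($0, 2); next }  # *filter, *nat, ...
        table != "filter"          { next }
        $1 == (":" chain)          { policy = $2; next }            # :INPUT ACCEPT [n:n]
        $1 == "-A" && $2 == chain  { last = $0 }                    # remember the last rule
        END {
            if (policy == "DROP" || policy == "REJECT") exit 0
            # unconditional: "-A CHAIN -j DROP" or "-A CHAIN -j REJECT [--reject-with ...]"
            if (last ~ ("^-A " chain " -j (DROP|REJECT)( |$)")) exit 0
            exit 1
        }'
}

# report LABEL DUMP: print a one-line verdict for the INPUT chain.
report() {
    if printf '%s\n' "$2" | chain_default_deny INPUT; then
        echo "$1: INPUT denies by default"
    else
        echo "$1: INPUT has no default deny, unmatched packets are accepted"
    fi
}

report "as posted"    "$SAMPLE_OPEN"
report "with -j DROP" "$SAMPLE_CLOSED"
```

The check only sees what ip6tables-save prints; rules that firewalld keeps in its own nftables tables when it runs with the nftables backend are not part of that output.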