Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-) Possible options -

* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?

I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated).

--
Per Jessen, Zürich (7.2°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
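
One way to build the "hook that is called when the address changes" option from the message above, as an added example that is not code from the thread: a watcher that rewrites a dedicated ip6tables chain whenever the on-link /64 changes. The chain name `LOCAL6`, the interface `eth0` and a pre-existing `ip6tables -A INPUT -j LOCAL6` jump ahead of the default drop are assumptions. It reacts only after the kernel's route table changes, so the window raised in the thread remains.

```shell
#!/bin/sh
# Added example: keep "accept from my own /64" in step with a changing prefix.
# Assumptions (not from the thread): chain LOCAL6, interface eth0, and an
# existing "ip6tables -A INPUT -j LOCAL6" jump ahead of the default drop.
CHAIN=LOCAL6
IFACE=${IFACE:-eth0}

# Read "ip -6 route show" text on stdin and print the on-link /64 prefixes.
# Link-local (fe80::/64) and anything routed via a gateway is skipped.
# Constructed sample line: 2001:db8:aaaa:1::/64 dev eth0 proto ra metric 100
onlink_prefixes() {
    awk '$1 ~ /\/64$/ && $1 !~ /^fe80:/ && $0 !~ / via / { print $1 }' | sort -u
}

# Print the commands that rebuild the chain for the given prefixes.
# The flush comes first, so a failure part-way leaves the chain empty and
# traffic falls through to the default drop (fail closed).
chain_commands() {
    echo "ip6tables -F $CHAIN"
    for p in "$@"; do
        echo "ip6tables -A $CHAIN -s $p -j ACCEPT"
    done
}

# Re-read the route table; rewrite the chain only if the prefix set changed.
last=""
resync() {
    now=$(ip -6 route show dev "$IFACE" | onlink_prefixes | tr '\n' ' ')
    [ "$now" = "$last" ] && return 0
    # Word splitting of $now into separate prefixes is intended here.
    chain_commands $now | sh -e && last=$now
    logger -t prefix-watch "allowed source prefixes now: ${now:-none}"
}

# Block on kernel netlink events; every IPv6 route change triggers a resync.
watch() {
    ip6tables -N "$CHAIN" 2>/dev/null   # fine if the chain already exists
    resync
    ip -6 monitor route | while read -r _event; do resync; done
}

# Only touch the firewall when asked to; run as root with: script --watch
if [ "${1:-}" = "--watch" ]; then watch; fi
```
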