On 2023-04-21 10:40, Per Jessen wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-)
Possible options -
* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?
I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated).
Five minutes. I can only think of a cron job running every five minutes that learns the prefix and acts.

--
Cheers / Saludos,
Carlos E. R. (from 15.4 x86_64 at Telcontar)
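
The periodic check discussed in this thread, as an added example that is not part of any of the messages: it derives the current /64 from `ip -6 -o addr show scope global` output and works out which `ip6tables` rules to delete and append. The function names and the sample output are constructed for illustration, and it assumes the old address shows up as `deprecated` once the prefix has changed.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses do not follow the ISP prefix

def current_prefixes(ip_output):
    """Return the /64 networks of usable global addresses in
    `ip -6 -o addr show scope global` output."""
    found = set()
    for line in ip_output.splitlines():
        fields = line.split()
        # Skip deprecated addresses: after renumbering, the old prefix lingers in that state.
        if "inet6" not in fields or "deprecated" in fields:
            continue
        addr = ipaddress.IPv6Interface(fields[fields.index("inet6") + 1]).ip
        if addr not in ULA:
            # Assumption: the LAN prefix is a /64, as in the rule quoted in the thread.
            found.add(ipaddress.IPv6Network(f"{addr}/64", strict=False))
    return found

def rule(action, net):
    """Build the thread's ACCEPT rule as an argument list (-A to append, -D to delete)."""
    return ["ip6tables", action, "INPUT", "-p", "all", "-s", str(net), "-j", "ACCEPT"]

def plan(old, new):
    """Commands that move the ACCEPT rule from the old prefixes to the new ones.
    Deletions come first, so a stale prefix stops being trusted before anything is added."""
    return [rule("-D", n) for n in sorted(old - new)] + [rule("-A", n) for n in sorted(new - old)]

# Constructed sample output (documentation prefix 2001:db8::/32), before and after a change.
BEFORE = r"""2: eth0    inet6 2001:db8:aaaa:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 fd12:3456:789a:1:211:22ff:fe33:4455/64 scope global \       valid_lft forever preferred_lft forever"""
AFTER = r"""2: eth0    inet6 2001:db8:bbbb:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 2001:db8:aaaa:1:211:22ff:fe33:4455/64 scope global deprecated dynamic mngtmpaddr \       valid_lft 7190sec preferred_lft 0sec
2: eth0    inet6 fd12:3456:789a:1:211:22ff:fe33:4455/64 scope global \       valid_lft forever preferred_lft forever"""

if __name__ == "__main__":
    # A real run would read the `ip` output via subprocess, keep the previous
    # prefix set in a state file, and execute each command instead of printing it.
    for cmd in plan(current_prefixes(BEFORE), current_prefixes(AFTER)):
        print(" ".join(cmd))
```

Run from cron, this still leaves the window between the prefix change and the next run that the thread discusses; calling it from an address-change hook shortens that window but does not remove it.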