On 2023-04-21 12:27, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:40 PM Carlos E. R. wrote: ...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
...
Still, I don't know how to do that in SuSEfirewall2 or firewalld.
firewalld by default blocks all incoming traffic unless you set the zone target (policy) to ACCEPT, which in the zone definitions that come with firewalld is only set for the zone "trusted".
The problem is that, before having IPv6, I simply opened port 22, or 80, or whatever, to intranet traffic. The firewall knew which it was. Now it doesn't. Those ports are open to intranet and Internet. SuSEfirewall2 is deprecated, so I have to move to firewalld. And I simply do not know how to tell firewalld to open some ports to intranet and close them to internet. I tried googling, but did not find anything suitable.
And that would only be temporary; there are machines in the intranet which I don't control, like the printer, the Google Chromecast...
As usual, you are shifting goalposts. You started with "I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld". If you now talk about other devices, then either read the documentation for these other devices or ask on support channels for these other devices or install a box between your router and your LAN and configure a firewall on this box. Which will automatically solve the problem of changing prefixes as this box will have a fixed internal interface and a fixed external interface so it will make unambiguous what traffic comes from outside.
I know about that. I just comment on the situation. I can protect the computers, I hope, by doing something to each computer firewall. So far, I don't know what. To protect all, the only thing to do is ask the ISP to cease the IPv6 Beta for me. I will certainly do that if they don't answer my question.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
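An added example, not part of the thread and not from either poster: one way to express "open to intranet, closed to internet" with firewalld's source-based zones, building on the default-deny behaviour described above. The LAN IPv4 range, the choice of the `internal` and `public` zones, the `ssh` service, and the assumption that LAN clients connect over IPv6 link-local or ULA addresses (global addresses from a changing delegated prefix are not matched) are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, adjust to your network:
#   - LAN IPv4 range 192.168.1.0/24
#   - LAN IPv6 peers use link-local (fe80::/10) or ULA (fc00::/7) addresses
#   - the network interface stays bound to the "public" zone
LAN_SOURCES="192.168.1.0/24 fe80::/10 fc00::/7"
SERVICE="ssh"

# Print the firewall-cmd invocations, one per line.
lan_zone_cmds() {
    for src in $LAN_SOURCES; do
        # Traffic from these sources is classified into zone "internal",
        # regardless of which interface it arrives on.
        echo "firewall-cmd --permanent --zone=internal --add-source=$src"
    done
    # Allow the service only in the source-bound zone.
    echo "firewall-cmd --permanent --zone=internal --add-service=$SERVICE"
    # Every other source falls through to the interface zone; close it there.
    echo "firewall-cmd --permanent --zone=public --remove-service=$SERVICE"
    echo "firewall-cmd --reload"
}

# Dry run by default. APPLY=1 executes the commands
# (requires root and a running firewalld).
apply_lan_zone() {
    lan_zone_cmds | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || return 1
        else
            echo "would run: $cmd"
        fi
    done
}

apply_lan_zone
```

After applying, `firewall-cmd --get-active-zones` and `firewall-cmd --zone=public --list-all` show which sources are bound to `internal` and confirm the service is no longer listed in `public`.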