On 2023-04-22 21:24, Lew Wolfgang wrote:
On 4/22/23 10:18, Carlos E. R. wrote:
On 2023-04-22 17:39, Andrei Borzenkov wrote:
On 22.04.2023 13:03, Carlos E. R. wrote:
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
> > Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything
b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what router entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1
How did you test that firewall does not work?
I sshed to the machine of a friend, and from there I sshed to two machines inside my LAN.
One of them is (intentionally) accessible via IPv4 on a high port, which the router translates to 22. But on IPv6, both machines are accessible on 22, no translation on the router. Another friend did an nmap on my machine from his house:
office24:~ # nmap -6 -p1-65535 2a02:...
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 08:16 CEST
Nmap scan report for 2a02:....customerbaf.ipv6.rima-tde.net (2a02:...)
Host is up (0.060s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
111/tcp   open   rpcbind
443/tcp   closed https
2049/tcp  open   nfs
12854/tcp closed unknown
20048/tcp open   mountd
38000/tcp closed unknown
40000/tcp closed unknown
50000/tcp open   unknown
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it. And the router firewall is faulty.
I remember when I first started using SuSE 5.2, the firewall documentation was in German. So I didn't set up the firewall right away, and darned if I didn't get pwned through a mountd vulnerability. I noticed it right away, so no damage, but still.
You at least limit NFS mounts with entries in /etc/exports, right?
Yes.
Why don't you get a cheap firewall appliance and put it between your ISP's router and SW1?
Because it is a Beta. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
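Added example, not from any post in this thread: a small Python audit that parses nmap's normal output for a -6 scan like the one posted and an /etc/exports file, and reports (a) RPC/NFS/ssh ports open on the public address and (b) exports with no client restriction or with no_root_squash. The scan text reproduces the posted port lines (address elided as in the post); the /etc/exports content is constructed for illustration and includes the classic "space before the parenthesis" mistake that silently exports to everyone.

```python
"""Audit nmap -6 output and /etc/exports for Internet-exposed NFS.

Added example for the thread above; not the poster's own tooling.
SAMPLE_SCAN reproduces the posted port lines; SAMPLE_EXPORTS is constructed.
"""
import re

# Services that have no business being reachable from the public IPv6 side
# of a home LAN. Port numbers are the ones that appeared in the posted scan.
RISKY_PORTS = {
    22: "ssh",
    111: "rpcbind (portmapper)",
    2049: "nfs",
    20048: "mountd",
}

# From the posted scan (address elided as in the post).
SAMPLE_SCAN = """\
Nmap scan report for 2a02:... (2a02:...)
Not shown: 65524 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
111/tcp   open   rpcbind
443/tcp   closed https
2049/tcp  open   nfs
12854/tcp closed unknown
20048/tcp open   mountd
38000/tcp closed unknown
40000/tcp closed unknown
50000/tcp open   unknown
"""

# Constructed /etc/exports; the last line is the well-known gotcha.
SAMPLE_EXPORTS = """\
/home/shared  192.168.1.0/24(rw,sync)            # LAN only: fine
/srv/media    *(ro)                              # mountable by anyone
/srv/backup   fd12:3456::/64(rw,no_root_squash)  # LAN, but root not squashed
/tmp/oops (rw)                                   # space before "(" => client "*"
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")
CLIENT_TOKEN = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_nmap(text):
    """Return (port, proto, state, service) tuples from nmap's normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def exposed_risky(rows):
    """Open ports from the scan that are in RISKY_PORTS, in scan order."""
    return [(port, RISKY_PORTS[port]) for port, _proto, state, _svc in rows
            if state == "open" and port in RISKY_PORTS]


def parse_exports(text):
    """Parse exports(5) lines into (path, [(client, [options])]).

    A token with nothing before "(" (e.g. "(rw)") means client "*": that is
    how a stray space turns a LAN-only export into a world export.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for token in clients:
            m = CLIENT_TOKEN.match(token)
            if not m:                            # malformed token, skip it
                continue
            client = m.group(1) or "*"
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append((client, opts))
        exports.append((path, entries))
    return exports


def export_findings(exports):
    """Flag exports any host can mount, or that hand root to the client."""
    findings = []
    for path, entries in exports:
        for client, opts in entries:
            if client == "*" or client.startswith("*."):
                findings.append(f"{path}: mountable by {client} (no client restriction)")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash for {client}")
    return findings


def audit(scan_text, exports_text):
    """Run both checks; empty lists mean nothing was found."""
    return {"exposed": exposed_risky(parse_nmap(scan_text)),
            "exports": export_findings(parse_exports(exports_text))}


if __name__ == "__main__":
    result = audit(SAMPLE_SCAN, SAMPLE_EXPORTS)
    for port, name in result["exposed"]:
        print(f"open on the public address: {port}/tcp {name}")
    for finding in result["exports"]:
        print(f"exports: {finding}")
```

Run it against a real scan with `nmap -6 -p1-65535 -oN scan.txt <addr>` from outside the LAN and feed `scan.txt` plus the host's `/etc/exports` to `audit()`. Note that restricting clients in /etc/exports only limits who may mount; rpcbind, nfs and mountd still answer on the public address until a host firewall (or the router) drops inbound IPv6 to those ports, which is the gap the scan above shows.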