Carlos E. R. wrote:
(This is a thinking aloud post, so of course there is conflict in what I say)
I didn't see any conflicts, maybe I need to look again :-)
Isengard:/etc/firewalld/zones # firewall-cmd --list-all
[snip - 80 rich rules]
rule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
rule family="ipv6" source address="fc00::/64" port port="5353" protocol="udp" accept
1) Isn't that the kind of rule - family="ipv6" - that made your firewalld explode yesterday?
2) 5353 is for mDNS - you won't see any of that on fe80::. Are you actually using fc00:: ?
3) Personally, I would be unhappy with such a setup, 86 rich rules. I appreciate it is due to the conversion script, but a pile of "rich rules" is not much better than my old well-structured iptables script, with comments. Anyway, just an observation.
carlos@Friend:~ $ curl http://[Ipv6_ADDR]
<html><body>
<h1>Welcome to Isengard</a></h1>
<h3>Letras: \ | @ # € </h3>
[snip]
Now, this is not correct, it is the response expected INSIDE the LAN. That means a problem in the Apache configuration for virtual hosts, but also that port 80 is not closed on IPv6.
You were presumably expecting the last rich rule
rule priority="10" source mac="ROUTER_MAC" reject
to cause that to be blocked.
Obviously, computers have their own mind, but I'm not familiar with the firewalld "mind".
My computers do _exactly_ what they are told :-)
It seems that:
services: dns http https mountd nfs nfs3 ntp rpc-bind ssh
takes precedence over the rich rule denying packets via router.
Aha, okay. (I didn't know the meaning of that line).
(Can I write comments in xml file /etc/firewalld/zones/external.xml?)
Yes, use "<!-- comment -->". Can span multiple lines.

--
Per Jessen, Zürich (6.4°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
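As an added illustration of the two points above (XML comments in a zone file, and a rich rule being ordered relative to the service entries), here is a constructed /etc/firewalld/zones/external.xml that is not from the thread; the services, the 5353 rule and the documentation-range MAC are assumed values, and the negative priority is the firewalld rich-rule mechanism for placing a rule before the zone's service and port rules rather than after them like the priority="10" rule in the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>Constructed example zone, not a real host's configuration.</description>

  <!-- XML comments like this one are ignored by firewalld
       and may span several lines. -->

  <!-- Services and ports are evaluated as ordinary (priority 0) rules. -->
  <service name="ssh"/>
  <service name="dns"/>
  <service name="http"/>

  <!-- Rich rules with a negative priority are placed BEFORE the service
       and port rules above, so this reject is not overridden by the
       accepted services. A positive priority (like the thread's
       priority="10") lands AFTER them and is never reached for
       traffic those services already accept. -->
  <rule priority="-10">
    <!-- 00:00:5e:00:53:01 is a placeholder from the documentation
         MAC range, standing in for ROUTER_MAC in the thread. -->
    <source mac="00:00:5e:00:53:01"/>
    <reject/>
  </rule>

  <!-- Same shape as the converted rules shown in the thread. -->
  <rule family="ipv6">
    <source address="fe80::/64"/>
    <port port="5353" protocol="udp"/>
    <accept/>
  </rule>
</zone>
```

One caveat for anyone relying on the comments: firewalld rewrites a zone file from its own in-memory model whenever the zone is modified with firewall-cmd --permanent, so hand-written comments survive only as long as the file is edited by hand (followed by firewall-cmd --reload).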