Carlos E. R. wrote:
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http...
This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT,
To be precise - s/killing NAT/making NAT superfluous/
and then I discover my router firewall does not work on IPv6.
Still nothing from the beta test support?
With SuSEfirewalld I used this rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
    192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
    192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
    192.168.1.15,udp,6666 192.168.1.15,icmp \
    192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine. I'd like to know if there is a similar trick with firewalld.
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed. Your definition above seems to translate to: "accept smtp from 192.168.1.15" (for instance). There will be some straightforward way of defining that with/in firewalld too.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
What about your 192.168.1.15 - did that never change, i.e. was it a fixed allocation or did you just hope it never would? If the machine address (i.e. excluding the prefix) does not change, you don't have to specify the prefix.

--
Per Jessen, Zürich (9.1°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
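The firewalld equivalent Per describes ("accept smtp from 192.168.1.15"), as an added example that is not part of this thread: a hypothetical Python helper (not firewalld's or SuSEfirewall2's own tooling) that turns FW_TRUSTED_NETS entries into firewalld rich rules and the firewall-cmd calls to load them. It assumes entries follow the net[,protocol[,port]] form shown above and resolves service names through /etc/services with a built-in fallback table; the sample input is constructed.

```python
"""Translate SuSEfirewall2-style FW_TRUSTED_NETS entries into firewalld rich rules.

Entry syntax is net[,protocol[,port]]; the port is a number or an /etc/services name.
Hypothetical helper written for this thread, not firewalld's own tooling.
"""
import ipaddress
import shlex
import socket

# Well-known ports used when /etc/services cannot resolve a service name.
FALLBACK_PORTS = {"smtp": 25, "ftp": 21, "ftp-data": 20, "syslog": 514,
                  "sunrpc": 111, "nfs": 2049}


def resolve_port(name, proto):
    """Turn a numeric port or an /etc/services name into an integer port."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return FALLBACK_PORTS[name]


def rich_rule(entry):
    """Build one firewalld rich rule from a single FW_TRUSTED_NETS entry."""
    parts = entry.split(",")
    net = ipaddress.ip_network(parts[0], strict=False)
    # A single host is written bare; a range keeps its prefix length.
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
    rule = [f'rule family="ipv{net.version}"', f'source address="{addr}"']
    if len(parts) == 2:
        # Protocol only (e.g. icmp): accept that whole protocol from the source.
        rule.append(f'protocol value="{parts[1]}"')
    elif len(parts) >= 3:
        port = resolve_port(parts[2], parts[1])
        rule.append(f'port port="{port}" protocol="{parts[1]}"')
    # A bare network with no protocol trusts all traffic from that source.
    rule.append("accept")
    return " ".join(rule)


def firewall_cmds(config_line, zone="public"):
    """Parse FW_TRUSTED_NETS="..." (with backslash continuations) into firewall-cmd calls."""
    value = config_line.split("=", 1)[1] if config_line.startswith("FW_TRUSTED_NETS") else config_line
    entries = value.replace("\\", " ").replace('"', " ").split()
    return [f"firewall-cmd --zone={zone} --add-rich-rule={shlex.quote(rich_rule(e))}"
            for e in entries]


if __name__ == "__main__":
    # Constructed sample mirroring the quoted rule, plus one IPv6 host.
    SAMPLE = ('FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \\\n'
              '    192.168.1.15,udp,syslog 192.168.1.15,icmp 2001:db8::15,tcp,nfs"')
    for cmd in firewall_cmds(SAMPLE):
        print(cmd)
```

Each rule matches one fixed source address, so on IPv6 it only holds while that address (prefix included) stays the same, which is exactly the caveat raised above; add --permanent to the generated commands to keep them across reloads.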