On 2023-04-25 08:30, Andrei Borzenkov wrote:
> On Tue, Apr 25, 2023 at 9:15 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
>> Well, in all machines except one I think I can block both IPv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
>>
>> Maybe another rich rule to accept on those two ports?
>
> Use
>
> rule priority="10" ...
>
> to order this rule after normal "allow" chain. Any positive number will do.
>
> Or you can switch to iptables backend so that family="ipv6" works.
>
> Actually, considering that the "public" zone blocks everything by default, you do not need any explicit rule at all.
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http... This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT, and then I discover my router firewall does not work on IPv6.

With SuSEfirewall2 I used this rule:

FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
192.168.1.15,udp,6666 192.168.1.15,icmp \
192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"

Which allowed those ports only if coming from that machine.

I'd like to know if there is a similar trick with firewalld. However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
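The firewalld equivalent of that FW_TRUSTED_NETS value is one rich rule per entry, each restricted to the source address and carrying the positive priority Andrei mentions. The script below is an added example, not code from the thread or from firewalld: it converts the SuSEfirewall2 format into rich rules and prints the firewall-cmd invocations without running them. It assumes a small hand-written table of well-known service ports (rich rules take numeric ports only) and treats port-less entries such as icmp as raw protocols.

```python
"""Translate a SuSEfirewall2 FW_TRUSTED_NETS value into firewalld rich rules."""
import shlex

# Constructed copy of the value quoted in the thread (backslash continuations kept).
FW_TRUSTED_NETS = r'''"192.168.1.15,tcp,smtp \
192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
192.168.1.15,udp,6666 192.168.1.15,icmp \
192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"'''

# Assumption: a hand-written table of well-known ports covering the names used;
# rich rules need numeric ports, and unknown names fail loudly instead of guessing.
SERVICE_PORTS = {"smtp": 25, "ftp": 21, "ftp-data": 20, "syslog": 514,
                 "sunrpc": 111, "nfs": 2049, "ssh": 22, "http": 80}
PROTOCOL_ONLY = {"icmp", "icmpv6", "esp", "ah", "gre"}  # entries with no port field

def _port_number(port):
    if port.isdigit():
        return int(port)
    if port in SERVICE_PORTS:
        return SERVICE_PORTS[port]
    raise ValueError(f"unknown service name: {port}")

def entry_to_rich_rule(entry, priority=10, family="ipv4"):
    """Map one 'network,protocol[,port]' entry to a rich rule that accepts it."""
    parts = entry.split(",")
    if len(parts) not in (2, 3):
        raise ValueError(f"malformed entry: {entry!r}")
    net, proto = parts[0], parts[1]
    # A positive priority sorts this rule after the zone's ordinary allow rules.
    head = f'rule priority="{priority}" family="{family}" source address="{net}"'
    if len(parts) == 2:
        if proto not in PROTOCOL_ONLY:
            raise ValueError(f"{proto} needs a port: {entry!r}")
        return f'{head} protocol value="{proto}" accept'
    return f'{head} port port="{_port_number(parts[2])}" protocol="{proto}" accept'

def trusted_nets_to_rich_rules(value, priority=10, family="ipv4"):
    """Split the whole variable (quotes and line continuations included)."""
    cleaned = value.replace("\\", " ").strip().strip('"')
    return [entry_to_rich_rule(e, priority, family) for e in cleaned.split()]

def firewall_cmd_lines(rules, zone="public"):
    """Render permanent firewall-cmd invocations; nothing is executed here."""
    return [f"firewall-cmd --permanent --zone={zone} --add-rich-rule={shlex.quote(r)}"
            for r in rules]

if __name__ == "__main__":
    print("\n".join(firewall_cmd_lines(trusted_nets_to_rich_rules(FW_TRUSTED_NETS))))
```

For IPv6 the same function takes family="ipv6" and a prefix such as 2001:db8::/64 as the source; since the thread notes the prefix itself changes, such rules have to be regenerated whenever it does.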