On 2023-04-25 11:14, Per Jessen wrote:
Carlos E. R. wrote:
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed.
Your definition above seems to translate to:
"accept smtp from 192.168.1.15" (for instance).
Ok, and where in the GUI do you write that? :-) Another rich rule?
That is left as an exercise for the reader. I don't use firewalld myself, I speak iptables.
There will be some straightforward way of defining that with/in firewalld too.
I don't see it in the GUI.
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert. For the record, the documentation is in <https://en.opensuse.org/Firewalld> <https://github.com/openSUSE/susefirewall2-to-firewalld/blob/master/README.md>
An incoming connection can take any of those 13 addresses. Don't think "normally", think also bad actors.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule: FW_TRUSTED_NETS="192.168.1.15,tcp,smtp" it would be converted to 20 lines like: accept smtp from fe80::2d8:61ff:fea1:5abd and have a script to dynamically change it every time the prefix or one of the suffixes change. That is not practical. Instead, I would use the rule Andrei suggested blocking anything coming from the router (for IPv6 when the bug is corrected). (not wanting to change the default nftables to iptables because I know nothing about it) (I don't know how to find out if a machine is using one or the other, though)
Although, with (regularly?) changing addresses, any services (e.g. smtp) would need to listen on all addresses. You can fix the lower half (using EUI64), but not the upper.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged. I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
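The conversion discussed in the thread, from a SuSEfirewall2 FW_TRUSTED_NETS entry of the form "source,proto,service" to a firewalld rich rule, as an added example that is not part of the mailing-list exchange and not the code of the susefirewall2-to-firewalld tool. The service-to-port table is an assumption limited to a few common names; the FirewallBackend key it reads is the real one in /etc/firewalld/firewalld.conf, and the firewall-cmd line in the trailing comment shows how such a rule would be loaded.

```shell
#!/bin/sh
# Added example, not from the thread: turn one FW_TRUSTED_NETS entry
# "<source>,<proto>,<service-or-port>" into a firewalld rich rule string.

# Resolve a service name to a port number. Assumption: only these few
# names are needed; numeric ports pass through unchanged.
service_port() {
    case "$1" in
        smtp)   echo 25 ;;
        ssh)    echo 22 ;;
        http)   echo 80 ;;
        https)  echo 443 ;;
        [0-9]*) echo "$1" ;;
        *)      return 1 ;;
    esac
}

# Pick the rich-rule address family: a colon in the address means IPv6.
addr_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# trusted_net_to_rich_rule "192.168.1.15,tcp,smtp"
# prints: rule family="ipv4" source address="192.168.1.15" port port="25" protocol="tcp" accept
trusted_net_to_rich_rule() {
    entry="$1"
    src="${entry%%,*}"
    rest="${entry#*,}"
    proto="${rest%%,*}"
    svc="${rest#*,}"
    port=$(service_port "$svc") || return 1
    fam=$(addr_family "$src")
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$fam" "$src" "$port" "$proto"
}

# Report which backend firewalld is configured to use by reading the
# FirewallBackend= key; firewalld defaults to nftables when the key is absent.
firewalld_backend() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    val=$(sed -n 's/^FirewallBackend=//p' "$conf" 2>/dev/null | tail -n 1)
    echo "${val:-nftables}"
}

# Demonstration with a constructed entry; run with --demo to see the rule.
if [ "${1:-}" = "--demo" ]; then
    trusted_net_to_rich_rule "192.168.1.15,tcp,smtp"
    echo "backend: $(firewalld_backend)"
    # To load such a rule permanently into the public zone:
    #   firewall-cmd --permanent --zone=public \
    #     --add-rich-rule="$(trusted_net_to_rich_rule '192.168.1.15,tcp,smtp')"
    #   firewall-cmd --reload
fi
```

The one-entry-per-address shape of the output is exactly why the thread finds the conversion impractical for a host whose IPv6 addresses change: each address needs its own rich rule, and regenerating them on every prefix change means re-running this kind of script rather than writing the rules once.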