On 2023-04-26 08:45, Per Jessen wrote:
Carlos E. R. wrote:
(This is a thinking aloud post, so of course there is conflict in what I say)
I didn't see any conflicts, maybe I need to look again :-)
Isengard:/etc/firewalld/zones # firewall-cmd --list-all
[snip - 80 rich rules]
rule family="ipv6" source address="fe80::/64" port port="5353" protocol="udp" accept
rule family="ipv6" source address="fc00::/64" port port="5353" protocol="udp" accept
1) isn't that the kind of rule - family="ipv6" - that made your firewalld explode yesterday?
Yes, but a different rule:
family="ipv6" source mac="MAC..." reject
2) 5353 is for mdns - you won't see any of that on fe80::. Are you actually using fc00:: ?
You ask details I don't remember :-D My notes in "/etc/sysconfig/SuSEfirewall2" say:
# fe80::/64,udp,5353 - autoconf broadcast from printer
3) Personally, I would be unhappy with such a setup, 86 rich rules.
Me too.
I appreciate it is due to the conversion script, but a pile of "rich rules" is not much better than my old well-structured iptables script, with comments. Anyway, just an observation.
Yes, I intend to clear them, but time is limited and I have to decide how. If rich rules accepted multiple IPs or multiple ports, it would be easier. Maybe I have to apply them to the entire LAN range.
carlos@Friend:~ $ curl http://[Ipv6_ADDR]
<html><body>
<h1>Welcome to Isengard</a></h1>
<h3>Letras: \ | @ # € </h3>
[snip]
Now, this is not correct, it is the response expected INSIDE the LAN. That means a problem in the Apache configuration for virtual hosts, but also that port 80 is not closed on IPv6.
You were presumably expecting the last rich rule
rule priority="10" source mac="ROUTER_MAC" reject
to cause that to be blocked.
Yep.
Obviously, computers have their own mind, but I'm not familiar with the firewalld "mind".
My computers do _exactly_ what they are told :-)
Mine too, but what they are actually told is not exactly what I meant to tell them :-p
Do what I mean, not what I say. DWIMNWIS.
Turn left! No, the other left! :-)
It seems that:
services: dns http https mountd nfs nfs3 ntp rpc-bind ssh
takes precedence over the rich rule denying packets via router.
Aha, okay. (I didn't know the meaning of that line).
(Can I write comments in xml file /etc/firewalld/zones/external.xml?)
Yes, use "<!-- comment -->". Can span multiple lines.
Ah. Thanks. Ah, Andrei notes that perhaps they will not be preserved. Ok, I can only try.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
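As an added illustration (not part of the thread above, and not Carlos's actual external.xml), here is how the two points raised in the exchange look in a firewalld zone file: XML comments of the form <!-- ... --> are legal in /etc/firewalld/zones/*.xml, and the ordering problem with the router reject rule comes from the rich-rule priority. firewalld places rich rules with a negative priority before the zone's services and ports, and rules with a positive priority after them, so a reject with priority="10" is only reached once the "http" service has already accepted the packet, which matches the curl result reported above. Moving the reject to a negative priority puts it in front of the services. The zone name, the ipset name "lan6", the placeholder ROUTER_MAC and the interface name are assumptions made for the example; the rule that a rich rule with source ipset= and no family takes the family from the ipset is also an assumption to check against your firewalld version.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Example zone, added for illustration, not the original external.xml.
  Comments like this one are valid in firewalld zone files; note that
  firewalld rewrites the file when the zone is changed through
  firewall-cmd --permanent, so hand-written comments may be lost then.
-->
<zone>
  <short>External</short>
  <description>Public side, with LAN-only exceptions.</description>
  <interface name="eth0"/>   <!-- assumption: interface name -->

  <!-- Negative priority: evaluated BEFORE the <service> entries below.
       With priority="10" (positive) this rule would sit behind the
       http/https/ssh accepts and never see the packet. -->
  <rule priority="-10">
    <source mac="ROUTER_MAC"/>   <!-- placeholder, not a real MAC -->
    <reject/>
  </rule>

  <!-- Zone elements: accepted for any source unless a rule above rejects first. -->
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="ntp"/>

  <!-- One rule instead of one per address: the sources live in an ipset.
       Assumption: with no family attribute, the rule inherits inet6 from the ipset. -->
  <rule>
    <source ipset="lan6"/>
    <port port="5353" protocol="udp"/>   <!-- mDNS from the printer -->
    <accept/>
  </rule>
</zone>
```

The ipset referenced above is created separately, for example with firewall-cmd --permanent --new-ipset=lan6 --type=hash:net --option=family=inet6, then firewall-cmd --permanent --ipset=lan6 --add-entry=fe80::/64 and --add-entry=fc00::/64 (these are the LAN ranges named in the thread; adjust to your own). Port ranges such as port="5353-5354" are also accepted in a single rule. After hand-editing a zone file, firewall-cmd --check-config validates the XML before firewall-cmd --reload applies it, and firewall-cmd --zone=external --list-rich-rules shows the rules in the order firewalld will evaluate them.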