[opensuse] IPv6 and SuSEfirewall2 question
Hi,

I saw this entry in the firewall log:

<0.4> 2015-05-08 15:16:05 minas-tirith kernel - - - [175655.346891] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=33:33:00:00:00:fb:00:1e:0b:08:4c:cb:86:dd SRC=fe80:0000:0000:0000:021e:0bff:fe08:4ccb DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=667 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=627

Port 5353 is mdns. I want to allow this and see what happens. So I added a line to FW_TRUSTED_NETS, like this:

FW_TRUSTED_NETS="192.168.1.14,tcp,ftp 192.168.1.14,tcp,ftp-data \
    192.168.1.14,tcp,imap 192.168.1.14,tcp,imaps \
    192.168.1.14,tcp,nfs \
    fe80:0000:0000:0000:021e:0bff:fe08:4ccb,udp,mdns"

But it produces an error:

minas-tirith:~ # SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
iptables-batch v1.4.21: host/network `fe80:0000:0000:0000:021e:0bff:fe08:4ccb' not found
Try `iptables-batch -h' or 'iptables-batch --help' for more information.
SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
iptables v1.4.21: host/network `fe80:0000:0000:0000:021e:0bff:fe08:4ccb' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: host/network `fe80:0000:0000:0000:021e:0bff:fe08:4ccb' not found
Try `iptables -h' or 'iptables --help' for more information.
SuSEfirewall2: Firewall rules successfully set
minas-tirith:~ #

I also tried "fe80:0:0:0::/64,udp,mdns" and I got:

minas-tirith:~ # SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
iptables-batch v1.4.21: invalid mask `64' specified
Try `iptables-batch -h' or 'iptables-batch --help' for more information.
SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
iptables v1.4.21: invalid mask `64' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: invalid mask `64' specified
Try `iptables -h' or 'iptables --help' for more information.
SuSEfirewall2: Firewall rules successfully set
minas-tirith:~ #

Doesn't SuSEfirewall accept IPv6 rules, or is support incomplete, or am I doing it wrong?

It is the first time I try to add a rule for IPv6, and I know very little about it.

--
Cheers
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05/08/2015 03:31 PM, Carlos E. R. wrote:
Doesn't SuSEfirewall accept IPv6 rules, or is support incomplete, or am I doing it wrong?
It is the first time I try to add a rule for IPv6, and I know very little about it.
It looks like it's choking on the link local address. You normally filter on a regular IPv6 address. One big difference is that it knows what network a regular address is on, but not with a link local address.
On 2015-05-08 22:39, James Knott wrote:
On 05/08/2015 03:31 PM, Carlos E. R. wrote:
It looks like it's choking on the link local address. You normally filter on a regular IPv6 address. One big difference is that it knows what network a regular address is on, but not with a link local address.
It is my HP printer address, I found out. Maybe I could set it up to a regular address :-?

[...]

No. The web control page allows to define the IPv4 address, but not the IPv6 one.

[...]

Just looked at the printer physical panel, and it is not possible to configure IPv6, just allow or disallow services.

So... how can I tell my computer to accept those packets, without opening it to the world?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Fri, 08 May 2015 22:56:59 +0200, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2015-05-08 22:39, James Knott wrote:
On 05/08/2015 03:31 PM, Carlos E. R. wrote:
It looks like it's choking on the link local address. You normally filter on a regular IPv6 address. One big difference is that it knows what network a regular address is on, but not with a link local address.
It is my HP printer address, I found out. Maybe I could set it up to a regular address :-? [...] No. The web control page allows to define the IPv4 address, but not the IPv6 one. [...] Just looked at the printer physical panel, and it is not possible to configure IPv6, just allow or disallow services.
So... how can I tell my computer to accept those packets, without opening it to the world?
FW_TRUSTED_NETS appears to be IPv4 only (as other configuration variables). As far as I can tell there is only support for basic generic rules for IPv6. You probably need to use custom functions and call ip6tables directly.
On Sat, May 09, 2015 at 08:06:39AM +0300, Andrei Borzenkov wrote:
On Fri, 08 May 2015 22:56:59 +0200, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2015-05-08 22:39, James Knott wrote:
On 05/08/2015 03:31 PM, Carlos E. R. wrote:
It looks like it's choking on the link local address. You normally filter on a regular IPv6 address. One big difference is that it knows what network a regular address is on, but not with a link local address.
It is my HP printer address, I found out. Maybe I could set it up to a regular address :-? [...] No. The web control page allows to define the IPv4 address, but not the IPv6 one. [...] Just looked at the printer physical panel, and it is not possible to configure IPv6, just allow or disallow services.
So... how can I tell my computer to accept those packets, without opening it to the world?
FW_TRUSTED_NETS appears to be IPv4 only (as other configuration variables). As far as I can tell there is only support for basic generic rules for IPv6. You probably need to use custom functions and call ip6tables directly.
Hi,

Yes, FW_TRUSTED_NETS is v4 only. But you could add a rule allowing port 5353 UDP, although not network limited.

FW_SERVICES_EXT_UDP="5353"

Ciao, Marcus
On Saturday, 9 May 2015 08:06:39, Andrei Borzenkov wrote:
FW_TRUSTED_NETS appears to be IPv4 only (as other configuration variables). As far as I can tell there is only support for basic generic rules for IPv6. You probably need to use custom functions and call ip6tables directly.
I use FW_SERVICES_ACCEPT_EXT="fe80::/64,udp,5353", but also "2xxx:yyyy:zzzz::/48,udp,5353" where 2xxx:yyy:zzz is my assigned global IPv6 address, because I also saw packages having that address using wireshark.

In my view the standard should be that udp,5353 packages from the local network should always be accepted by the firewall.

--
fr.gr.
member openSUSE
Freek de Kruijf
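An added example, not from the thread and not part of SuSEfirewall2: a Python script that parses the SFW2-INext-DROP-DEFLT line quoted at the top, classifies the dropped packet (link-local source, multicast destination, the mDNS group ff02::fb) and then checks which candidate accept entries would have matched it. It makes the difference in scope between Marcus's unrestricted FW_SERVICES_EXT_UDP="5353" and Freek's fe80::/64 entry concrete, and shows that the printer's address and the "fe80:0:0:0::/64" form both parse fine as IPv6, so the earlier errors came from handing them to the IPv4 iptables, not from the notation. The sample log line is constructed from the one in the thread; the "net,proto,port" entry syntax, "0/0" meaning "any source", and the SERVICE_PORTS stand-in for /etc/services are assumptions about SuSEfirewall2 conventions.

```python
import ipaddress
import re

# Constructed sample: the SFW2-INext-DROP-DEFLT line quoted at the top of the thread.
SAMPLE_LOG = (
    "<0.4> 2015-05-08 15:16:05 minas-tirith kernel - - - [175655.346891] "
    "SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=33:33:00:00:00:fb:00:1e:0b:08:4c:cb:86:dd "
    "SRC=fe80:0000:0000:0000:021e:0bff:fe08:4ccb DST=ff02:0000:0000:0000:0000:0000:0000:00fb "
    "LEN=667 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=627"
)

MDNS_GROUP_V6 = ipaddress.ip_address("ff02::fb")   # link-scope mDNS multicast group
SERVICE_PORTS = {"mdns": 5353}                     # assumed stand-in for /etc/services


def parse_sfw2_line(line):
    """Turn one SuSEfirewall2 kernel log line into a dict.

    The netfilter LOG output prints LEN twice (IP header first, then the UDP
    header); the second copy is kept as PAYLOAD_LEN so neither value is lost.
    """
    m = re.search(r"SFW2-(\S+)", line)
    if m is None:
        raise ValueError("not a SuSEfirewall2 log line")
    fields = {"RULE": m.group(1)}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        if key == "LEN" and "LEN" in fields:
            fields["PAYLOAD_LEN"] = value
        elif key not in fields:
            fields[key] = value
    for key in ("SRC", "DST"):
        fields[key] = ipaddress.ip_address(fields[key])
    for key in ("SPT", "DPT", "LEN", "PAYLOAD_LEN", "HOPLIMIT", "TTL"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def classify(pkt):
    """Link-local source? Multicast destination? Is it mDNS at all?"""
    return {
        "src_link_local": pkt["SRC"].is_link_local,
        "dst_multicast": pkt["DST"].is_multicast,
        "is_mdns": (pkt["DST"] == MDNS_GROUP_V6
                    and pkt.get("PROTO") == "UDP"
                    and pkt.get("DPT") == 5353),
    }


def parse_accept_entry(entry):
    """Parse 'net,proto,port' as written in FW_SERVICES_ACCEPT_EXT.

    Assumptions: '0/0' means any source, and the port may be a number or a
    service name looked up in SERVICE_PORTS.
    """
    net, proto, port = entry.split(",")[:3]
    network = None if net == "0/0" else ipaddress.ip_network(net, strict=False)
    port = SERVICE_PORTS.get(port.lower(), port)
    return network, proto.upper(), int(port)


def entry_matches(entry, pkt):
    """Would this accept entry have let the logged packet through?"""
    network, proto, port = parse_accept_entry(entry)
    if proto != pkt.get("PROTO") or port != pkt.get("DPT"):
        return False
    if network is None:
        return True                      # unscoped: any source, v4 or v6
    if network.version != pkt["SRC"].version:
        return False                     # an IPv4 net never matches an IPv6 source
    return pkt["SRC"] in network


def evaluate(entries, pkt):
    """Map each entry to (matches, scoped) so wide-open rules stand out."""
    result = {}
    for entry in entries:
        network = parse_accept_entry(entry)[0]
        scoped = network is not None and network.prefixlen > 0
        result[entry] = (entry_matches(entry, pkt), scoped)
    return result


if __name__ == "__main__":
    pkt = parse_sfw2_line(SAMPLE_LOG)
    print(classify(pkt))
    candidates = [
        "fe80:0000:0000:0000:021e:0bff:fe08:4ccb,udp,mdns",  # the printer itself
        "fe80:0:0:0::/64,udp,mdns",                          # the second attempt
        "fe80::/64,udp,5353",                                # Freek's scoped entry
        "0/0,udp,5353",                                      # FW_SERVICES_EXT_UDP="5353" equivalent
        "192.168.1.14,udp,5353",                             # IPv4 net, cannot match
    ]
    for entry, (hit, scoped) in evaluate(candidates, pkt).items():
        print(f"{entry:52} match={hit} scoped={scoped}")
```

Running it shows that every IPv6 form of the entry matches the printer's packet, that the IPv4 entry can never match it, and that only the "0/0" entry is both matching and unscoped, which is the trade-off Marcus points out.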