[oS-en] Firewall and IPv6
Hi,
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall tell that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
-- Cheers Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 00:14, James Knott wrote:
On 2023-04-20 17:36, Carlos E. R. wrote:
Ideas?
Use your own firewall/router. I use pfSense.
Again? I can not. I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
ip6tables -A INPUT -p all -j DROP
That will accept all traffic coming from addresses in your prefix, and drop everything else. There are a couple more entries needed to allow a machine to have working ipv6 traffic on the internet, if desired. -- Per Jessen, Zürich (6.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes? The rule could be specified without the prefix, but when the host address can also change ... -- Per Jessen, Zürich (6.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated? And more importantly, do you have any idea how it can be done *before* prefix change, as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-)
Possible options -
* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?
I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated). -- Per Jessen, Zürich (7.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 10:40, Per Jessen wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-)
Possible options -
* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?
I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated).
Five minutes. I can only think of a cron job running every five minutes that learns the prefix and acts. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-21 10:40, Per Jessen wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 11:14 AM Per Jessen <per@opensuse.org> wrote:
Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 10:52 AM Per Jessen <per@opensuse.org> wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
What is not clear in "prefix will change every day"?
Andrei, that is very clear, but that's a hurdle Carlos will somehow have to live with / work around. Reload the firewall when the address changes?
Do you have any practical suggestions on how it can be automated?
Heh, that is left as an exercise for the reader :-)
Possible options -
* some hook that could be called when the address changes.
* maybe set up a file monitor on the lease file.
* maybe an iptables rule that triggers on the new RA?
I think the latter is my favourite.
And more importantly, do you have any idea how it can be done *before* prefix change,
With a modern crystal ball, that is not a problem ...
as otherwise you have a window where the firewall is configured for the old prefix which may have already been reused for some other customer and so allow external traffic.
Very true - but we are talking about a second or less. (estimated).
Five minutes. I can only think of a cron job running every five minutes that learns the prefix and acts.
It could be 32-37 minutes if you write the cron job for that. I guess you skipped the section "Possible options" above. Even with "bit-banging", e.g. querying the address in a tight loop, you can probably achieve a sub-second window. -- Per Jessen, Zürich (8.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023/4/21 15:52, Per Jessen wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
ip6tables -A INPUT -p all -j DROP
This line drops all other IPv6 inputs, including the ICMPv6 from the link local address. I don't think this is a good idea.
It's better to ACCEPT the ICMPv6 from the link local address (e.g. fe80::/64) and your prefix (e.g. 2a02:1234:5678:abcd::/64) before DROPping all others.
That will accept all traffic coming from addresses in your prefix, and drop everything else. There is a couple of more entries needed to allow a machine to have working ipv6 traffic on the internet, if desired.
Nohk Two wrote:
On 2023/4/21 15:52, Per Jessen wrote:
Carlos E. R. wrote:
I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld. On each computer.
ip6tables -A INPUT -p all -s yourpref/64 -j ACCEPT
ip6tables -A INPUT -p all -j DROP
This line drops all other IPv6 inputs, including the ICMPv6 from the link local address. I don't think this is a good idea.
It's better to ACCEPT the ICMPv6 from the link local address (e.g. fe80::/64) and your prefix (e.g. 2a02:1234:5678:abcd::/64) before DROPping all others.
I agree. I didn't mean to present an "only-add-water" solution, a complete iptables firewall certainly requires more. Looking at a random machine of my own, it has some 60 iptables rules. -- Per Jessen, Zürich (8.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall tell that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside. You could also block all IPv6 packets from your router MAC address.
On 2023-04-21 09:11, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall tell that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
You could also block all IPv6 packets from your router MAC address.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Fri, Apr 21, 2023 at 12:14 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:11, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall tell that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
That is not what I said.
You could also block all IPv6 packets from your router MAC address.
On 2023-04-21 11:16, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:14 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:11, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:36 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Hi,
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall tell that an incoming IPv6 address is actually in my intranet, or is external?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
That is not what I said.
Hum. Still, I don't know how to do that in SuSEfirewall2 or firewalld. And that would only be temporary, there are machines in the intranet which I don't control, like the printer, the google chromecast...
You could also block all IPv6 packets from your router MAC address.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Fri, Apr 21, 2023 at 12:40 PM Carlos E. R. <robin.listas@telefonica.net> wrote: ...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
...
Still, I don't know how to do that in SuSEfirewall2 or firewalld.
firewalld by default blocks all incoming traffic unless you set the zone target (policy) to ACCEPT. In the zone definitions that come with firewalld, that is only set for the zone "trusted".
And that would only be temporary, there are machines in the intranet which I don't control, like the printer, the google chromecast...
As usual, you are shifting goalposts. You started with "I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld". If you now talk about other devices, then either read the documentation for these other devices or ask on support channels for these other devices or install a box between your router and your LAN and configure a firewall on this box. Which will automatically solve the problem of changing prefixes as this box will have a fixed internal interface and a fixed external interface so it will make unambiguous what traffic comes from outside.
On 2023-04-21 12:27, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:40 PM Carlos E. R. <> wrote: ...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
...
Still, I don't know how to do that in SuSEfirewall2 or firewalld.
firewalld by default blocks all incoming traffic unless you set the zone target (policy) to ACCEPT. In the zone definitions that come with firewalld, that is only set for the zone "trusted".
The problem is, that before having IPv6, I simply opened port 22, or 80, or whatever, to intranet traffic. The firewall knew which it was. Now it doesn't. Those ports are open to Intranet and Internet. SuSEfirewall2 is deprecated, so I have to move to firewalld. And I simply do not know how to tell firewalld to open some ports to intranet and close them to internet. I tried googling, did not find anything suitable.
And that would only be temporary, there are machines in the intranet which I don't control, like the printer, the google chromecast...
As usual, you are shifting goalposts. You started with "I'm asking how to block external internet in openSUSE, using SuSEfirewall2 or firewalld". If you now talk about other devices, then either read the documentation for these other devices or ask on support channels for these other devices or install a box between your router and your LAN and configure a firewall on this box. Which will automatically solve the problem of changing prefixes as this box will have a fixed internal interface and a fixed external interface so it will make unambiguous what traffic comes from outside.
I know about that. I just comment on the situation. I can protect the computers, I hope, by doing something to each computer firewall. So far, I don't know what. To protect all, the only thing to do is ask the ISP to cease the IPv6 Beta for me. I will certainly do that if they don't answer my question. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
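Per's two ip6tables lines, Nohk Two's ICMPv6 caveat, the "hook or cron job" discussion and Andrei's point that firewalld only admits what a zone allows all point at one small script. The one below is an added example and is not code from anyone in this thread. It derives the current /64 from the LAN interface's global address and, only when that prefix has changed, rebinds the LAN-only trust to it. The interface name, the firewalld zone "home", the ip6tables chain "LANV6" and the state file path are placeholders I have assumed; the firewalld mode answers the "open some ports to intranet and close them to internet" question directly (put the LAN-only services in a zone, bind the prefix to that zone as a source, leave the interface in the closed default zone), while the ip6tables mode is Per's accept/drop pair with the ICMPv6 exceptions Nohk Two asked for.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Learn the delegated
# /64 from the LAN interface's current global address and, when it changes,
# rebind the LAN-only trust to the new prefix. Meant to run from cron or a
# network-dispatcher hook. Every name below is an assumption to adjust.
IFACE="${IFACE:-eth0}"              # assumed LAN interface
BACKEND="${BACKEND:-firewalld}"     # "firewalld" or "ip6tables"
ZONE="${ZONE:-home}"                # assumed firewalld zone holding LAN-only services
CHAIN="${CHAIN:-LANV6}"             # assumed ip6tables chain owned by this script
STATE="${STATE:-/run/lanv6.prefix}" # assumed path remembering the last prefix
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands instead of running them

# expand_v6: rewrite an IPv6 address as eight colon-separated hex groups without
# leading zeros ("2a02:1234::1" -> "2a02:1234:0:0:0:0:0:1"). Accepts "::", a
# trailing /len and a %zone; malformed and IPv4-embedded forms return 1.
expand_v6() {
  local addr left right g n nl nr out
  local IFS=:
  addr=${1%%/*}; addr=${addr%%%*}
  case $addr in
    *::*::*) return 1 ;;                       # more than one "::" is invalid
    *::*)    left=${addr%%::*}; right=${addr#*::} ;;
    *)       left=$addr; right= ;;
  esac
  for g in $left $right; do                    # every group: 1-4 hex digits
    case $g in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
  done
  nl=0; nr=0; out=
  for g in $left; do out="$out$(printf '%x' "0x$g"):"; nl=$((nl + 1)); done
  for g in $right; do nr=$((nr + 1)); done
  n=$((8 - nl - nr))                           # groups the "::" stands for
  case $addr in *::*) [ "$n" -ge 1 ] || return 1 ;; *) [ "$n" -eq 0 ] || return 1 ;; esac
  while [ "$n" -gt 0 ]; do out="${out}0:"; n=$((n - 1)); done
  for g in $right; do out="$out$(printf '%x' "0x$g"):"; done
  printf '%s\n' "${out%:}"
}

# prefix64: the /64 an address belongs to, in the form both "ip6tables -s" and
# "firewall-cmd --add-source" accept.
prefix64() {
  local full
  local IFS=:
  full=$(expand_v6 "$1") || return 1
  set -- $full
  printf '%s:%s:%s:%s::/64\n' "$1" "$2" "$3" "$4"
}

# current_prefix: /64 of the first global-unicast (2000::/3) address on IFACE.
# ULA (fd00::/8) addresses also show "scope global", so they are skipped.
current_prefix() {
  local addr
  addr=$(ip -6 -o addr show dev "$IFACE" scope global 2>/dev/null |
    awk '$4 ~ /^[23]/ { print $4; exit }')
  [ -n "$addr" ] || return 1
  prefix64 "$addr"
}

# rules_for OLD NEW: print the commands that move LAN trust from OLD to NEW.
# firewalld: services opened "to the intranet" live in $ZONE, bound to the
# prefix as a source; the interface stays in the closed default zone. Runtime
# only (no --permanent), so a restart never keeps a stale prefix.
# ip6tables: one chain keeping ICMPv6 from link-local (RA/ND) and from "::"
# (DAD), accepting the prefix and dropping the rest.
rules_for() {
  local old=$1 new=$2
  if [ "$BACKEND" = firewalld ]; then
    if [ -n "$old" ]; then echo "firewall-cmd --zone=$ZONE --remove-source=$old"; fi
    echo "firewall-cmd --zone=$ZONE --add-source=$new"
  else
    cat <<EOF
ip6tables -N $CHAIN 2>/dev/null || ip6tables -F $CHAIN
ip6tables -C INPUT -j $CHAIN 2>/dev/null || ip6tables -I INPUT 1 -j $CHAIN
ip6tables -A $CHAIN -i lo -j ACCEPT
ip6tables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A $CHAIN -p ipv6-icmp -s fe80::/10 -j ACCEPT
ip6tables -A $CHAIN -p ipv6-icmp -s ::/128 -j ACCEPT
ip6tables -A $CHAIN -s $new -j ACCEPT
ip6tables -A $CHAIN -j DROP
EOF
  fi
}

# apply_if_changed: act only when the prefix differs from the last one applied.
# From cron the stale-prefix window is the cron interval; a dispatcher hook
# shrinks it to the time the hook takes to run.
apply_if_changed() {
  local old new
  new=$(current_prefix) || { echo "no global IPv6 address on $IFACE" >&2; return 1; }
  old=; [ -r "$STATE" ] && old=$(cat "$STATE")
  [ "$new" = "$old" ] && return 0
  rules_for "$old" "$new"                      # always show the plan
  [ "$DRY_RUN" = 1 ] && return 0
  rules_for "$old" "$new" | sh -e && printf '%s\n' "$new" >"$STATE"
}

case ${1:-} in apply) apply_if_changed ;; esac   # e.g. DRY_RUN=0 ./lanv6.sh apply
```

With the firewalld backend the LAN-only services are added to the zone once (for instance `firewall-cmd --zone=home --add-service=ssh`), and the script only ever changes which /64 is bound to that zone; nothing is added to the interface's default zone, so the same ports stay closed towards the internet. The state file is kept under /run on purpose: after a reboot it is gone, the first run re-applies, and no old prefix survives from a previous lease.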
On 2023/4/21 17:16, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:14 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:11, Andrei Borzenkov wrote:
...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
I believe what Andrei suggested is that you don't listen on the IPv6 addresses for your services. That is, if you have a web server then just let the web server listen on IPv4 addresses.
If you did this, then the firewall might be easier to manage. You can just accept the necessary ICMPv6 inputs and drop all others.
That is not what I said.
On 2023-04-21 12:17, Nohk Two wrote:
On 2023/4/21 17:16, Andrei Borzenkov wrote:
On Fri, Apr 21, 2023 at 12:14 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:11, Andrei Borzenkov wrote:
...
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
Yes, I was considering that. Disable IPv6. As this is a Beta test, just ask the provider to drop IPv6 service.
I believe what Andrei suggested is that you don't listen on the IPv6 addresses for your services. That is, if you have a web server then just let the web server listen on IPv4 addresses.
Far easier and safer to disable IPv6 entirely at the router or ISP. It is the only safe route, actually. I asked at the ISP Beta support forum, no answers yet. I don't know if the problem is only with this router or with all, and whether they decide they have to publish a patch or not, or perhaps there is some configuration I can do at the router. Meanwhile, what I'm contemplating is how to tell SuSEfirewall2 or firewalld how to distinguish intranet traffic from Internet traffic (on IPv6). There must be a way. Directly handling iptables myself is too complicated for me.
If you did this, then the firewall might be easier to manage. You can just accept the necessary ICMPv6 inputs and drop all others.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
Far easier and safer to disable IPv6 entirely at the router or ISP. It is the only safe route, actually.
I asked at the ISP Beta support forum, no answers yet. I don't know if the problem is only with this router or with all, and whether they decide they have to publish a patch or not, or perhaps there is some configuration I can do at the router.
The problem being that the firewall doesn't work? Btw, to disable ipv6 in the router, see section 8.5 on page 65 of the manual. If you want to continue playing with ipv6, you can even unselect prefix delegation and just add your own. -- Per Jessen, Zürich (11.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 13:11, Per Jessen wrote:
Carlos E. R. wrote:
Far easier and safer to disable IPv6 entirely at the router or ISP. It is the only safe route, actually.
I asked at the ISP Beta support forum, no answers yet. I don't know if the problem is only with this router or with all, and whether they decide they have to publish a patch or not, or perhaps there is some configuration I can do at the router.
The problem being that the firewall doesn't work?
Right.
Btw, to disable ipv6 in the router, see section 8.5 on page 65 of the manual. If you want to continue playing with ipv6, you can even unselect prefix delegation and just add your own.
I'd just disable it, yes, but by sending an email to the Beta testing people so that they know the reason. That's why there is a Beta... -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 03:11, Andrei Borzenkov wrote:
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
You could also block all IPv6 packets from your router MAC address.
Then he might as well not even have IPv6. Maybe the solution is to move to a better country. 😉 He seems to have had a lot of issues with his ISP, to the point I would have taken my business elsewhere long ago.
On Fri, Apr 21, 2023 at 3:23 PM James Knott <james.knott@jknott.net> wrote:
On 2023-04-21 03:11, Andrei Borzenkov wrote:
Pragmatic answer - do not use IPv6 inside your LAN and simply block IPv6 except ports you want to make available from outside.
You could also block all IPv6 packets from your router MAC address.
Then he might as well not even have IPv6.
He will have outgoing connectivity to IPv6 sites. Which is exactly what we have with IPv4 behind NAT.
On 2023-04-21 08:29, Andrei Borzenkov wrote:
You could also block all IPv6 packets from your router MAC address.
Then he might as well not even have IPv6.
He will have outgoing connectivity to IPv6 sites. Which is exactly what we have with IPv4 behind NAT.
Blocking the MAC address will block all IPv6 traffic, as there is no relationship between connections and it. A firewall normally uses sockets, that is source and destination addresses and ports to determine whether incoming packets are part of an existing connection.
On Fri, Apr 21, 2023 at 3:33 PM James Knott <james.knott@jknott.net> wrote:
On 2023-04-21 08:29, Andrei Borzenkov wrote:
You could also block all IPv6 packets from your router MAC address.
Then he might as well not even have IPv6.
He will have outgoing connectivity to IPv6 sites. Which is exactly what we have with IPv4 behind NAT.
Blocking the MAC address will block all IPv6 traffic,
Firewalls have multiple rules. Nowhere have I claimed this should be the only rule. I answered the question "how to distinguish Internet traffic".
Carlos E. R. wrote:
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall that an incoming IPv6 address is actually in my intranet, or is external?
It doesn't matter, all of the addresses in your allocated prefix are yours.
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Why not just set up the ipv6 firewall in your router? -- Per Jessen, Zürich (6.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 09:33, Per Jessen wrote:
Carlos E. R. wrote:
I discovered that my ISP provided "router" does not do any firewalling on IPv6. All my IPv6 capable machines are fully visible from internet.
My Linux machines have a firewall. On some of them, I opened ports to be used in the intranet. It was obvious, an address such as 192.1.1.50 was in my intranet.
Now, how the $% can the firewall that an incoming IPv6 address is actually in my intranet, or is external?
It doesn't matter, all of the addresses in your allocated prefix are yours.
Yes, but can SuSEfirewall2 or firewalld learn that prefix and act, automatically? Is it possible?
Consider that my ISP provided prefix is not fixed, but is dynamic. I can not write the address in any script, because it changes when the router reboots.
Ideas?
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Fri, 21 Apr 2023 11:16:06 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:33, Per Jessen wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
It seems to me that the simplest and best answer is likely to be to put another small box between your ISP-supplied router and your internal network. It needs two ethernet ports. You can run whatever firewall you want on it (pfSense? opensuse? ?) but it can easily distinguish traffic to/from outside by which interface it arrives on and what its destination is.
On 4/21/23 03:22, Dave Howorth wrote:
On Fri, 21 Apr 2023 11:16:06 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2023-04-21 09:33, Per Jessen wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
It seems to me that the simplest and best answer is likely to be to put another small box between your ISP-supplied router and your internal network. It needs two ethernet ports. You can run whatever firewall you want on it (pfSense? opensuse? ?) but it can easily distinguish traffic to/from outside by which interface it arrives on and what its destination is.
+1 That's what I do with a Zyxel USG40 router/firewall. This way you don't have to trust your ISP to get your security right. I personally don't see any reason to use IPv6 at this time, it's easy to just block everything at the router. Regards, Lew "If thy IPv6 offends thee; pluck it out!"
Carlos E. R. wrote:
Ideas?
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
Idea#2 - report problem to your beta test support group. -- Per Jessen, Zürich (11.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 13:01, Per Jessen wrote:
Carlos E. R. wrote:
Ideas?
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
Idea#2 - report problem to your beta test support group.
Of course, did that yesterday. No answer. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-21 13:01, Per Jessen wrote:
Carlos E. R. wrote:
Ideas?
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
Idea#2 - report problem to your beta test support group.
Of course, did that yesterday. No answer.
Well, we know Telefonica are a bit slow - took them more than ten years to start beta testing ipv6 with customers - maybe check back in a month or two :-) Maybe share the firewall rules with us? someone might spot something wrong. -- Per Jessen, Zürich (12.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 13:32, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-21 13:01, Per Jessen wrote:
Carlos E. R. wrote:
Ideas?
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
Idea#2 - report problem to your beta test support group.
Of course, did that yesterday. No answer.-
Well, we know Telefonica are a bit slow - took them more than ten years to start beta testing ipv6 with customers - maybe check back in a month or two :-)
Oh, you know them that well, eh? :-DDD Took them months since they published the Beta till this week.
Maybe share the firewall rules with us? someone might spot something wrong.
I don't know how to do that. I have this:
https://paste.opensuse.org/7c917032b05e
https://paste.opensuse.org/0967b2472942
The ssh doesn't have a show firewall command that I know of. Only enable or disable. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-21 13:32, Per Jessen wrote:
Maybe share the firewall rules with us? someone might spot something wrong.
I don't know how to do that. I have this:
https://paste.opensuse.org/7c917032b05e https://paste.opensuse.org/0967b2472942
It looks like that WAN_DEFAULT profile/rule ought to mean the router drops anything ipv6, because there aren't any rules to allow anything ipv6. I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting. -- Per Jessen, Zürich (14.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 14:23, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-21 13:32, Per Jessen wrote:
Maybe share the firewall rules with us? someone might spot something wrong.
I don't know how to do that. I have this:
https://paste.opensuse.org/7c917032b05e https://paste.opensuse.org/0967b2472942
It looks like that WAN_DEFAULT profile/rule ought to mean the router drops anything ipv6, because there aren't any rules to allow anything ipv6.
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy. -- Per Jessen, Zürich (12.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I find in this router. It is crap. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I find in this router. It is crap.
Such a complete mismatch doesn't sound like a bug to me. Does your hardware actually match the manual? Your screenshots don't look much like those in the manual either. Maybe your firmware is outdated? -- Per Jessen, Zürich (13.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/21/23 10:00, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I find in this router. It is crap.
Such a complete mismatch doesn't sound like a bug to me. Does your hardware actually match the manual? Your screenshots don't look much like those in the manual either. Maybe your firmware is outdated?
Or maybe the ISP has installed their own firmware? Regards, Lew
On 2023-04-21 19:20, Lew Wolfgang wrote:
On 4/21/23 10:00, Per Jessen wrote:
Carlos E. R. wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
On 2023-04-21 15:32, Per Jessen wrote:
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I've found in this router. It is crap.
Such a complete mismatch doesn't sound like a bug to me. Does your hardware actually match the manual? Your screenshots don't look much like those in the manual either. Maybe your firmware is outdated?
Or maybe the ISP has installed their own firmware?
They certainly do. But we were also reading the wrong manual :-( -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 19:00, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I've found in this router. It is crap.
Such a complete mismatch doesn't sound like a bug to me. Does your hardware actually match the manual? Your screenshots don't look much like those in the manual either. Maybe your firmware is outdated?
Router Web page says:
Device Info
Board ID: GPT-2541GNAC
Symmetric CPU Threads: 2
Build Timestamp: 220106_1651
Software Version: ES_g7.7_100VNJ0b68
Bootloader (CFE) Version: 1.0.41-117.134
Wireless Driver Version: 6.37.14.4803.cpe4.14L04Apatch1.0
Voice Service Version:
Uptime: 64D 3H 45M 26S
A photo of the label confirms: Router Smart WiFi (HGU) GPT-2541GNAC. Hum, that doesn't match the PDF. You were right. Should be this one: <https://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/mitrastar-hgu> Those are small manuals with many colours and little real knowledge, Spanish only. Someone in the forum published the actual manual: <https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/Manual-completo-del-MitraStar-GPT-2541GNAC/td-p/3515196> → <https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf> Which is a draft in English. This manual does match. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 13:42, Carlos E. R. wrote:
Someone in the forum published the actual manual:
<https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/Manual-completo-del-MitraStar-GPT-2541GNAC/td-p/3515196> → <https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
I see it does support Unique Local Addresses (ULA), according to page 53. This will allow you to use the IPv6 equivalent of RFC 1918 addresses. You can then configure your DNS server to provide ULA addresses, instead of relying on a changing prefix. I didn't notice a DNS server in it, but it appears you can say what server to use, so you could create one in Linux and point to it. You'd configure a DNS forwarder on a Linux box.
On Fri, 21 Apr 2023 13:59:06 -0400 James Knott <james.knott@jknott.net> wrote:
On 2023-04-21 13:42, Carlos E. R. wrote:
Someone in the forum published the actual manual:
<https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/Manual-completo-del-MitraStar-GPT-2541GNAC/td-p/3515196> → <https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
I see it does support Unique Local Addresses (ULA), according to page 53. This will allow you to use the IPv6 equivalent of RFC 1918 addresses. You can then configure your DNS server to provide ULA addresses, instead of relying on a changing prefix. I didn't notice a DNS server in it, but it appears you can say what server to use, so you could create one in Linux and point to it. You'd configure a DNS forwarder on a Linux box.
There's another draft manual at https://www.manualslib.com/download/2066469/Mitrastar-Movistar-Gpt-2541gnac.... On page 54 that explicitly says: "Enable DHCPv6 Server "Select this to have the Router act as a DHCPv6 server and pass IPv6 addresses, DNS server and domain name information to DHCPv6 clients." which is why I think it may be a different manual.
On 2023-04-21 14:36, Dave Howorth wrote:
On page 54 that explicitly says:
"Enable DHCPv6 Server "Select this to have the Router act as a DHCPv6 server and pass IPv6 addresses, DNS server and domain name information to DHCPv6 clients."
which is why I think it may be a different manual.
If he has any Android devices, he doesn't want to use DHCPv6. Hopefully, it supports RDNSS in the router advertisements.
James Knott wrote:
On 2023-04-21 14:36, Dave Howorth wrote:
On page 54 that explicitly says:
"Enable DHCPv6 Server "Select this to have the Router act as a DHCPv6 server and pass IPv6 addresses, DNS server and domain name information to DHCPv6 clients."
which is why I think it may be a different manual.
If he has any Android devices, he doesn't want to use DHCPv6.
Hmm, why not - works fine here. You just use _both_ radvd and dhcpv6. -- Per Jessen, Zürich (10.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-22 08:34, Per Jessen wrote:
James Knott wrote:
On 2023-04-21 14:36, Dave Howorth wrote:
On page 54 that explicitly says:
"Enable DHCPv6 Server "Select this to have the Router act as a DHCPv6 server and pass IPv6 addresses, DNS server and domain name information to DHCPv6 clients."
which is why I think it may be a different manual.
If he has any Android devices, he doesn't want to use DHCPv6.
Hmm, why not - works fine here. You just use _both_ radvd and dhcpv6.
Yes, that's what I have and it works. Hum, not today, my phone doesn't get an IPv6 on WiFi. Huh, one phone has it, one phone doesn't. My tablet, which is old, does. An old phone without SIM does. Ok, I disable WiFi, enable it back, on the recalcitrant phone, and it gets IPv6 again. Go figure. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 19:59, James Knott wrote:
On 2023-04-21 13:42, Carlos E. R. wrote:
Someone in the forum published the actual manual:
<https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/Manual-completo-del-MitraStar-GPT-2541GNAC/td-p/3515196> → <https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
I see it does support Unique Local Addresses (ULA), according to page 53. This will allow you to use the IPv6 equivalent of RFC 1918 addresses. You can then configure your DNS server to provide ULA addresses, instead of relying on a changing prefix. I didn't notice a DNS server in it, but it appears you can say what server to use, so you could create one in Linux and point to it. You'd configure a DNS forwarder on a Linux box.
Sorry, I don't understand this at all. Anyway, the current status is the same as in the doc Figure 29:
[X] Enable DHCPv6 Server
(*) Stateless
(*) Obtain IPv6 DNS info from a WAN interface.
[X] Enable RADVD
[X] Enable MLD Snooping
(*) Blocking Mode
Enable MLD LAN to LAN Multicast: Disabled. (LAN to LAN Multicast is enabled until the first WAN service is connected, regardless of this setting.)
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 16:28, Carlos E. R. wrote:
I see it does support Unique Local Addresses (ULA), according to page 53. This will allow you to use the IPv6 equivalent of RFC 1918 addresses. You can then configure your DNS server to provide ULA addresses, instead of relying on a changing prefix. I didn't notice a DNS server in it, but it appears you can say what server to use, so you could create one in Linux and point to it. You'd configure a DNS forwarder on a Linux box.
Sorry, I don't understand this at all.
Earlier you said it didn't support ULA, which it apparently does. This avoids the problem of the changing prefix, when working with local devices. You'd use the ULA address, instead of the global address. I also didn't see anything about a local DNS in that manual, though I could be wrong (yeah, I know, unlikely but it does happen. 😁). If it does support a local DNS server, great. You'd then point the host names at the ULA address. If it doesn't have a local DNS server, then you'd create a DNS forwarder on a Linux box. You'd then configure that gateway with your DNS server address and then point your server at some outside DNS.
On 2023-04-21 22:34, James Knott wrote:
On 2023-04-21 16:28, Carlos E. R. wrote:
I see it does support Unique Local Addresses (ULA), according to page 53. This will allow you to use the IPv6 equivalent of RFC 1918 addresses. You can then configure your DNS server to provide ULA addresses, instead of relying on a changing prefix. I didn't notice a DNS server in it, but it appears you can say what server to use, so you could create one in Linux and point to it. You'd configure a DNS forwarder on a Linux box.
Sorry, I don't understand this at all.
Earlier you said it didn't support ULA, which it apparently does. This avoids the problem of the changing prefix, when working with local devices. You'd use the ULA address, instead of the global address. I also didn't see anything about a local DNS in that manual, though I could be wrong (yeah, I know, unlikely but it does happen. 😁). If it does support a local DNS server, great. You'd then point the host names at the ULA address. If it doesn't have a local DNS server, then you'd create a DNS forwarder on a Linux box. You'd then configure that gateway with your DNS server address and then point your server at some outside DNS.
The router has a DNS cache or forwarder, I think. It is not configurable. I have a local DNS of my own, yes. I don't know how to use those ULA things, I need a howto for dummies somewhere. And I have to find out if that thing interferes with Telefónica's own setup. They reserve for themselves a portion of the IPv4 DHCP addresses, for instance. However, as this is a Beta Test, it is quite possible they pull everything off in a month, and don't redeploy for real for a year or two. So it would not be sane to invest too much time in a setup for now. And without a firewall in place, it is quite possible I pull the plug myself. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-21 20:04, Carlos E. R. wrote:
I don't know how to use those ULA things, I need a howto for dummies somewhere.
And I have to find out if that thing interferes with Telefónica's own setup. They reserve for themselves a portion of the IPv4 DHCP addresses, for instance.
Take a look on page 53 of the English manual. There's a checkbox for Enable ULA Prefix Advertisement. Enable that and Random Generate. That should generate a ULA prefix on your network, in addition to your global prefix. ULA is the IPv6 version of IPv4 RFC1918 addresses and will not interfere with anything your ISP provides. Since you have your own DNS, you can use it to point to the ULA for your devices. When you do that, do not use one of the temporary addresses. Use the consistent one, which is the only one that doesn't say temporary. Here's what ip -6 addr show displays for the consistent ULA on this computer: fd48:1a37:2160:0:76d4:fe5b:35ff:f5fa/64 scope global dynamic mngtmpaddr Find the address that's similar to this to use with the DNS. ULA addresses start with fc or fd. The prefix is determined by whatever appears with that random generation. It will not change until you change it.
On 2023-04-22 03:21, James Knott wrote:
On 2023-04-21 20:04, Carlos E. R. wrote:
I don't know how to use those ULA things, I need a howto for dummies somewhere.
And I have to find out if that thing interferes with Telefónica's own setup. They reserve for themselves a portion of the IPv4 DHCP addresses, for instance.
Take a look on page 53 of the English manual. There's a checkbox for Enable ULA Prefix Advertisement. Enable that and Random Generate. That should generate a ULA prefix on your network, in addition to your global prefix. ULA is the IPv6 version of IPv4 RFC1918 addresses and will not interfere with anything your ISP provides.
Ok, it generates a random prefix. Who generates the "postfix" on each machine? Do they still get the global addresses?
Since you have your own DNS, you can use it to point to the ULA for your devices. When you do that, do not use one of the temporary addresses. Use the consistent one, which is the only one that doesn't say temporary.
Here's what ip -6 addr show displays for the consistent ULA on this computer: fd48:1a37:2160:0:76d4:fe5b:35ff:f5fa/64 scope global dynamic mngtmpaddr
Find the address that's similar to this to use with the DNS. ULA addresses start with fc or fd.
The prefix is determined by whatever appears with that random generation. It will not change until you change it.
Sorry, I don't see the advantage. My machines would get a "fixed" local only address, not routable. I can put those addresses in the DNS, ok. I can address machines on IPv6 by name, ok. Machines also get a global IPv6 address which is accessible from Internet, which I can not write to /etc/hosts or DNS because it changes. I don't see the advantage for accessing local machines on IPv6 by name, intranet only. I already can access the local machines by name on IPv4, thus IPv6 offers no advantage. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Saturday, 2023-04-22 at 11:48 +0200, Carlos E. R. wrote:
On 2023-04-22 03:21, James Knott wrote:
On 2023-04-21 20:04, Carlos E. R. wrote:
I don't know how to use those ULA things, I need a howto for dummies somewhere.
And I have to find out if that thing interferes with Telefónica's own setup. They reserve for themselves a portion of the IPv4 DHCP addresses, for instance.
Take a look on page 53 of the English manual. There's a checkbox for Enable ULA Prefix Advertisement. Enable that and Random Generate. That should generate a ULA prefix on your network, in addition to your global prefix. ULA is the IPv6 version of IPv4 RFC1918 addresses and will not interfere with anything your ISP provides.
Ok, it generates a random prefix. Who generates the "postfix" on each machine?
Do they still get the global addresses?
Ok, I enabled it. I get:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:d8:61:a1:5a:bd brd ff:ff:ff:ff:ff:ff
    altname enp34s0
    inet 192.168.1.14/16 brd 192.168.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fd81:a:b:0:9e5c:300d:c313:5004/64 scope global temporary dynamic
       valid_lft 604741sec preferred_lft 86002sec
    inet6 fd81:a:b:0:2d8:MAC/64 scope global dynamic mngtmpaddr   <====
       valid_lft forever preferred_lft forever
    inet6 2a02:A:B:0:8cfd:1160:9abb:a5e3/64 scope global temporary dynamic
       valid_lft 86394sec preferred_lft 1908sec
    inet6 2a02:A:B:0:bdf0:c597:538c:ccb7/64 scope global temporary deprecated dynamic
       valid_lft 86394sec preferred_lft 0sec
    inet6 2a02:A:B:0:634a:1bd5:5b95:13b6/64 scope global temporary deprecated dynamic
       valid_lft 86394sec preferred_lft 0sec
    inet6 2a02:A:B:0:2d8:MAC/64 scope global dynamic mngtmpaddr
       valid_lft 86394sec preferred_lft 86394sec
    inet6 fe80::2d8:MAC/64 scope link
       valid_lft forever preferred_lft forever
...
I don't see the advantage for accessing local machines on IPv6 by name, intranet only. I already can access the local machines by name on IPv4, thus IPv6 offers no advantage.
-- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On 2023-04-22 05:48, Carlos E. R. wrote:
Ok, it generates a random prefix. Who generates the "postfix" on each machine?
Do they still get the global addresses?
Yes, you get both a global and unique local address. Both get the prefix from the router and the client provides the suffix.
The prefix is determined by whatever appears with that random generation. It will not change until you change it.
Sorry, I don't see the advantage.
The advantage is the prefix does not change for ULA, so that you can configure your DNS to point to those devices. I thought this thread started with you complaining about the changing address. With your ISP, the global prefix changes, but not the ULA prefix.
Machines also get a global IPv6 address which is accessible from Internet, which I can not write to /etc/hosts or DNS because it changes.
This is why I suggested ULA. It doesn't change until YOU change it.
I don't see the advantage for accessing local machines on IPv6 by name, intranet only. I already can access the local machines by name on IPv4, thus IPv6 offers no advantage.
I'm beginning to agree with others, who say it's hard to figure out what you want, as it keeps changing. I give up.
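The two pieces of this exchange, the `ip -6 addr show` listing with its temporary and stable ULA addresses and Per's earlier "accept my prefix, drop the rest" ip6tables rules, fit together in a small script. The following is an added example, not code from the thread: it picks the stable (non-temporary) ULA address out of `ip -6 addr show` output, derives its /64 prefix, and prints host-firewall rules that accept the intranet prefix and drop other unsolicited inbound IPv6. The sample listing is constructed (suffixes are made up), and the extra allow rules for loopback, established connections, ICMPv6 and link-local are my assumption of the "couple of more entries" needed for working IPv6 towards the internet.

```shell
#!/bin/sh
# Added example, not from the thread: pick the stable ULA address out of
# `ip -6 addr show` output, derive its /64 prefix, and print host firewall
# rules that accept the intranet prefix and drop other unsolicited IPv6.

# Constructed sample of `ip -6 addr show eth0` output, modelled on the
# listing posted in the thread (the address suffixes are made up).
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet6 fd81:a:b:0:9e5c:300d:c313:5004/64 scope global temporary dynamic
       valid_lft 604741sec preferred_lft 86002sec
    inet6 fd81:a:b:0:2d8:61ff:fea1:5abd/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 2a02:a:b:0:8cfd:1160:9abb:a5e3/64 scope global temporary dynamic
       valid_lft 86394sec preferred_lft 1908sec
    inet6 2a02:a:b:0:2d8:61ff:fea1:5abd/64 scope global dynamic mngtmpaddr
       valid_lft 86394sec preferred_lft 86394sec
    inet6 fe80::2d8:61ff:fea1:5abd/64 scope link
       valid_lft forever preferred_lft forever'

# is_ula ADDR: succeeds when ADDR lies in fc00::/7, i.e. its first hextet
# starts with fc or fd (a ULA first hextet is always written with 4 digits).
is_ula() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        fc[0-9a-f][0-9a-f]:*|fd[0-9a-f][0-9a-f]:*) return 0 ;;
    esac
    return 1
}

# stable_ula "IP_OUTPUT": print the first inet6 address that has global
# scope, is not a temporary (privacy) address, and is inside fc00::/7.
# The here-document keeps the loop in the current shell so that "return"
# works in both dash and bash.
stable_ula() {
    while read -r kw cidr rest; do
        [ "$kw" = "inet6" ] || continue
        case " $rest " in *" scope global "*) ;; *) continue ;; esac
        case " $rest " in *" temporary "*) continue ;; esac
        addr=${cidr%/*}
        if is_ula "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# prefix64 ADDR: the /64 prefix of ADDR as "h1:h2:h3:h4::/64". A "::" can
# only stand for zero groups following the written left-hand groups, so
# padding the left-hand side with zeros up to four groups is correct.
prefix64() {
    printf '%s\n' "$1" | awk '{
        split($0, halves, "::")
        n = split(halves[1], g, ":")
        out = ""
        for (i = 1; i <= 4; i++) {
            grp = (i <= n && g[i] != "") ? g[i] : "0"
            out = out (i > 1 ? ":" : "") grp
        }
        print out "::/64"
    }'
}

# ip6_rules ADDR: print ip6tables rules in the style suggested earlier in the
# thread: accept everything from our ULA /64, drop the rest. The extra allow
# rules (loopback, replies to our own connections, ICMPv6 for neighbour
# discovery and PMTU, link-local) are my assumption of the "couple of more
# entries" needed to keep IPv6 working towards the internet.
ip6_rules() {
    [ -n "$1" ] || { echo "ip6_rules: no stable ULA address found" >&2; return 1; }
    pfx=$(prefix64 "$1")
    cat <<EOF
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -s $pfx -j ACCEPT
ip6tables -A INPUT -j DROP
EOF
}

# Demo on the constructed sample; on a real host pass "$(ip -6 addr show)".
addr=$(stable_ula "$SAMPLE_IP6") || echo "no stable ULA address" >&2
echo "stable ULA: $addr  prefix: $(prefix64 "$addr")"
ip6_rules "$addr"
```

The script only prints the rules; review them and pipe them to `sh` as root once they match what you intend, since the ULA prefix is the one the router advertised and will stay fixed until you regenerate it.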
On 2023-04-22 14:22, James Knott wrote:
On 2023-04-22 05:48, Carlos E. R. wrote:
Ok, it generates a random prefix. Who generates the "postfix" on each machine?
Do they still get the global addresses?
Yes, you get both a global and unique local address. Both get the prefix from the router and the client provides the suffix.
The prefix is determined by whatever appears with that random generation. It will not change until you change it.
Sorry, I don't see the advantage.
The advantage is the prefix does not change for ULA, so that you can configure your DNS to point to those devices. I thought this thread started with you complaining about the changing address. With your ISP, the global prefix changes, but not the ULA prefix.
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity? Regards, Lew
On 2023-04-22 15:20, Lew Wolfgang wrote:
Security through obscurity?
Security through damn hard to find the target. 😉 As I mentioned, a single LAN has 18.4 billion, billion addresses. With something like nmap, how long would it take to scan through all those addresses? Then again, how do you know that prefix is in use? I get 256 of them from my ISP, but I'm only using a few. Add to that, most of the addresses are temporary, gone within a week. Even if you manage to find one, it won't last long, assuming the firewall is even configured to allow traffic in.
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/22/23 13:26, Carlos E. R. wrote:
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity.
Yes they are, but there are mitigations. There are mitigations for port scanning too, but I doubt if your ISP firewall employs them. Are you not concerned about not having a firewall in place for IPv6? BTW, did you also run a scan with IPv4 just to be sure you're okay there? Regards, Lew
On 2023-04-22 22:56, Lew Wolfgang wrote:
On 4/22/23 13:26, Carlos E. R. wrote:
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity.
Yes they are, but there are mitigations. There are mitigations for port scanning too, but I doubt if your ISP firewall employs them. Are you not concerned about not having a firewall in place for IPv6?
I have a non-working firewall on the ISP provided router.
BTW, did you also run a scan with IPv4 just to be sure you're okay there?
Not recently. And there is NAT. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/22/23 14:05, Carlos E. R. wrote:
On 2023-04-22 22:56, Lew Wolfgang wrote:
On 4/22/23 13:26, Carlos E. R. wrote:
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity.
Yes they are, but there are mitigations. There are mitigations for port scanning too, but I doubt if your ISP firewall employs them. Are you not concerned about not having a firewall in place for IPv6?
I have a non-working firewall on the ISP provided router.
That's exactly why you need one of your own.
BTW, did you also run a scan with IPv4 just to be sure you're okay there?
Not recently. And there is NAT.
Was your IPv6 scan to an IPv4-natted host? Regards, Lew
On 2023-04-23 00:13, Lew Wolfgang wrote:
On 4/22/23 14:05, Carlos E. R. wrote:
On 2023-04-22 22:56, Lew Wolfgang wrote:
On 4/22/23 13:26, Carlos E. R. wrote:
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
> That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity.
Yes they are, but there are mitigations. There are mitigations for port scanning too, but I doubt if your ISP firewall employs them. Are you not concerned about not having a firewall in place for IPv6?
I have a non-working firewall on the ISP provided router.
That's exactly why you need one of your own.
Which, as I have said many times, is nearly impossible, because Telefónica doesn't document the specs (which is against EU rules). I have to reverse engineer the configuration. And if anything ever fails, they don't support me. Not even help.
BTW, did you also run a scan with IPv4 just to be sure you're okay there?
Not recently. And there is NAT.
Was your IPv6 scan to an IPv4-natted host?
Of course not. It was on the IPv6 address. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-22 21:38, Carlos E. R. wrote:
Which, as I have said many times, is nearly impossible, because Telefónica doesn't document the specs (which is against EU rules). I have to reverse engineer the configuration. And if anything ever fails, they don't support me. Not even help.
Have you tried searching? When I search on MitraStar GPT-2541GNAC bridge mode, I get a lot of hits, but they're all in Spanish.
On 2023-04-23 03:58, James Knott wrote:
On 2023-04-22 21:38, Carlos E. R. wrote:
Which, as I have said many times, is nearly impossible, because Telefónica doesn't document the specs (which is against EU rules). I have to reverse engineer the configuration. And if anything ever fails, they don't support me. Not even help.
Have you tried searching? When I search on MitraStar GPT-2541GNAC bridge mode, I get a lot of hits, but they're all in Spanish.
Yes, like this: <https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/HGU-MitraStar-GPT-2541GNAC-modo-bridge/td-p/2900709> They apparently leave the router still serving phone and TV. No mention of how to configure the new router. Here: <https://foros.3dgames.com.ar/threads/1044033-problema-con-el-telefono-al-poner-el-router-en-modo-bridge> there is a user from Argentina that loses phone service after 2 minutes into the phone call. I'll translate the answer: «It is a mitrastar problem. Turff confirmed it to me at the time. It happens here and it happens in Movistar Spain. At least the Spaniards could downgrade to an old firmware version that didn't have this problem... The Askey RTF3505VW that they delivered along with this one has no problem keeping the VOIP session alive in bridge mode. We had the bad luck to get this one. It is not possible to buy an Askey in ML and connect it and that's it, the equipment identifies itself with the network when the optical link is lifted and the thing dies there. If or if it has to be a replacement approved by movistar. I have had the equipment since 2016/2017 they migrated me from ADSL to fiber, never worked this in the different firmware versions over the years. I don't see it changing anytime soon. When I asked to change equipment explaining the problem not long after installation, support told me that this was not a usual configuration (? and since doing a reset and going back to defaults where the equipment takes care of the PPPoE link everything works, no problem, so no reason to change and they can't approve it. So nothing, since I have fiber I use it with the dead VOIP and fuck it. Maybe we have to hit it with a hammer, or throw a bucket of water on it, simulating an accident, and with that excuse ask to change it for the Askey, I don't know. Maybe now they accept it as a reason to change this, we would have to try it.
Translated with www.DeepL.com/Translator (free version)» And several more posts, confirming that with this router in bridge mode they lose phone service, and Telefónica refusing to help. So no thanks, I'm not going to go that route in hell. And much less this being a Beta. They can change something else and make things even worse. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/22/23 18:38, Carlos E. R. wrote:
On 2023-04-23 00:13, Lew Wolfgang wrote:
On 4/22/23 14:05, Carlos E. R. wrote:
On 2023-04-22 22:56, Lew Wolfgang wrote:
On 4/22/23 13:26, Carlos E. R. wrote:
On 2023-04-22 21:20, Lew Wolfgang wrote:
On 4/22/23 12:00, James Knott wrote:
> On 2023-04-22 13:13, Carlos E. R. wrote:
>> That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
>
> IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
Security through obscurity?
Passwords are also obscurity.
Yes they are, but there are mitigations. There are mitigations for port scanning too, but I doubt if your ISP firewall employs them. Are you not concerned about not having a firewall in place for IPv6?
I have a non-working firewall on the ISP provided router.
That's exactly why you need one of your own.
Which, as I have said many times, is nearly impossible, because Telefónica doesn't document the specs (which is against EU rules). I have to reverse engineer the configuration. And if anything ever fails, they don't support me. Not even help.
Just leave the ISP's firewall alone and add your own in front of SW1.
BTW, did you also run a scan with IPv4 just to be sure you're okay there?
Not recently. And there is NAT.
Was your IPv6 scan to an IPv4-natted host?
Of course not. It was on the IPv6 address.
Is the host dual-stacked? Does it also have IPv4 capability? What's doing the natting? The ISP's router? It would be interesting to see the scan and might help to prove a point. Regards, Lew
On 2023-04-22 21:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complain was in another thread. This is about the non working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address, which can be found by reading my posts from the past. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-22 16:27, Carlos E. R. wrote:
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address, which can be found by reading my posts from the past.
The MAC is used only if you configure your computers to use it. Otherwise, a random number is used. Even if the MAC is used, it's not used on any outgoing traffic. Outgoing connections use a privacy address, which is based on a random number and changes daily. The MAC address alone really doesn't get anything. The concern was that they could be used to track a portable device as it moves to different locations. However, since a MAC based address is not used for outgoing connections, that wouldn't happen.
On 2023-04-22 22:35, James Knott wrote:
On 2023-04-22 16:27, Carlos E. R. wrote:
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address, which can be found by reading my posts from the past.
The MAC is used only if you configure your computers to use it. Otherwise, a random number is used.
I configured nothing. All my (openSUSE) machines are apparently using the MAC suffix.
Even if the MAC is used, it's not used on any outgoing traffic. Outgoing connections use a privacy address, which is based on a random number and changes daily
The prefix could be obtained from my email headers, but postfix is using IPv4 still. Combine that with my known MAC, and they can poke at my machine.
The MAC address alone really doesn't get anything. The concern was that they could be used to track a portable device as it moves to different locations. However, since a MAC based address is not used for outgoing connections, that wouldn't happen.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-22 22:35, James Knott wrote:
On 2023-04-22 16:27, Carlos E. R. wrote:
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address, which can be found by reading my posts from the past.
The MAC is used only if you configure your computers to use it. Otherwise, a random number is used.
I configured nothing. All my (openSUSE) machines are apparently using the MAC suffix.
Check out the use_tempaddr setting, /proc/sys/net/ipv6/conf/*/use_tempaddr.
1 - use the EUI-64 (MAC-based) address for outbound traffic.
0 - don't generate a privacy address
2 - use the privacy/random address for outbound traffic.
(okay, that's from memory, better double check).
Even if the MAC is used, it's not used on any outgoing traffic. Outgoing connections use a privacy address, which is based on a random number and changes daily
See above.
The prefix could be obtained from my email headers, but postfix is using IPv4 still.
If your machine has a public ipv6 address and an mx or your relay has ipv6, postfix will use ipv6, unless explicitly disabled. -- Per Jessen, Zürich (15.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-23 11:41, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-22 22:35, James Knott wrote:
On 2023-04-22 16:27, Carlos E. R. wrote:
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address, which can be found by reading my posts from the past.
The MAC is used only if you configure your computers to use it. Otherwise, a random number is used.
I configured nothing. All my (openSUSE) machines are apparently using the MAC suffix.
Check out the use_tempaddr setting, /proc/sys/net/ipv6/conf/*/use_tempaddr.
1 - use the EUI-64 (MAC-based) address for outbound traffic.
0 - don't generate a privacy address
2 - use the privacy/random address for outbound traffic.
(okay, that's from memory, better double check).
cer@Telcontar:~> cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr
1
cer@Telcontar:~> cat /proc/sys/net/ipv6/conf/default/use_tempaddr
1
cer@Telcontar:~>

cer@Isengard:~> cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr
1
cer@Isengard:~> cat /proc/sys/net/ipv6/conf/default/use_tempaddr
1
cer@Isengard:~> cat /proc/sys/net/ipv6/conf/wlan0/use_tempaddr
1
cer@Isengard:~>

My Beta machine has lost the IPv4 address, only has IPv6. I'm not going to type an IPv6 to ssh to it! Clicking on NM, disable network, enable network. ip-addr hangs... the kernel driver hung :-(
I type the command manually, two interfaces are zero, two are one, one is -1. eth and wlan are zero. Still no network.
That's the new laptop, I left it running for days, and IPv4 died.
Even if the MAC is used, it's not used on any outgoing traffic. Outgoing connections use a privacy address, which is based on a random number and changes daily
See above.
The prefix could be obtained from my email headers, but postfix is using IPv4 still.
If your machine has a public ipv6 address and an mx or your relay has ipv6, postfix will use ipv6, unless explicitly disabled.
cer@Telcontar:~> host smtp.telefonica.net
smtp.telefonica.net has address 86.109.99.70
cer@Telcontar:~>
cer@Telcontar:~> host smtp.gmx.es
smtp.gmx.es is an alias for smtp.gmx.com.
smtp.gmx.com is an alias for mail.gmx.com.
mail.gmx.com has address 212.227.17.184
mail.gmx.com has address 212.227.17.174
cer@Telcontar:~>

gmail does have IPv6. I'll have to send myself an email using gmail.
[...]
Confirmed, it used IPv6. And the received headers do contain my IPv6, the "scope global dynamic mngtmpaddr", ie, the one with my MAC. Bingo. :-(
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
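The last few messages make a concrete claim: with SLAAC and no privacy extensions, the interface identifier is the MAC with ff:fe in the middle, so anyone who knows the prefix (from a mail header) and the MAC (from an old post) can compute the host address; and with use_tempaddr=1 the kernel generates temporary addresses but still prefers the EUI-64 one for outbound connections, which is why the gmail headers showed it. The following Python is an added example to make that check reproducible; it is not code from the thread. The prefix 2001:db8:1:2::/64 and the MAC 00:11:22:33:44:55 are constructed placeholders, and the function names are my own.

```python
import ipaddress
from typing import Optional

# Constructed sample values, not taken from the thread: the RFC 3849
# documentation prefix and a made-up MAC address.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:11:22:33:44:55"

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A):
    split the 48-bit MAC in the middle, insert ff:fe, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host forms by SLAAC without privacy extensions:
    the announced /64 prefix plus the EUI-64 identifier. Prefix + MAC is
    all an attacker needs to target the host in a /64 nobody can scan."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC when the interface identifier is EUI-64 shaped
    (ff:fe in octets 11-12). Temporary/random identifiers return None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str) -> str:
    """Scope class that a host firewall rule would key on."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local (ULA)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def describe_use_tempaddr(value: int) -> str:
    """Meaning of /proc/sys/net/ipv6/conf/<if>/use_tempaddr, per the kernel's
    Documentation/networking/ip-sysctl.rst (-1 is the default for lo and
    point-to-point interfaces)."""
    if value <= 0:
        return "privacy extensions disabled: only the EUI-64 address is used"
    if value == 1:
        return ("temporary addresses are generated, but the public (EUI-64) "
                "address is preferred for outbound connections")
    return "temporary addresses are generated and preferred for outbound connections"


def read_use_tempaddr(iface: str) -> int:
    """Read the live setting; only meaningful on a Linux host."""
    with open(f"/proc/sys/net/ipv6/conf/{iface}/use_tempaddr") as f:
        return int(f.read().strip())


if __name__ == "__main__":
    addr = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(addr, classify(addr), mac_from_address(addr))
    for v in (-1, 0, 1, 2):
        print(v, describe_use_tempaddr(v))
```

To stop the address from being computable, set use_tempaddr to 2 (temporary address preferred outbound) and, for the stable address itself, use a stable-privacy identifier (addr_gen_mode=2 under the same sysctl tree) instead of EUI-64; mac_from_address() returning None for every global address is the quick check that both are in effect. Neither replaces a firewall: the stable address still answers on whatever ports are listening.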
On 22.04.2023 23:27, Carlos E. R. wrote:
On 2023-04-22 21:00, James Knott wrote:
On 2023-04-22 13:13, Carlos E. R. wrote:
That complaint was in another thread. This is about the non-working firewall in the router, which leaves my entire LAN accessible to Internet at large.
IPv6 has a security advantage in that with such a huge address space, it's extremely difficult for an attacker to find anything to attack. For example, you have a /64 prefix, which is 18.2 billion, billion addresses. This is the entire IPv4 address space squared. Out of that you will have at most a few dozen addresses. An attacker can scan all day, every day and not find anything. In contrast, with IPv4, it's not hard to find a target.
It is not that difficult. The suffix is the MAC address,
Not by default which is demonstrated by your own previous posts.
Carlos E. R. wrote: <https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
At least it does mention ipv6, but the general profile doesn't seem to have an ipv4/ipv6 setting. It doesn't have to, but in your case the default doesn't block any ipv6. It is slightly worrying when the manual says "source ipv6 address: enter the source ipv6 address in the dotted decimal notation". :-) Any answer from the beta test support yet? -- Per Jessen, Zürich (11.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-21 20:25, Per Jessen wrote:
Carlos E. R. wrote:
<https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
At least it does mention ipv6, but the general profile doesn't seem to have an ipv4/ipv6 setting. It doesn't have to, but in your case the default doesn't block any ipv6.
It is slightly worrying when the manual says "source ipv6 address: enter the source ipv6 address in the dotted decimal notation". :-)
Ah, yes, dotted decimals, yes. Right. I was worried by something else: how do I find the source ipv6 address?
Any answer from the beta test support yet?
Nope. And it is Friday. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-21 20:25, Per Jessen wrote:
Carlos E. R. wrote:
<https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
At least it does mention ipv6, but the general profile doesn't seem to have an ipv4/ipv6 setting. It doesn't have to, but in your case the default doesn't block any ipv6.
It is slightly worrying when the manual says "source ipv6 address: enter the source ipv6 address in the dotted decimal notation". :-)
Ah, yes, dotted decimals, yes. Right.
I was worried by something else: how do I find the source ipv6 address?
Dunno - it is just an option for a rule, most often not needed.
Any answer from the beta test support yet?
Nope. And it is Friday.
Yeah. Perhaps also not the easiest question to answer. -- Per Jessen, Zürich (9.9°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-22 08:32, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-21 20:25, Per Jessen wrote:
Carlos E. R. wrote:
<https://dl.dropboxusercontent.com/s/bus4tdsp4xz3592/MitraStar%20GPT-2541GNAC%20Users%20Manual.pdf>
Which is a draft in English. This manual does match.
At least it does mention ipv6, but the general profile doesn't seem to have an ipv4/ipv6 setting. It doesn't have to, but in your case the default doesn't block any ipv6.
It is slightly worrying when the manual says "source ipv6 address: enter the source ipv6 address in the dotted decimal notation". :-)
Ah, yes, dotted decimals, yes. Right.
I was worried by something else: how do I find the source ipv6 address?
Dunno - it is just an option for a rule, most often not needed.
Any answer from the beta test support yet?
Nope. And it is Friday.
Yeah. Perhaps also not the easiest question to answer.
Someone else posted a problem, that his router doesn't get IPv6 if the local IPv4 range is not 192.168.1.1/24. Apparently he sent an email and a forum post. Finally they said that they (Telefónica) had already contacted the manufacturer about this, but told not the client. Well, contacting the manufacturer is perfect, but do tell us, acknowledge it! -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/21/2023 12:53 PM, Carlos E. R. wrote:
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I find in this router. It is crap.
Sorry to be nosing in without having followed from the start, but, is that the ISP supplied router? I doubt my question as they normally do not allow end users to have administrative access.
- if it is the ISP router, can it not be set to "bridge" mode and put in your own router between it and your LAN?
- if it is not their router, why not change it?
On 2023-04-22 20:51, joe a wrote:
On 4/21/2023 12:53 PM, Carlos E. R. wrote:
On 2023-04-21 15:32, Per Jessen wrote:
Carlos E. R. wrote:
I would be tempted to edit the WAN_DEFAULT rule, just to see if it has an ipv4/ipv6 setting.
No such luck: https://paste.opensuse.org/5b464334c8fa
Odd - looking in the manual, page 99, there clearly is an ipv4/ipv6 setting for the default policy.
Not the first bug I find in this router. It is crap.
Sorry to be nosing in without having followed from the start, but, is that the ISP supplied router?
Yes.
I doubt my question as they normally do not allow end users to have administrative access.
We do have access, yes. We have to click somewhere to absolve the ISP of blame.
- if it is the ISP router, can it not be set to "bridge" mode and put in your own router between it and your LAN?
That could be a possibility, when this Beta phase ends and they finally deploy IPv6. But it is a real pain in the ass, because they do not publish the specs (which is against EU law), and I would have to cover all services properly on my own. If something stops working, they would refuse to do anything (not even advice). After the Beta, I can request change of router because this one is broken. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/22/2023 4:33 PM, Carlos E. R. wrote:
On 2023-04-22 20:51, joe a wrote:
. . .
That could be a possibility, when this Beta phase ends and they finally deploy IPv6. But it is a real pain in the ass, because they do not publish the specs (which is against EU law), and I would have to cover all services properly on my own. If something stops working, they would refuse to do anything (not even advice).
After the Beta, I can request change of router because this one is broken.
Ah, I missed the Beta part. "I plead infirmity of years".
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router a) default is to accept everything b) firewall policy and rules are per-interface What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1 https://paste.opensuse.org/36375d7206e5 -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 22.04.2023 13:03, Carlos E. R. wrote:
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1
How did you test that firewall does not work?
On 2023-04-22 17:39, Andrei Borzenkov wrote:
On 22.04.2023 13:03, Carlos E. R. wrote:
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1
How did you test that firewall does not work?
I sshed to the machine of a friend, and from there I sshed to two machines inside my LAN. One of them is (intentionally) accessible via IPv4 on a high port, which the router translates to 22. But on IPv6, both machines are accessible on 22, no translation on the router.

Another friend did an nmap on my machine from his house:

office24:~ # nmap -6 -p1-65535 2a02:...
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 08:16 CEST
Nmap scan report for 2a02:....customerbaf.ipv6.rima-tde.net (2a02:...)
Host is up (0.060s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
111/tcp   open   rpcbind
443/tcp   closed https
2049/tcp  open   nfs
12854/tcp closed unknown
20048/tcp open   mountd
38000/tcp closed unknown
40000/tcp closed unknown
50000/tcp open   unknown

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/22/23 10:18, Carlos E. R. wrote:
On 2023-04-22 17:39, Andrei Borzenkov wrote:
On 22.04.2023 13:03, Carlos E. R. wrote:
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1
How did you test that firewall does not work?
I sshed to the machine of a friend, and from there I sshed to two machines inside my LAN.
One of them is (intentionally) accessible via IPv4 on a high port, which the router translates to 22. But on IPv6, both machines are accessible on 22, no translation on the router. Another friend did an nmap on my machine from his house:
office24:~ # nmap -6 -p1-65535 2a02:...
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 08:16 CEST
Nmap scan report for 2a02:....customerbaf.ipv6.rima-tde.net (2a02:...)
Host is up (0.060s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
111/tcp   open   rpcbind
443/tcp   closed https
2049/tcp  open   nfs
12854/tcp closed unknown
20048/tcp open   mountd
38000/tcp closed unknown
40000/tcp closed unknown
50000/tcp open   unknown
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong? I remember when I first started using SuSE 5.2, the firewall documentation was in German. So I didn't set up the firewall right away, and darned if I didn't get pwned through a mountd vulnerability. I noticed it right away, so no damage, but still. You at least limit NFS mounts with entries in /etc/exports, right? Why don't you get a cheap firewall appliance and put it between your ISP's router and SW1? Regards, Lew
On 2023-04-22 21:24, Lew Wolfgang wrote:
On 4/22/23 10:18, Carlos E. R. wrote:
On 2023-04-22 17:39, Andrei Borzenkov wrote:
On 22.04.2023 13:03, Carlos E. R. wrote:
On 2023-04-22 08:46, Andrei Borzenkov wrote:
On 21.04.2023 12:16, Carlos E. R. wrote:
Why not just set up the ipv6 firewall in your router?
It is set. Doesn't work.
According to documentation for your router
a) default is to accept everything b) firewall policy and rules are per-interface
What makes you think the same interface (ppp0.1 on your screenshots) is used for both IPv4 and IPv6? Find out how your router is configured, what interfaces are there, what addresses they have, what route entries there are. Then it is possible to make an educated guess how to configure the firewall.
Both IPv4 and IPv6 enter via ppp0.1
How did you test that firewall does not work?
I sshed to the machine of a friend, and from there I sshed to two machines inside my LAN.
One of them is (intentionally) accessible via IPv4 on a high port, which the router translates to 22. But on IPv6, both machines are accessible on 22, no translation on the router. Another friend did an nmap on my machine from his house:
office24:~ # nmap -6 -p1-65535 2a02:...
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 08:16 CEST
Nmap scan report for 2a02:....customerbaf.ipv6.rima-tde.net (2a02:...)
Host is up (0.060s latency).
Not shown: 65524 filtered tcp ports (no-response)
PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
111/tcp   open   rpcbind
443/tcp   closed https
2049/tcp  open   nfs
12854/tcp closed unknown
20048/tcp open   mountd
38000/tcp closed unknown
40000/tcp closed unknown
50000/tcp open   unknown
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it. And the router firewall is faulty.
I remember when I first started using SuSE 5.2, the firewall documentation was in German. So I didn't set up the firewall right away, and darned if I didn't get pwned through a mountd vulnerability. I noticed it right away, so no damage, but still.
You at least limit NFS mounts with entries in /etc/exports, right?
Yes.
Why don't you get a cheap firewall appliance and put it between your ISP's router and SW1?
Because it is a Beta. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-22 16:37, Carlos E. R. wrote:
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it.
You can configure your firewall to allow only ULA addresses. I used to run a firewall with SUSE firewall, before I switched to pfSense.
On 2023-04-22 22:46, James Knott wrote:
On 2023-04-22 16:37, Carlos E. R. wrote:
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it.
You can configure your firewall to allow only ULA addresses. I used to run a firewall with SUSE firewall, before I switched to pfSense.
Do you know how?

cer@Telcontar:~> grep ULA /etc/sysconfig/SuSEfirewall2
cer@Telcontar:~>

I have already sent an email to my ISP requesting out of the Beta, stop IPv6 service.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
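James's suggestion (accept only LAN-scoped sources on each host) and Per's earlier ip6tables pair (accept your prefix, drop the rest) run into the problem the thread opened with: the delegated prefix is dynamic, so it cannot be hard-coded. The script below is an added example, not code from the thread or from SuSEfirewall2/firewalld: it reads the prefix from the host's own addresses (`ip -j -6 addr show` JSON) and emits the INPUT chain, with the extra rules Per alluded to so that outbound IPv6 keeps working. The JSON sample is constructed, the function names are mine, and running it from a NetworkManager dispatcher hook so it re-fires when the prefix changes is an assumption about deployment, not something the thread describes.

```python
import ipaddress
import json

UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")

# Constructed sample of `ip -j -6 addr show` output (not captured from any
# machine in the thread): a SLAAC address and a temporary address in the
# same delegated /64, plus the link-local address.
SAMPLE_IP_JSON = json.dumps([
    {"ifindex": 1, "ifname": "lo", "addr_info": [
        {"family": "inet6", "local": "::1", "prefixlen": 128, "scope": "host"}]},
    {"ifindex": 2, "ifname": "eth0", "addr_info": [
        {"family": "inet6", "local": "2001:db8:1:2:211:22ff:fe33:4455",
         "prefixlen": 64, "scope": "global"},
        {"family": "inet6", "local": "2001:db8:1:2:5d3e:3a9c:8b11:e5f",
         "prefixlen": 64, "scope": "global"},
        {"family": "inet6", "local": "fe80::211:22ff:fe33:4455",
         "prefixlen": 64, "scope": "link"}]},
])


def learned_prefixes(ip_json_text: str) -> list:
    """On-link global prefixes the host currently holds. ULA addresses also
    show scope 'global' in ip(8) output but are covered by a fixed rule, so
    they are skipped; /128 addresses carry no usable on-link prefix."""
    found = set()
    for link in json.loads(ip_json_text):
        for ai in link.get("addr_info", []):
            if ai.get("family") != "inet6" or ai.get("scope") != "global":
                continue
            net = ipaddress.IPv6Network(f"{ai['local']}/{ai['prefixlen']}", strict=False)
            if net.prefixlen == 128 or net.network_address in UNIQUE_LOCAL:
                continue
            found.add(str(net))
    return sorted(found)


def build_ip6tables_rules(prefixes, public_tcp_ports=()) -> list:
    """Host INPUT chain: LAN sources (link-local, ULA, learned prefix) get
    everything, the Internet gets only replies, the ICMPv6 error types
    PMTUD depends on, and the TCP ports deliberately published."""
    rules = [
        "ip6tables -P INPUT DROP",
        "ip6tables -F INPUT",
        "ip6tables -A INPUT -i lo -j ACCEPT",
        "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Neighbour discovery (RS/RA/NS/NA) comes from link-local sources and
        # is covered by the fe80::/10 rule; types 1-4 (dest-unreachable,
        # packet-too-big, time-exceeded, parameter-problem) must be accepted
        # from anywhere or path MTU discovery breaks. Echo request (128) is
        # deliberately not opened to the Internet.
        *[f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT"
          for t in (1, 2, 3, 4)],
        "ip6tables -A INPUT -s fe80::/10 -j ACCEPT",
        "ip6tables -A INPUT -s fc00::/7 -j ACCEPT",
    ]
    rules += [f"ip6tables -A INPUT -s {p} -j ACCEPT" for p in prefixes]
    rules += [f"ip6tables -A INPUT -p tcp --dport {port} --syn -j ACCEPT"
              for port in public_tcp_ports]
    rules.append("ip6tables -A INPUT -j DROP")
    return rules


def ruleset_for(ip_json_text: str, public_tcp_ports=()) -> list:
    return build_ip6tables_rules(learned_prefixes(ip_json_text), public_tcp_ports)


if __name__ == "__main__":
    # On a real host replace SAMPLE_IP_JSON with the output of
    # subprocess.run(["ip", "-j", "-6", "addr", "show"], capture_output=True).
    print("\n".join(ruleset_for(SAMPLE_IP_JSON, public_tcp_ports=(22,))))
```

Two caveats. A rule keyed on the public /64 trusts a source address that any Internet host can forge; it is enough to stop the connection-oriented services in the nmap listing (a spoofed SYN gets no usable reply), but for UDP services such as NFS, rpcbind and DNS the stronger choice is what James suggested: give the LAN hosts ULA addresses and trust only fc00::/7 and fe80::/10, which never change when the router reboots. And the rules above are the raw ip6tables form Per used; with firewalld the equivalent is to add those source ranges to a zone that allows the intranet services (`firewall-cmd --zone=<zone> --add-source=fc00::/7`) and leave the public zone with only what should be reachable from outside.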
On 2023-04-22 16:52, Carlos E. R. wrote:
Do you know how?
Chapter 7 in the manual is all about setting up rules. For example, I see source IPv6 address and prefix length. I would expect that would be what you need. With firewalls, the default should be to block all and a rule ahead of it would allow what you want.
On 2023-04-23 04:21, James Knott wrote:
On 2023-04-22 16:52, Carlos E. R. wrote:
Do you know how?
Chapter 7 in the manual is all about setting up rules. For example, I see source IPv6 address and prefix length. I would expect that would be what you need. With firewalls, the default should be to block all and a rule ahead of it would allow what you want.
It already has a rule to block all, and it doesn't. https://paste.opensuse.org/pastes/36375d7206e5 -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
I have already sent an email to my ISP requesting out of the Beta, stop IPv6 service.
Problem solved then :-) -- Per Jessen, Zürich (13.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/22/23 13:37, Carlos E. R. wrote:
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it.
Wait, I believe that SuSEfirewall2 is IPv6 aware. Please correct me if I'm wrong.
And the router firewall is faulty.
That's why you need your own, even after the beta period ends. Regards, Lew
On 2023-04-22 23:18, Lew Wolfgang wrote:
On 4/22/23 13:37, Carlos E. R. wrote:
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it. I can change to firewalld, but I don't know if it is better in this respect, or how to coach it.
Wait, I believe that SuSEfirewall2 is IPv6 aware. Please correct me if I'm wrong.
I suppose it is.
And the router firewall is faulty.
That's why you need your own, even after the beta period ends.
Again, and thousand times again, it is nearly impossible. I'm getting tired of saying that. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
And the router firewall is faulty.
That's why you need your own, even after the beta period ends.
Again, and thousand times again, it is nearly impossible. I'm getting tired of saying that.
I think Lew meant your own firewall, not your own router. Of course, there is always a bit more effort involved when you roll-your-own. -- Per Jessen, Zürich (12.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/23/23 00:15, Per Jessen wrote:
Carlos E. R. wrote:
And the router firewall is faulty.
That's why you need your own, even after the beta period ends.
Again, and thousand times again, it is nearly impossible. I'm getting tired of saying that.
I think Lew meant your own firewall, not your own router. Of course, there is always a bit more effort involved when you roll-your-own.
Certainly true, but it's better than trusting an incompetent ISP. Regards, Lew
On 2023-04-23 09:15, Per Jessen wrote:
Carlos E. R. wrote:
And the router firewall is faulty.
That's why you need your own, even after the beta period ends.
Again, and thousand times again, it is nearly impossible. I'm getting tired of saying that.
I think Lew meant your own firewall, not your own router. Of course, there is always a bit more effort involved when you roll-your-own.
And where do I put that firewall? In a new router, purchased and maintained by me? That's a huge problem! They don't document the router specs. /I/ would have to support myself, for phone service, TV service, and internet service! ANY ISSUE I get with Telefónica would be met with NO SUPPORT, you are on your own! DAMN IT!

All that to test a Beta. What do I do when they roll IPv6 for final in a different way? Reverse engineer it?

Now look at the biggest local provider of computer hardware. Routers section:
https://www.pccomponentes.com/routers
It is in Spanish, so use Google Translate, or just look at the "Conectividad" table on the left. Do you see any one listing "fibra" (fibre)? THERE ARE NO FIBER ROUTERS ON SALE!

I would have to buy two things, the ONT and a router. Two purchases. For example:
"Ubiquiti Spain Networks UFiber Nano G - Punto de Acceso (1000 Mbit/s, 2,488 Gbit/s, 77 x 77 x 28 mm, 110 g, 7 W, -10-45 °C)", 81€
"AVM FRITZBox 6890 LTE International - Modem Router LTE, VDSL, ADSL2, WiFi AC MU-MIMO, Mesh, WAN Gigabit, 4 x LAN Gigabit, USB 3.0, centralita telefónica, Base DECT, Interfaz en Español, Blanco/Rojo", 400€
https://www.amazon.es/dp/B076KHSXTB
https://www.amazon.es/dp/B077Z481SC
<https://www.compartirwifi.com/blog/como-sustituir-o-reemplazar-el-router-hgu-de-movistar-y-o2-por-otro-router-neutro-mas-potente-configuracion-manual-tutorial/>

So, a total of 500€ and no guarantee of success.

Or perhaps another router, leaving the Telefónica one in bridge mode, but maybe still serving the TV and the phone. I see in the Beta forum people that do that and are stuck with no IPv6, no answers from Telefónica, only from other people.

NO THANK YOU. :-/
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-23 09:15, Per Jessen wrote:
Carlos E. R. wrote:
And the router firewall is faulty.
That's why you need your own, even after the beta period ends.
Again, and thousand times again, it is nearly impossible. I'm getting tired of saying that.
I think Lew meant your own firewall, not your own router. Of course, there is always a bit more effort involved when you roll-your-own.
And where do I put that firewall? In a new router, purchased and maintained by me?
Well, any box with two interfaces will do. Plenty of small inexpensive boards for that sort of thing. There is probably even a Raspi with two interfaces.
That's a huge problem!
Hardly huge. It's a bit of effort, yes.
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
/I/ would have to support myself, for phone service, TV service, and internet service! ANY ISSUE I get with telefónica would be met with NO SUPPORT, you are on your own!
You have totally misread what people have been suggesting.
All that to test a Beta.
Yes and no. It is also an exercise for yourself, to gain experience and familiarity with such a setup. It will also be useful once Telefonica goes live with their ipv6 setup. [snip 45 lines of huffing and puffing] -- Per Jessen, Zürich (17.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge and it requires at least user/password. Details on L2 (VLAN numbers etc) are also provider dependent. Even if the equipment is capable of working in bridge mode, details on how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here. You get zero support if you deviate from the default setup. Not because they are evil, but because they do not want to invest in supporting it (and it *does* require resources and hence money) and so nobody knows how to set it up and even less how to troubleshoot it. Actually, private customers get zero guarantees about anything; at most you could try to get a refund for the period of total outage.
On 2023-04-23 14:23, Andrei Borzenkov wrote:
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge and it requires at least user/password. Details on L2 (VLAN numbers etc) are also provider dependent. Even if the equipment is capable of working in bridge mode, details on how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here. You get zero support if you deviate from the default setup. Not because they are evil, but because they do not want to invest in supporting it (and it *does* require resources and hence money) and so nobody knows how to set it up and even less how to troubleshoot it. Actually, private customers get zero guarantees about anything; at most you could try to get a refund for the period of total outage.
Exactly. Apparently the trick is to bridge only the ppp0.1 interface, leaving voip0.2 and voip0.3: <https://comunidad.movistar.es/t5/Soporte-Fibra-y-ADSL/HGU-MitraStar-GPT-2541GNAC-modo-bridge/td-p/2900709> But I found reports that setting my router in bridge mode makes it fail for phone service (see the post "Telefonica router in bridge mode: no way in hell!" for references): <https://foros.3dgames.com.ar/threads/1044033-problema-con-el-telefono-al-poner-el-router-en-modo-bridge> I also found references saying that TV service gets disrupted or problematic. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Andrei Borzenkov wrote:
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge, and it requires at least a user/password. Details on L2 (VLAN numbers etc.) are also provider dependent. Even if the equipment is capable of working in bridge mode, details of how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here.
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially". -- Per Jessen, Zürich (18.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-23 15:45, Per Jessen wrote:
Andrei Borzenkov wrote:
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge, and it requires at least a user/password. Details on L2 (VLAN numbers etc.) are also provider dependent. Even if the equipment is capable of working in bridge mode, details of how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here.
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now. I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-23 15:45, Per Jessen wrote:
Andrei Borzenkov wrote:
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge, and it requires at least a user/password. Details on L2 (VLAN numbers etc.) are also provider dependent. Even if the equipment is capable of working in bridge mode, details of how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here.
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
I don't think you are listening, but I'm getting tired of saying it. Nobody is suggesting you replace your Mitrastar with a router of your own. Me, I initially (March 2012) had some Zyxel fibre modem, it is still sat on a wall in my lab, but it was replaced by a Mikrotik when I changed my uplink provider. -- Per Jessen, Zürich (18.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-23 15:56, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-23 15:45, Per Jessen wrote:
Andrei Borzenkov wrote:
On 23.04.2023 15:06, Per Jessen wrote: ...
They don't document the router specs.
You don't need them for this box. Your Mitrastar router stays where it is and essentially becomes a bridge.
You need to establish a PPPoE connection over this bridge, and it requires at least a user/password. Details on L2 (VLAN numbers etc.) are also provider dependent. Even if the equipment is capable of working in bridge mode, details of how to set up the ONT itself and how to use it to actually establish the connection are not there. This is exactly the same situation as with most providers here.
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
I don't think you are listening, but I'm getting tired of saying it.
Nobody is suggesting you replace your Mitrastar with a router of your own.
No, you are saying to put a second machine acting as firewall in between. The original router is set in bridge mode. And I am saying that even in this role the Telefónica router is still a disaster and kills phone service. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Op zondag 23 april 2023 15:49:36 CEST schreef Carlos E. R.:
On 2023-04-23 15:45, Per Jessen wrote:
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
At my age of 80 I replaced the fiber modem with a FritzBox 5530 and I am very pleased. It has a sophisticated firewall for both IPv4 and IPv6, which is standard completely closed from the outside. AVM, the manufacturer, was very helpful in configuring the modem for my supplier. -- fr.gr. member openSUSE Freek de Kruijf
On 2023-04-23 17:05, Freek de Kruijf wrote:
Op zondag 23 april 2023 15:49:36 CEST schreef Carlos E. R.:
On 2023-04-23 15:45, Per Jessen wrote:
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
At my age of 80 I replaced the fiber modem with a FritzBox 5530 and I am very pleased. It has a sophisticated firewall for both IPv4 and IPv6, which is standard completely closed from the outside. AVM, the manufacturer, was very helpful in configuring the modem for my supplier.
Even the main/bigger computer supplier of the area doesn't sell routers designed to replace the Telefónica fibre router. If there were a company supplying such hardware and doing support, I would think of it fast. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-23 17:05, Freek de Kruijf wrote:
Op zondag 23 april 2023 15:49:36 CEST schreef Carlos E. R.:
On 2023-04-23 15:45, Per Jessen wrote:
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
At my age of 80 I replaced the fiber modem with a FritzBox 5530 and I am very pleased. It has a sophisticated firewall for both IPv4 and IPv6, which is standard completely closed from the outside. AVM, the manufacturer, was very helpful in configuring the modem for my supplier.
Even the main/bigger computer supplier of the area doesn't sell routers designed to replace the Telefónica fibre router.
I think it is highly unlikely that anyone does. No matter how poor the Mitrastar router may be, there is probably little to no demand for replacing it. AVM doesn't sell "routers designed to replace <anything>" nor does Zyxel, they design/manufacture/sell _standard_ equipment.
If there were a company supplying such hardware and doing support, I would think of it fast.
Above, Freek suggested that AVM was such a company :-) AVM does have a good reputation in general. -- Per Jessen, Zürich (10.3°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
Op maandag 24 april 2023 08:42:08 CEST schreef Per Jessen:
Carlos E. R. wrote:
On 2023-04-23 17:05, Freek de Kruijf wrote:
Op zondag 23 april 2023 15:49:36 CEST schreef Carlos E. R.:
On 2023-04-23 15:45, Per Jessen wrote:
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
At my age of 80 I replaced the fiber modem with a FritzBox 5530 and I am very pleased. It has a sophisticated firewall for both IPv4 and IPv6, which is standard completely closed from the outside. AVM, the manufacturer, was very helpful in configuring the modem for my supplier.
Even the main/bigger computer supplier of the area doesn't sell routers designed to replace the Telefónica fibre router.
I think it is highly unlikely that anyone does. No matter how poor the Mitrastar router may be, there is probably little to no demand for replacing it. AVM doesn't sell "routers designed to replace <anything>" nor does Zyxel, they design/manufacture/sell _standard_ equipment.
If there were a company supplying such hardware and doing support, I would think of it fast.
Above, Freek suggested that AVM was such a company :-) AVM does have a good reputation in general.
At least in The Netherlands ISPs need to allow and support the use of modems owned by the client. I believe this is even a requirement in the EU. The support means that they must provide information needed to configure the modem for access to the network of the ISP. -- fr.gr. member openSUSE Freek de Kruijf
Freek de Kruijf wrote:
Op maandag 24 april 2023 08:42:08 CEST schreef Per Jessen:
Carlos E. R. wrote:
If there were a company supplying such hardware and doing support, I would think of it fast.
Above, Freek suggested that AVM was such a company :-) AVM does have a good reputation in general.
At least in The Netherlands ISPs need to allow and support the use of modems owned by the client. I believe this is even a requirement in the EU. The support means that they must provide information needed to configure the modem for access to the network of the ISP.
The same here in Switzerland - for about twenty years. I also think it is an EU regulation, it is part of telecomms liberalisation. AFAIU, the provider is in charge of everything up until the housewall. [1]

Since 2001, I have had four providers - Swisscom, Solnet, iWay and now Init7. None have imposed any hardware, although all have offered it. For the fibre access with iWay and Init7 I accepted the proposed hardware - first Zyxel, later Mikrotik. As Carlos has explained to us at length, it is clearly very different in Spain.

[1] Around 2004, I ordered four new ISDN lines for my new office - Swisscom turned up with three guys and a digger. They dug a narrow trench in our vegetable garden, then put a small box on the wall and wired it up. "The rest is up to you, bye".

-- Per Jessen, Zürich (13.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-24 10:17, Freek de Kruijf wrote:
Op maandag 24 april 2023 08:42:08 CEST schreef Per Jessen:
Carlos E. R. wrote:
On 2023-04-23 17:05, Freek de Kruijf wrote:
Op zondag 23 april 2023 15:49:36 CEST schreef Carlos E. R.:
On 2023-04-23 15:45, Per Jessen wrote:
Well, between 2006 and 2012, I used two, maybe three ADSL routers/modems (before we switched to fibre) - granted, they were all Zyxel, but they had the option of just enabling rfc1483 bridging. I obviously have little to no idea what may or may not be possible with Carlos' Mitrastar, hence I added "essentially".
Yes, that was then, this is now.
I also replaced Telefónica ADSL router with my own. I'm not doing that on fibre, it is too scary (google confirms) and I want a tranquil old age. >:-)
At my age of 80 I replaced the fiber modem with a FritzBox 5530 and I am very pleased. It has a sophisticated firewall for both IPv4 and IPv6, which is standard completely closed from the outside. AVM, the manufacturer, was very helpful in configuring the modem for my supplier.
Even the main/bigger computer supplier of the area doesn't sell routers designed to replace the Telefónica fibre router.
I think it is highly unlikely that anyone does. No matter how poor the Mitrastar router may be, there is probably little to no demand for replacing it. AVM doesn't sell "routers designed to replace <anything>" nor does Zyxel, they design/manufacture/sell _standard_ equipment.
Well, with ADSL they did. The router I bought back then had a wizard that asked what ISP I had, and configured itself accordingly. But even if they don't do autoconfiguration, the hardware itself does not exist. It has to be a router with a fibre input. It must have WiFi, support VoIP and have a phone output, and the typical ethernet outputs. There exists a combination of ONT and Router, and my searches found it is a 500€ deployment! So pay that and risk it doesn't work any day.
If there were a company supplying such hardware and doing support, I would think of it fast.
Above, Freek suggested that AVM was such a company :-) AVM does have a good reputation in general.
At least in The Netherlands ISPs need to allow and support the use of modems owned by the client. I believe this is even a requirement in the EU. The support means that they must provide information needed to configure the modem for access to the network of the ISP.
They do allow it, but they do not help AT ALL. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-24 10:17, Freek de Kruijf wrote:
Op maandag 24 april 2023 08:42:08 CEST schreef Per Jessen:
Carlos E. R. wrote:
On 2023-04-23 17:05, Freek de Kruijf wrote: Even the main/bigger computer supplier of the area doesn't sell routers designed to replace the Telefónica fibre router.
I think it is highly unlikely that anyone does. No matter how poor the Mitrastar router may be, there is probably little to no demand for replacing it. AVM doesn't sell "routers designed to replace <anything>" nor does Zyxel, they design/manufacture/sell _standard_ equipment.
Well, with ADSL they did. The router I bought back then had a wizard that asked what ISP I had, and configured itself accordingly.
Wow. Somehow I don't imagine that to have worked with 100 different providers. Even today with only 20 (xdsl) it seems a bit of a stretch.
But even if they don't do autoconfiguration, the hardware itself does not exist. It has to be a router with a fibre input. It must have WiFi, support VoIP and have a phone output, and the typical ethernet outputs.
Well, no, it does not _have_ to. Putting it all in the same box is for consumer convenience (or lock-in). Besides, the hardware _does_ exist - the Fritz!box 5530 that Freek already mentioned, for instance. It even has DECT and a small PABX. -- Per Jessen, Zürich (11.0°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
Op maandag 24 april 2023 12:10:36 CEST schreef Per Jessen:
Carlos E. R. wrote:
But even if they don't do autoconfiguration, the hardware itself does not exist. It has to be a router with a fibre input. It must have WiFi, support VoIP and have a phone output, and the typical ethernet outputs.
Well, no, it does not _have_ to. Putting it all in the same box is for consumer convenience (or lock-in).
Besides, the hardware _does_ exist - the Fritz!box 5530 that Freek already mentioned, for instance. It even has DECT and a small PABX.
I paid less than € 200 for this modem, finding the right fiber cable took some time. The fiber cable of their modem was not of the right type. The main reason for me was that my previous ADSL modem with another ISP was a FritzBox and I use two FritzPhone telephones, but also much easier configuration of firewall and forwarding is a pro. AFAIK the ISP MUST, EU rules, provide you with the necessary information, so also in Spain. They do not need to reduce the cost of the regular payment, because you do not use their modem. In case of trouble they require to reinstall their modem. But I don't believe this will ever happen. -- fr.gr. member openSUSE Freek de Kruijf
On 2023-04-24 05:51, Carlos E. R. wrote:
But even if they don't do autoconfiguration, the hardware itself does not exist. It has to be a router with a fibre input. It must have WiFi, support VoIP and have a phone output, and the typical ethernet outputs.
There exists a combination of ONT and Router, and my searches found it is a 500€ deployment! So pay that and risk it doesn't work any day.
With my ISP, they terminate the fibre at an Optical Network Terminal (ONT), which has an Ethernet connection on it. While they provide a gateway that connects to that ONT, customers are allowed to connect anything they want, just as with the cable modem in bridge mode. In fact, if you get the 8 Gb service, they'll even toss in an unmanaged Ethernet switch, which in turn can be used with anything.
Carlos E. R. wrote:
On 2023-04-22 21:24, Lew Wolfgang wrote:
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it.
Whilst I have zero experience with SFW2, I feel quite certain it supports ipv6, so that is surely mostly a configuration issue. https://en.opensuse.org/SuSEfirewall2#IPv6 That page does list some non-working keywords though.
I can change to firewalld, but I don't know if it is better in this respect,
I have no doubt it is just as good, likely better. IPv6 firewalling is not rocket science, no more than ipv4 firewalling is.
And the router firewall is faulty.
Yes, it very much looks that way. -- Per Jessen, Zürich (11.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-23 09:10, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-22 21:24, Lew Wolfgang wrote:
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it.
Whilst I have zero experience with SFW2, I feel quite certain it supports ipv6, so that is surely mostly a configuration issue.
https://en.opensuse.org/SuSEfirewall2#IPv6
That page does list some non-working keywords though.
I can change to firewalld, but I don't know if it is better in this respect,
I have no doubt it is just as good, likely better. IPv6 firewalling is not rocket science, no more than ipv4 firewalling is.
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6, and I have no idea how to achieve that. I also googled, no hits.
And the router firewall is faulty.
Yes, it very much looks that way.
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-23 09:10, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-22 21:24, Lew Wolfgang wrote:
Gad! You need to get a working firewall, Carlos! You've got NFS open to the broad Internet, including mountd! What could possibly go wrong?
The machine runs SuSEfirewall2, which is open to the intranet. It is not aware that IPv6 is internet and doesn't close it.
Whilst I have zero experience with SFW2, I feel quite certain it supports ipv6, so that is surely mostly a configuration issue.
https://en.opensuse.org/SuSEfirewall2#IPv6
That page does list some non-working keywords though.
I can change to firewalld, but I don't know if it is better in this respect,
I have no doubt it is just as good, likely better. IPv6 firewalling is not rocket science, no more than ipv4 firewalling is.
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6, and I have no idea how to achieve that.
Here is a good starting point: https://firewalld.org/documentation A very quick look at the above, and it looks like you need to assign ipv6 on your incoming interface to the 'block' zone. Presumably you would also assign your ipv6 addresses to the 'internal' zone. -- Per Jessen, Zürich (17.3°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 23.04.2023 14:54, Per Jessen wrote:
you need to assign ipv6 on your incoming interface to the 'block' zone.
You cannot "assign ipv6 to zone".
Presumably you would also assign your ipv6 addresses to the 'internal' zone.
This is becoming ridiculous. Not only can you not "assign address to zone" (this is not how firewalld works), you will need to change the configuration every time this address changes, and so far you did not explain how to do it. Do you suggest starting every day by manually changing the firewall configuration?
Andrei Borzenkov wrote:
On 23.04.2023 14:54, Per Jessen wrote:
you need to assign ipv6 on your incoming interface to the 'block' zone.
You cannot "assign ipv6 to zone".
Presumably you would also assign your ipv6 addresses to the 'internal' zone.
This is becoming ridiculous. Not only can you not "assign address to zone" (this is not how firewalld works), you will need to change the configuration every time this address changes, and so far you did not explain how to do it.
Andrei, calm down. Maybe I should have added a disclaimer - that I know nothing about firewalld. All I did was suggest to Carlos to read the documentation and add a couple of hints, however useless they may have been. I _did_ make suggestions on how to approach the issue of reloading the firewall when the addresses change, maybe you missed it.
Do you suggest starting every day by manually changing the firewall configuration?
I suggest you quit that condescending attitude. -- Per Jessen, Zürich (18.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 23.04.2023 14:06, Carlos E. R. wrote:
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6,
I already told you - block incoming connections with source MAC address of your router.
and I have no idea how to achieve that.
I also googled, no hits.
And the router firewall is faulty.
Yes, it very much looks that way.
On 2023-04-23 13:56, Andrei Borzenkov wrote:
On 23.04.2023 14:06, Carlos E. R. wrote:
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6,
I already told you - block incoming connections with source MAC address of your router.
You did, but not with firewalld. I don't know how to do that.

I just looked in my laptop with Beta, and could not find the GUI to configure firewalld, only the YaST module which is way too simple.

firewall-config is missing. Installed.

I see that the zone is set to "public".

ssh service is enabled. I tested that I can reach this machine from Internet to ssh.

Sorry, I have no idea how to achieve what you say.

I had a look at <https://firewalld.org/documentation/>. No clue how to do anything. I look for example, at an example section:

<https://firewalld.org/documentation/zone/examples.html>

with a bunch of XML things, instead of click on this menu, do this or that. Useless.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 23.04.2023 15:56, Carlos E. R. wrote:
On 2023-04-23 13:56, Andrei Borzenkov wrote:
On 23.04.2023 14:06, Carlos E. R. wrote:
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6,
I already told you - block incoming connections with source MAC address of your router.
You did, but not with firewalld. I don't know how to do that.
I just looked in my laptop with Beta, and could not find the GUI to configure firewalld, only the YaST module which is way too simple.
firewall-config is missing. Installed.
I see that the zone is set to "public".
ssh service is enabled. I tested that I can reach this machine from Internet to ssh.
Sorry, I have no idea how to achieve what you say.
You use rich rules.

firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'

This will reject any new packet coming from the router. It will do it before accepting SSH on port 22.

This will still allow IPv6 RA from your router. It will block ICMPv4 so you may consider explicitly allowing it.

Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
I had a look at <https://firewalld.org/documentation/>. No clue how to do anything. I look for example, at an example section:
<https://firewalld.org/documentation/zone/examples.html>
with a bunch of XML things, instead of click on this menu, do this or that. Useless.
The GUI is nothing more than rather simplistic XML editor so if you understand (XML) configuration you should have no problem with GUI.
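An added example (not code from the thread, firewalld or openSUSE) showing the other way to answer the original question: instead of matching the router's MAC, keep a firewalld rich rule that admits only the IPv6 prefix currently present on the interface, and recompute it whenever the ISP hands out a new one, which is the "address changes" objection raised above. It assumes the LAN interface sits in the public zone, the ISP delegates one on-link /64, and ssh has been removed from the zone's general service list; the `ip` output is constructed from the 2001:db8::/32 documentation range.

```python
"""Keep firewalld's IPv6 LAN exception in sync with a dynamic ISP prefix."""
import ipaddress
import re
import subprocess

ZONE = "public"      # assumption: the LAN interface lives in this zone
SERVICE = "ssh"      # service that must stay reachable from the LAN only
PREFIX_LEN = 64      # assumption: the ISP delegates one on-link /64

# Constructed sample of `ip -6 -o addr show scope global`; the 2001:db8::/32
# documentation range stands in for the real, changing ISP prefix.
SAMPLE_IP_OUTPUT = (
    "2: eth0    inet6 2001:db8:1234:abcd:5054:ff:fe12:3456/64 scope global "
    "dynamic mngtmpaddr noprefixroute \\       valid_lft 86399sec preferred_lft 14399sec\n"
    "2: eth0    inet6 2001:db8:1234:abcd:1a2b:3c4d:5e6f:7a8b/64 scope global "
    "temporary dynamic \\       valid_lft 86399sec preferred_lft 14399sec\n"
)

# Shape of a rule as `firewall-cmd --list-rich-rules` prints it back.
LAN_RULE_RE = re.compile(
    r'rule family="ipv6" source address="([0-9a-fA-F:]+/\d+)" '
    r'service name="(\w+)" accept'
)


def global_prefixes(ip_output, prefix_len=PREFIX_LEN):
    """Distinct on-link networks ('2001:db8:1234:abcd::/64') found in the
    output of `ip -6 -o addr show scope global`.  Only the prefix is kept, so
    the stable and the temporary (privacy) address collapse into one entry,
    and the ipaddress module handles '::' compression for us."""
    nets = []
    for line in ip_output.splitlines():
        tokens = line.split()
        if "inet6" not in tokens:
            continue
        addr = tokens[tokens.index("inet6") + 1]          # e.g. 2001:db8::1/64
        host = ipaddress.IPv6Interface(addr).ip
        net = str(ipaddress.IPv6Interface(f"{host}/{prefix_len}").network)
        if net not in nets:
            nets.append(net)
    return nets


def lan_rule(prefix, service=SERVICE):
    """Rich rule that lets only the current LAN prefix reach `service`; the
    zone's default target still rejects everything else arriving over IPv6."""
    return (f'rule family="ipv6" source address="{prefix}" '
            f'service name="{service}" accept')


def plan_changes(current_rules, prefixes, service=SERVICE):
    """Compare the rules firewalld currently holds with the prefixes seen on
    the interface.  Returns (to_remove, to_add): stale LAN rules for this
    service whose prefix is gone, and rules for prefixes that are new.  Other
    rich rules (for instance a MAC-based reject) are left untouched."""
    current = [c.strip() for c in current_rules]
    wanted = [lan_rule(p, service) for p in prefixes]
    to_remove = []
    for rule in current:
        m = LAN_RULE_RE.fullmatch(rule)
        if m and m.group(2) == service and rule not in wanted:
            to_remove.append(rule)
    to_add = [r for r in wanted if r not in current]
    return to_remove, to_add


def firewall_cmd(*args):
    return subprocess.run(["firewall-cmd", *args], check=True,
                          capture_output=True, text=True).stdout


def sync(dry_run=True):
    """Runtime-only update (no --permanent), so a stale prefix never survives a
    reboot; run it from a NetworkManager dispatcher hook or a systemd timer so
    it follows the prefix whenever the router announces a new one."""
    ip_out = subprocess.run(["ip", "-6", "-o", "addr", "show", "scope", "global"],
                            check=True, capture_output=True, text=True).stdout
    current = firewall_cmd(f"--zone={ZONE}", "--list-rich-rules").splitlines()
    to_remove, to_add = plan_changes(current, global_prefixes(ip_out))
    for rule in to_remove:
        print("remove:", rule)
        if not dry_run:
            firewall_cmd(f"--zone={ZONE}", "--remove-rich-rule", rule)
    for rule in to_add:
        print("add:   ", rule)
        if not dry_run:
            firewall_cmd(f"--zone={ZONE}", "--add-rich-rule", rule)
    return to_remove, to_add


if __name__ == "__main__":
    import sys
    sync(dry_run="--apply" not in sys.argv)   # prints the plan unless --apply
```

The rule only narrows access if ssh is not also allowed zone-wide, so take it out of the zone's service list once, permanently (`firewall-cmd --permanent --zone=public --remove-service=ssh` followed by `firewall-cmd --reload`), and leave the prefix rule to this script.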
On 2023-04-23 16:01, Andrei Borzenkov wrote:
On 23.04.2023 15:56, Carlos E. R. wrote:
On 2023-04-23 13:56, Andrei Borzenkov wrote:
On 23.04.2023 14:06, Carlos E. R. wrote:
Well, so far nobody has chimed in on how to configure firewalld to refuse incoming connections from internet on IPv6,
I already told you - block incoming connections with source MAC address of your router.
You did, but not with firewalld. I don't know how to do that.
I just looked in my laptop with Beta, and could not find the GUI to configure firewalld, only the YaST module which is way too simple.
firewall-config is missing. Installed.
I see that the zone is set to "public".
ssh service is enabled. I tested that I can reach this machine from Internet to ssh.
Sorry, I have no idea how to achieve what you say.
You use rich rules.
firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
This will reject any new packet coming from router. It will do it before accepting SSH on port 22.
This will still allow IPv6 RA from your router. It will block ICMPv4 so you may consider explicitly allowing it.
Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Ok, trying. ssh is enabled in the section "zone public" "service: ssh" of firewalld. This is what YaST did during install when I said to activate the firewall and sshd.

I try to find the MAC of the router. I do, in two machines, one using ethernet and the other using wifi:

Telcontar:~ # ip neigh | grep 192.168.1.1
192.168.1.1 dev eth0 lladdr ...:d4 REACHABLE <===
192.168.1.16 dev eth0 lladdr ...:a1 STALE
Telcontar:~ #

Beta:~ # ip neigh | grep 192.168.1.1
192.168.1.16 dev wlan0 lladdr ...:a1 STALE
192.168.1.1 dev wlan0 lladdr ...:d4 DELAY <===
192.168.1.14 dev wlan0 lladdr ...:bd DELAY
Beta:~ #

It is the same in both places. I run the command

Beta:~ # firewall-cmd --permanent --zone=public \
--add-rich-rule='rule source mac="...:d4" reject'\
success
Beta:~ #

Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected. Then I ssh to a machine of a friend, and from there I ssh to the Beta machine using IPv6. It also connects. I don't have access to run nmap on my friend's machine, so I can not check other ports. But Beta only has the ssh service and port open, AFAIK. And other machines I have do not run firewalld yet.

If I try a traceroute to my machine from outside, I see:

traceroute 2a02:ZZZ:298b
12 * * *
13 2a02:XXX:64 (2a02:XXX:64) 45.349 ms 2a02:YYY:80d5 (2a02:YYY:80d5) 47.862 ms 2a02:XXX:64 (2a02:XXX:64) 47.080 ms
14 2a02:ZZZ:298b (2a02:ZZZ:298b) 50.020 ms !X 50.106 ms !X 50.330 ms !X

(if you want to see the exact, unedited output, I'll send that off-list)

AFAICS 2a02:XXX:64 is not my router. 2a02:YYY:80d5 could be, but doesn't have my prefix. Similar, but not mine. If I ping6 it, it doesn't appear in "ip -6 neigh".

Telcontar:~ # ping6 2a02:YYY:80d5
PING 2a02:YYY:80d5(2a02:YYY:80d5) 56 data bytes
64 bytes from 2a02:YYY:80d5: icmp_seq=1 ttl=64 time=1.29 ms
64 bytes from 2a02:YYY:80d5: icmp_seq=2 ttl=64 time=0.468 ms
^C
--- 2a02:YYY:80d5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.468/0.879/1.291/0.411 ms

Telcontar:~ # ping router
PING router.valinor (192.168.1.1) 56(84) bytes of data.
64 bytes from router.valinor (192.168.1.1): icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from router.valinor (192.168.1.1): icmp_seq=2 ttl=64 time=0.348 ms
64 bytes from router.valinor (192.168.1.1): icmp_seq=3 ttl=64 time=0.313 ms
^C
--- router.valinor ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.313/0.395/0.526/0.093 ms
Telcontar:~ #
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 23.04.2023 23:41, Carlos E. R. wrote:
Beta:~ # firewall-cmd --permanent --zone=public \
--add-rich-rule='rule source mac="...:d4" reject'\
success
Beta:~ #
Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected.
You need to reload firewalld after changing permanent configuration.

And I probably missed family=ipv6

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
On 2023-04-24 06:04, Andrei Borzenkov wrote:
On 23.04.2023 23:41, Carlos E. R. wrote:
Beta:~ # firewall-cmd --permanent --zone=public \
--add-rich-rule='rule source mac="...:d4" reject'\
success
Beta:~ #
Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected.
You need to reload firewalld after changing permanent configuration.
Ah.
And I probably missed family=ipv6
I did that using the GUI "firewall-config" (I found the place) and the app crashed with a series of pop-up messages, one a python traceback. And firewalld daemon died. (in Leap 15.5 Beta)
Beta:~ # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:16:19 CEST; 3min 1s ago
       Docs: man:firewalld(1)
    Process: 1398 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 1398 (code=dumped, signal=ABRT)

Apr 23 13:30:07 Beta systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 23 13:30:08 Beta systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:16:19 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:16:19 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:~ # systemctl restart firewalld.service
Beta:~ # systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2023-04-24 12:19:36 CEST; 2s ago
       Docs: man:firewalld(1)
   Main PID: 5848 (firewalld)
      Tasks: 2 (limit: 4915)
     CGroup: /system.slice/firewalld.service
             └─ 5848 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Apr 24 12:19:36 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:19:36 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Beta:~ #
I tried to do it again, crashed again. First popup says, failed to connect to firewalld. I.e., the daemon dies. It core-dumps. But systemd fails to collect coredumps, and I don't know how to enable that.
2023-04-24T12:20:58.107669+02:00 Beta systemd[1]: Started Process Core Dump (PID 5934/UID 0).
2023-04-24T12:20:58.327771+02:00 Beta systemd-coredump[5935]: Process 5848 (firewalld) of user 0 dumped core. [...]
2023-04-24T12:20:58.331874+02:00 Beta systemd[1]: systemd-coredump@2-5934-0.service: Deactivated successfully.
2023-04-24T12:20:58.348605+02:00 Beta systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
2023-04-24T12:20:58.348843+02:00 Beta systemd[1]: firewalld.service: Failed with result 'core-dump'.
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Wild guessing:

Beta:~ # firewall-cmd --list-rich-rules
rule source mac="...:d4" reject
Beta:~ #
Beta:~ # firewall-cmd --remove-rich-rule=source mac="...:d4" reject
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: mac=...:d4 reject
Beta:~ #
Beta:~ # firewall-cmd --remove-rich-rule='source mac="...:d4" reject'
Error: INVALID_RULE: 'source' outside of rule. Use 'rule ... source ...'.
Beta:~ #

Ok, but the man page only says:

[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-rich-rule='rule'
Remove rich language rule 'rule'. This option can be specified multiple times.

No examples on how to delete a rule. I assume I have to delete it, then apply the new/changed rule.

Ok, editing file /etc/firewalld/zones/public.xml and removing the rule.
Beta:/etc/firewalld/zones # firewall-cmd --reload
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones #
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
Beta:/etc/firewalld/zones # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:37:36 CEST; 3min 17s ago
       Docs: man:firewalld(1)
    Process: 6046 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 6046 (code=dumped, signal=ABRT)

Apr 24 12:25:42 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:25:42 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:31:12 Beta.valinor firewalld[6046]: ERROR: INVALID_RULE: 'source' outside of rule. Use 'rule ... source ...'.
Apr 24 12:36:18 Beta.valinor firewalld[6046]: ERROR: INVALID_RULE: bad attribute 'familty'
Apr 24 12:37:36 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:37:36 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:/etc/firewalld/zones #
Can't be done :-/
Beta:/etc/firewalld/zones # systemctl restart firewalld.service
Beta:/etc/firewalld/zones # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 12:42:02 CEST; 1s ago
       Docs: man:firewalld(1)
    Process: 6710 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 6710 (code=dumped, signal=ABRT)

Apr 24 12:42:02 Beta.valinor systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 12:42:02 Beta.valinor systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 12:42:02 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 12:42:02 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:/etc/firewalld/zones #
I have to edit out the rule, the firewall crashes, core dumps, and can not be started.

Oh, and my wifi is unstable after a few days running, the driver crashes. Before that, it becomes unresponsive.

How can a firewall crash and leave the machine not protected?

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 12:47, Carlos E. R. wrote:
I have to edit out the rule, the firewall crashes, core dumps, and can not be started.
Hum. I have a zypper dup pending to apply. Rebooting. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 12:57, Carlos E. R. wrote:
On 2023-04-24 12:47, Carlos E. R. wrote:
I have to edit out the rule, the firewall crashes, core dumps, and can not be started.
Hum. I have a zypper dup pending to apply. Rebooting.
Nah, issue continues.
cer@Telcontar:~> ssh -X root@192.168.2.18
Password:
Last login: Sun Apr 23 13:31:15 2023 from 192.168.1.14
Have a lot of fun...
dbus-update-activation-environment: warning: error sending to systemd: org.freedesktop.DBus.Error.InvalidArgs: Invalid environment assignments
Beta:~ # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:~ # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:~ # systemctl status firewalld.service
× firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: failed (Result: core-dump) since Mon 2023-04-24 13:04:49 CEST; 11s ago
       Docs: man:firewalld(1)
    Process: 1394 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=dumped, signal=ABRT)
   Main PID: 1394 (code=dumped, signal=ABRT)

Apr 24 13:03:19 Beta systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 13:03:19 Beta systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 13:04:49 Beta.valinor systemd[1]: firewalld.service: Main process exited, code=dumped, status=6/ABRT
Apr 24 13:04:49 Beta.valinor systemd[1]: firewalld.service: Failed with result 'core-dump'.
Beta:~ #
Can't capture the log, the connection died. Both wlan and eth. Have to reboot the machine. Actually, power cycle it, it locks hard. [...] <https://paste.opensuse.org/pastes/afa8b5010e7d> Is this an error from me, or a bug that deserves a bugzilla? Ah, systemd coredumps are working now. Some good news today. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Mon, Apr 24, 2023 at 2:30 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Is this an error from me, or a bug that deserves a bugzilla?
In general no user actions should result in program crash. Any crash is a bug. But without a reliable way to reproduce it chances it will be fixed are rather slim.
On 2023-04-24 13:46, Andrei Borzenkov wrote:
On Mon, Apr 24, 2023 at 2:30 PM Carlos E. R. <> wrote:
Is this an error from me, or a bug that deserves a bugzilla?
In general no user actions should result in program crash. Any crash is a bug. But without a reliable way to reproduce it chances it will be fixed are rather slim.
It can be reproduced at will in my machine... >:-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 13:58, Carlos E. R. wrote:
On 2023-04-24 13:46, Andrei Borzenkov wrote:
On Mon, Apr 24, 2023 at 2:30 PM Carlos E. R. <> wrote:
Is this an error from me, or a bug that deserves a bugzilla?
In general no user actions should result in program crash. Any crash is a bug. But without a reliable way to reproduce it chances it will be fixed are rather slim.
It can be reproduced at will in my machine... >:-)
They reproduced it, and there is a patch. :-) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
How can a firewall crash and leave the machine not protected?
It isn't necessarily what happened - afaiu, firewalld is a management daemon, that's all. If it crashes, your firewall is still in place. Check with "iptables --list -nv" or whatever the nftables equivalent is. -- Per Jessen, Zürich (12.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-24 13:18, Per Jessen wrote:
Carlos E. R. wrote:
How can a firewall crash and leave the machine not protected?
It isn't necessarily what happened - afaiu, firewalld is a management daemon, that's all. If it crashes, your firewall is still in place. Check with "iptables --list -nv" or whatever the nftables equivalent is.
If the rule is written to zone file, firewall doesn't even start on boot. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 13:59, Carlos E. R. wrote:
On 2023-04-24 13:18, Per Jessen wrote:
Carlos E. R. wrote:
How can a firewall crash and leave the machine not protected?
It isn't necessarily what happened - afaiu, firewalld is a management daemon, that's all. If it crashes, your firewall is still in place. Check with "iptables --list -nv" or whatever the nftables equivalent is.
If the rule is written to zone file, firewall doesn't even start on boot.
[Bug 1210773] New: firewalld crashes when trying to apply a rich rule -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 24.04.2023 13:47, Carlos E. R. wrote:
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
In Tumbleweed it works correctly. In Leap 15.4 with default nftables backend firewalld gets "unsupported family" and aborts. It does not happen in firewalld itself, but rather in supporting library used by firewalld. It works when using iptables backend. Apparently nobody tried to define ipv6 rules so far in Leap.
On 2023-04-24 19:25, Andrei Borzenkov wrote:
On 24.04.2023 13:47, Carlos E. R. wrote:
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
In Tumbleweed it works correctly.
In Leap 15.4 with default nftables backend firewalld gets "unsupported family" and aborts. It does not happen in firewalld itself, but rather in supporting library used by firewalld. It works when using iptables backend.
Apparently nobody tried to define ipv6 rules so far in Leap.
Well, in all machines except one I think I can block both ipv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.

Maybe another rich rule to accept on those two ports?

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 24.04.2023 22:00, Carlos E. R. wrote:
On 2023-04-24 19:25, Andrei Borzenkov wrote:
On 24.04.2023 13:47, Carlos E. R. wrote:
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
In Tumbleweed it works correctly.
In Leap 15.4 with default nftables backend firewalld gets "unsupported family" and aborts. It does not happen in firewalld itself, but rather in supporting library used by firewalld. It works when using iptables backend.
Apparently nobody tried to define ipv6 rules so far in Leap.
Well, in all machines except one I think I can block both ipv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
Maybe another rich rule to accept on those two ports?
Use rule priority="10" ... to order this rule after normal "allow" chain. Any positive number will do. Or you can switch to iptables backend so that family="ipv6" works.
On 2023-04-25 06:30, Andrei Borzenkov wrote:
On 24.04.2023 22:00, Carlos E. R. wrote:
On 2023-04-24 19:25, Andrei Borzenkov wrote:
On 24.04.2023 13:47, Carlos E. R. wrote:
Beta:/etc/firewalld/zones # firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source mac="...:d4" reject'
success
Beta:/etc/firewalld/zones # firewall-cmd --list-rich-rules
Beta:/etc/firewalld/zones # less public.xml
Beta:/etc/firewalld/zones # firewall-cmd --reload
Error: Message recipient disconnected from message bus without replying
Beta:/etc/firewalld/zones #
In Tumbleweed it works correctly.
In Leap 15.4 with default nftables backend firewalld gets "unsupported family" and aborts. It does not happen in firewalld itself, but rather in supporting library used by firewalld. It works when using iptables backend.
Apparently nobody tried to define ipv6 rules so far in Leap.
Well, in all machines except one I think I can block both ipv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
Maybe another rich rule to accept on those two ports?
Use
rule priority="10" ...
to order this rule after normal "allow" chain. Any positive number will do.
Or you can switch to iptables backend so that family="ipv6" works.
Thanks. First I have to migrate from SuSEfirewall2. There was a migration tool... I have forgotten its name. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On Tue, Apr 25, 2023 at 9:15 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Well, in all machines except one I think I can block both ipv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
Maybe another rich rule to accept on those two ports?
Use
rule priority="10" ...
to order this rule after normal "allow" chain. Any positive number will do.
Or you can switch to iptables backend so that family="ipv6" works.
Actually, considering that the "public" zone blocks everything by default, you do not need any explicit rule at all.
On 2023-04-25 08:30, Andrei Borzenkov wrote:
On Tue, Apr 25, 2023 at 9:15 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
Well, in all machines except one I think I can block both ipv4 and 6. But there is one machine, the server, that must accept incoming attempts on ssh and http on IPv4 at least. And from what I have seen in my test machine, it will be blocked.
Maybe another rich rule to accept on those two ports?
Use
rule priority="10" ...
to order this rule after normal "allow" chain. Any positive number will do.
Or you can switch to iptables backend so that family="ipv6" works.
Actually, considering that the "public" zone blocks everything by default, you do not need any explicit rule at all.
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http...

This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT, and then I discover my router firewall does not work on IPv6.

With SuSEfirewall2 I used this rule:

FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"

Which allowed those ports only if coming from that machine. I'd like to know if there is a similar trick with firewalld.

However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http...
This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT,
To be precise - s/killing NAT/making NAT superfluous/
and then I discover my router firewall does not work on IPv6.
Still nothing from the beta test support?
With SuSEfirewall2 I used this rule:

FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine. I'd like to know if there is a similar trick with firewalld.
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed. Your definition above seems to translate to: "accept smtp from 192.168.1.15" (for instance). There will be some straight forward way of defining that with/in firewalld too.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
What about your 192.168.1.15 - did that never change, i.e. was it a fixed allocation or did you just hope it never would? If the machine address (i.e. excluding the prefix) does not change, you don't have to specify the prefix. -- Per Jessen, Zürich (9.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
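Per's reading of the FW_TRUSTED_NETS line ("accept smtp from 192.168.1.15") can be produced mechanically as firewalld rich rules. The script below is an added example for this thread, not code from SuSEfirewall2, firewalld or the susefirewall2-to-firewalld script; it assumes the SuSEfirewall2 entry format `net[,proto[,port]]`, resolves the service names used in the thread with a small embedded table instead of /etc/services, and takes the optional `priority` attribute Andrei mentioned.

```python
"""Translate SuSEfirewall2 FW_TRUSTED_NETS entries into firewalld rich rules.

Added example, not part of SuSEfirewall2, firewalld or the migration script.
Assumes each whitespace-separated entry is 'net[,proto[,port]]'.
"""
import ipaddress
import shlex

# Port names from the thread's FW_TRUSTED_NETS line, values as in /etc/services.
SERVICE_PORTS = {
    "smtp": 25, "ftp": 21, "ftp-data": 20, "syslog": 514,
    "nfs": 2049, "sunrpc": 111,
}


def parse_trusted_nets(value):
    """Split FW_TRUSTED_NETS into (network, protocol, port) tuples.

    'net' means accept everything from net, 'net,proto' one protocol (e.g. icmp),
    'net,tcp|udp,port' one port; missing fields come back as None.
    """
    entries = []
    for item in value.split():
        fields = item.split(",")
        if len(fields) > 3:
            raise ValueError(f"bad FW_TRUSTED_NETS entry: {item!r}")
        fields += [None] * (3 - len(fields))
        entries.append(tuple(fields))
    return entries


def to_rich_rule(net, proto=None, port=None, priority=None):
    """Build one firewalld rich rule accepting traffic from `net`.

    firewalld requires `family` whenever `source address` is used, so it is
    derived from the address itself; `priority` orders the rule relative to
    the zone's normal chains (any positive number puts it after them).
    """
    network = ipaddress.ip_network(net, strict=False)  # bare host -> /32 or /128
    family = "ipv6" if network.version == 6 else "ipv4"
    parts = ["rule", f'family="{family}"']
    if priority is not None:
        parts.append(f'priority="{int(priority)}"')
    parts.append(f'source address="{net}"')
    if proto in ("tcp", "udp"):
        if port is None:
            raise ValueError(f"{proto} entry for {net} needs a port")
        # Named ports resolve through the table; numbers and ranges pass through.
        parts.append(f'port port="{SERVICE_PORTS.get(port, port)}" protocol="{proto}"')
    elif proto is not None:
        # Protocol-only entries such as '192.168.1.15,icmp'.
        parts.append(f'protocol value="{proto}"')
    parts.append("accept")
    return " ".join(parts)


def translate(value, zone="public", priority=None):
    """Return the firewall-cmd invocations for a whole FW_TRUSTED_NETS value."""
    commands = []
    for net, proto, port in parse_trusted_nets(value):
        rule = to_rich_rule(net, proto, port, priority)
        commands.append(
            f"firewall-cmd --permanent --zone={zone} --add-rich-rule={shlex.quote(rule)}"
        )
    return commands


if __name__ == "__main__":
    # Constructed input: the FW_TRUSTED_NETS value quoted in the thread.
    TRUSTED = ("192.168.1.15,tcp,smtp 192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data "
               "192.168.1.15,udp,syslog 192.168.1.15,tcp,514 192.168.1.15,udp,6666 "
               "192.168.1.15,icmp 192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc")
    for cmd in translate(TRUSTED):
        print(cmd)
    # --permanent rules only take effect after: firewall-cmd --reload
```

Feeding an IPv6 address (or prefix) to `translate` produces `family="ipv6"` rules, which is exactly the path that crashes the Leap 15.4 nftables backend discussed earlier in the thread.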
On 2023-04-25 10:28, Per Jessen wrote:
Carlos E. R. wrote:
Yes, I use the public zone in all my machines, then I explicitly open the ports I need. For example, I always open SSH, but also NFS, sometimes http...
This worked while the router kept internet out, with NAT and firewall. Then comes IPv6, killing NAT,
To be precise - s/killing NAT/making NAT superfluous/
Ok :-)
and then I discover my router firewall does not work on IPv6.
Still nothing from the beta test support?
Not yesterday. The forum page dies of timeout even if permanently open and computer running, and it is a chore to login again. Doing so now to check. [...] No answer on forum, nor to direct email.
With SuSEfirewall2 I used this rule:

FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine. I'd like to know if there is a similar trick with firewalld.
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed.
Your definition above seems to translate to:
"accept smtp from 192.168.1.15" (for instance).
Ok, and where in the GUI do you write that? :-) Another rich rule?
There will be some straight forward way of defining that with/in firewalld too.
I don't see it in the GUI.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
What about your 192.168.1.15 - did that never change, i.e. was it a fixed allocation or did you just hope it never would?
On IPv4 there is no problem, I control the IP numbers completely. Yes, the low IP numbers, 1..32 are static (from memory, up to 32). Some were DHCP fixated numbers, which are now gone with the router change.
If the machine address (i.e. excluding the prefix) does not change, you don't have to specify the prefix.
If I do "ip addr" on my machine now, ... wait, look:

cer@Telcontar:~> ip addr | grep inet6 | wc -l
13
cer@Telcontar:~>

Some suffixes are temporary, i.e., they change.

cer@Telcontar:~> ip addr | grep inet6 | grep temporary | wc -l
9
cer@Telcontar:~>

An incoming connection can take any of those 13 addresses. Don't think "normally", think also bad actors.

-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed.
Your definition above seems to translate to:
"accept smtp from 192.168.1.15" (for instance).
Ok, and where in the GUI do you write that? :-) Another rich rule?
That is left as an exercise for the reader. I don't use firewalld myself, I speak iptables.
There will be some straight forward way of defining that with/in firewalld too.
I don't see it in the GUI.
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
An incoming connection can take any of those 13 addresses. Don't think "normally", think also bad actors.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution. Although, with (regularly?) changing addresses, any services (e.g. smtp) would need to listen on all addresses. You can fix the lower half (using EUI64), but not the upper. Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme. -- Per Jessen, Zürich (10.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-25 11:14, Per Jessen wrote:
Carlos E. R. wrote:
Yes there is "a similar trick" - firewalld hasn't changed the basics of firewalling, only how it is managed.
Your definition above seems to translate to:
"accept smtp from 192.168.1.15" (for instance).
Ok, and where in the GUI do you write that? :-) Another rich rule?
That is left as an exercise for the reader. I don't use firewalld myself, I speak iptables.
There will be some straight forward way of defining that with/in firewalld too.
I don't see it in the GUI.
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert. For the record, the documentation is in <https://en.opensuse.org/Firewalld> <https://github.com/openSUSE/susefirewall2-to-firewalld/blob/master/README.md>
An incoming connection can take any of those 13 addresses. Don't think "normally", think also bad actors.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp"
it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
and have a script to dynamically change it every time the prefix or one of the suffixes change. That is not practical. Instead, I would use the rule Andrei suggested blocking anything coming from the router (for IPv6 when the bug is corrected). (not wanting to change the default nftables to iptables because I know nothing about it) (I don't know how to find out if a machine is using one or the other, though)
Although, with (regularly?) changing addresses, any services (e.g. smtp) would need to listen on all addresses. You can fix the lower half (using EUI64), but not the upper.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged. I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-25 11:14, Per Jessen wrote:
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert.
Okay, that _does_ surprise me. It seems like a perfectly trivial rule. I have to wonder if it is just a shortcoming of that migration script.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp" it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
Well, first of all, LL addresses are only used for routing. Second, the problem is that while your "192.168.1.15" is static, the ipv6 address is not. Even if you use the EUI64 address, the prefix might still change.
and have a script to dynamically change it every time the prefix or one of the suffixes change.
To keep track of the prefix, I think(!) the easiest would be to monitor the lease file, hint: "inotify-tools". I did wonder about using the firewall to watch for router announcements, but it becomes unnecessarily complex. Instead of "192.168.1.15", you would need to use the EUI64 address, and disable privacy extensions.
(I don't know how to find out if a machine is using one or the other, though)
It is a firewalld setting.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged.
I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs.
Sure, but why bother. As others have already said - when you don't have an actual need, why bother - _unless_ you think it is fun. -- Per Jessen, Zürich (9.5°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-25 11:57, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-25 11:14, Per Jessen wrote:
Given that it is such a simple rule "accept this traffic from that machine", I'm sure you just need to look closer.
It is a rich rule. I'm running now the "susefirewall2-to-firewalld", and I saw the rich rules pass by. Taking a long time to convert.
Okay, that _does_ surprise me. It seems like a perfectly trivial rule. I have to wonder if it is just a shortcoming of that migration script.
Well, if you explain to us what you wish to permit, from where to where, I'm sure we can find a solution.
Oh, this is just hypothetical. Given a sample rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp" it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
Well, first of all, LL addresses are only used for routing.
Per, that's an example. I used that line for the paste because I don't have to edit out for privacy. Or maybe I should have, what the heck. There are 13 IP6 addresses.
Second, the problem is that while your "192.168.1.15" is static, the ipv6 address is not. Even if you use the EUI64 address, the prefix might still change.
Right.
and have a script to dynamically change it every time the prefix or one of the suffixes change.
To keep track of the prefix, I think(!) the easiest would be to monitor the lease file, hint: "inotify-tools". I did wonder about using the firewall to watch for router announcements, but it becomes unnecessarily complex.
Right.
Instead of "192.168.1.15", you would need to use the EUI64 address, and disable privacy extensions.
(I don't know how to find out if a machine is using one or the other, though)
It is a firewalld setting.
Anyway, isn't it all a bit moot? You said you have cancelled your participation in the beta-test programme.
Which they haven't acknowledged.
I can disable it myself in the router, but meanwhile I can test things. Like firewalld configs.
Sure, but why bother. As others have already said - when you don't have an actual need, why bother - _unless_ you think it is fun.
Well, I'm investigating. It is some fun (not much), and I don't know how many years it will take them to correct the firmware bug, or change my router. Nor do I know if the next router will not have a similar bug. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-25 11:57, Per Jessen wrote:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp" it would be converted to 20 lines like:
accept smtp from fe80::2d8:61ff:fea1:5abd
Well, first of all, LL addresses are only used for routing.
Per, that's an example.
I'm only saying - it was a poorly chosen example. LL addresses are special.
I used that line for the paste because I don't have to edit out for privacy. Or maybe I should have, what the heck. There are 13 IP6 addresses.
You don't have to edit anything - your prefix changes every day. However, this will do it: sed -e 's/yourprefix/2001:db8::/g'
To keep track of the prefix, I think(!) the easiest would be to monitor the lease file, hint: "inotify-tools". I did wonder about using the firewall to watch for router announcements, but it becomes unnecessarily complex.
Right.
I don't know how easy those inotify tools are to use, but it ought to be fairly easy to monitor for a file called 'dhclient6.*ethX.lease' being written to '/var/lib/NetworkManager/'.
As others have already said - when you don't have an actual need, why bother - _unless_ you think it is fun.
Well, I'm investigating. It is some fun (not much), and I don't know how many years it will take them to correct the firmware bug, or change my router. Nor do I know if the next router will not have a similar bug.
If it isn't fun, just disable ipv6 in your machines, then you're safe. At most, someone might gain access to your washing machine and turn your underwear pink, but that's all. -- Per Jessen, Zürich (10.7°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
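Per's approach above (track the prefix, then rewrite the rules with sed) can be scripted without ever typing the prefix into a script, because the host's own global addresses carry it, and all 13 addresses on a machine share that prefix. The following is an added example, not code from the thread; it assumes iproute2's `ip -6 addr` output format, a /64 on-link prefix, and ip6tables as in Per's earlier rules. The sample `ip` output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the current global /64
# prefix(es) of a SLAAC host from `ip -6 addr` output and renders the
# ip6tables rules Per described (accept from own prefix, drop the rest), so
# the ISP's changing prefix never has to be hard-coded. Assumes iproute2's
# output format and a /64 on-link prefix.

# Constructed sample of `ip -6 addr show scope global`, plus one link-local
# line that must be ignored: a stable address, a privacy (temporary)
# address on the same prefix, and a ULA.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:2d8:61ff:fea1:5abd/64 scope global dynamic mngtmpaddr
       valid_lft 86311sec preferred_lft 14311sec
    inet6 2001:db8:abcd:1:19f3:8c2e:4b1d:77aa/64 scope global temporary dynamic
       valid_lft 86311sec preferred_lft 14311sec
    inet6 fd00:1::5/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2d8:61ff:fea1:5abd/64 scope link
       valid_lft forever preferred_lft forever'

prefix64() {
    # $1 = IPv6 address without prefix length. Expands "::" and prints the
    # upper four 16-bit groups as a canonical /64, e.g. 2001:db8::1 -> 2001:db8::/64
    printf '%s\n' "$1" | awk -F'::' '{
        nl = split($1, left, ":"); nr = split($2, right, ":")
        n = 0
        for (i = 1; i <= nl; i++) g[++n] = left[i]
        for (i = 1; i <= 8 - nl - nr; i++) g[++n] = "0"   # groups hidden by "::"
        for (i = 1; i <= nr; i++) g[++n] = right[i]
        for (i = 1; i <= 4; i++) { sub(/^0+/, "", g[i]); if (g[i] == "") g[i] = "0" }
        k = 4
        while (k > 0 && g[k] == "0") k--        # trailing zero groups fold into "::"
        out = ""
        for (i = 1; i <= k; i++) { sep = (i > 1) ? ":" : ""; out = out sep g[i] }
        print out "::/64"
    }'
}

global_prefixes() {
    # Reads `ip -6 addr` output on stdin; prints each distinct global /64 once.
    # Link-local (scope link) and non-/64 addresses are skipped.
    awk '$1 == "inet6" && $3 == "scope" && $4 == "global" {
             split($2, a, "/"); if (a[2] == "64") print a[1] }' |
    while read -r addr; do prefix64 "$addr"; done | sort -u
}

# Rule template in the spirit of Per's sed one-liner: the placeholder is
# substituted with the live prefix each time it changes. "|" is the sed
# delimiter because the prefix itself contains "/".
ACCEPT_TEMPLATE='ip6tables -A INPUT -s yourprefix -j ACCEPT'

render_rules() {
    # $@ = prefixes. Emits the complete INPUT policy: loopback, replies to our
    # own connections, ICMPv6 (neighbour discovery and RAs must keep working),
    # one ACCEPT per on-link prefix, then drop everything else from the WAN.
    echo 'ip6tables -A INPUT -i lo -j ACCEPT'
    echo 'ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'ip6tables -A INPUT -p ipv6-icmp -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "$ACCEPT_TEMPLATE" | sed -e "s|yourprefix|$p|g"
    done
    echo 'ip6tables -A INPUT -p all -j DROP'
}

# Demo on the constructed sample. On a live host use instead:
#   ip -6 addr show scope global | global_prefixes
# and re-run it from an inotify watch or a NetworkManager dispatcher hook
# whenever the prefix changes, as Per suggested, instead of hard-coding it.
prefixes=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | global_prefixes)
render_rules $prefixes          # unquoted on purpose: one argument per prefix
```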
On 2023-04-25 05:57, Per Jessen wrote:
Well, first of all, LL addresses are only used for routing.
They're used for a lot more than routing. They're also used for neighbor and router solicitation and advertisement. They were also used for a Windows home network.
On Tue, Apr 25, 2023 at 11:02 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
With SuSEfirewalld I used this rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine.
And goalposts have been shifted again. First you wanted ports open to LAN but not WAN. Next you wanted ports open to WAN and LAN. And now you want ports opened to one specific address only.
I'd like to know if there is a similar trick with firewalld.
Yes.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
You apparently indulge in beating the dead horse. Anybody forces you to use IPv6 at all? They took away IPv4 and it is no longer functional?
On 2023-04-25 11:23, Andrei Borzenkov wrote:
On Tue, Apr 25, 2023 at 11:02 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
With SuSEfirewalld I used this rule:
FW_TRUSTED_NETS="192.168.1.15,tcp,smtp \
  192.168.1.15,tcp,ftp 192.168.1.15,tcp,ftp-data \
  192.168.1.15,udp,syslog 192.168.1.15,tcp,514 \
  192.168.1.15,udp,6666 192.168.1.15,icmp \
  192.168.1.15,tcp,nfs 192.168.1.15,udp,sunrpc"
Which allowed those ports only if coming from that machine.
And goalposts have been shifted again. First you wanted ports open to LAN but not WAN. Next you wanted ports open to WAN and LAN. And now you want ports opened to one specific address only.
I don't change goalposts, I simply realize I forgot something, or talk about different machines. On the Beta machine, I only need to close to the WAN. On the "server" machine, I also need some ports open to the WAN. On my normal machine, I simply remembered that, when possible, I open ports not to the entire LAN, but to specific addresses in the LAN.
I'd like to know if there is a similar trick with firewalld.
Yes.
Yes, I have found that "susefirewall2-to-firewalld" is converting them.
However, even if it exists, on IPv6 the address used to enter is not one, but several, and the prefix changes.
You apparently indulge in beating the dead horse. Anybody forces you to use IPv6 at all? They took away IPv4 and it is no longer functional?
I'm just commenting on the hypothetical case of wanting to create such a rule for IPv6. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 06:04, Andrei Borzenkov wrote:
On 23.04.2023 23:41, Carlos E. R. wrote:
Beta:~ # firewall-cmd --permanent --zone=public \
  --add-rich-rule='rule source mac="...:d4" reject'
success
Beta:~ #
Then I try to ssh from Isengard to Beta, both IPv4 and IPv6. It works, as I expected.
You need to reload firewalld after changing permanent configuration.
And I probably missed family=ipv6
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Without 'family="ipv6"', the rule works. An attempt to ssh from outside doesn't work (it stalls). On LAN, it works. It is something. Thanks. Well, I'll have to migrate my machines to firewalld from SuSEfirewall2, now I have a good reason. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 14:16, Carlos E. R. wrote:
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Without 'family="ipv6"', the rule works. An attempt to ssh from outside doesn't work (it stalls). On LAN, it works.
Really hope you prefaced the "family" with --. Neither you nor Andrei did. -- /bengan
On 2023-04-24 14:48, Bengt Gördén wrote:
On 2023-04-24 14:16, Carlos E. R. wrote:
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Without 'family="ipv6"', the rule works. An attempt to ssh from outside doesn't work (it stalls). On LAN, it works.
Really hope you prefaced the "family" with --. Neither you nor Andrei did.
Well, I really have no idea about the syntax, but a syntax error should produce a message about a syntax error, not a coredump of the firewall daemon. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-24 15:24, Carlos E. R. wrote:
On 2023-04-24 14:48, Bengt Gördén wrote:
On 2023-04-24 14:16, Carlos E. R. wrote:
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Without 'family="ipv6"', the rule works. An attempt to ssh from outside doesn't work (it stalls). On LAN, it works.
Really hope you prefaced the "family" with --. Neither you nor Andrei did.
Well, I really have no idea about the syntax, but a syntax error should produce a message about a syntax error, not a coredump of the firewall daemon.
And, if I use the GUI to change the default family to IPv6, it also crashes the daemon. Surely the GUI knows the proper syntax. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Op maandag 24 april 2023 14:48:42 CEST schreef Bengt Gördén:
On 2023-04-24 14:16, Carlos E. R. wrote:
firewall-cmd --permanent --zone=public --add-rich-rule='rule familty="ipv6" source mac="AA:BB:CC:DD:EE:FF" reject'
Without 'family="ipv6"', the rule works. An attempt to ssh from outside doesn't work (it stalls). On LAN, it works.
Really hope you prefaced the "family" with --. Neither you nor Andrei did.
Between the quotes after --add-rich-rule=, you don't use --. So the used syntax of the rule by Carlos is right. I studied the manual and found that ordering of these rules is important. But I believe that the implementation of this rule is faulty. It should check whether the packet contains a field which indicates IPv6 and if so whether the source mac address contains the given value, and if so the packet should be dropped. -- fr.gr. member openSUSE Freek de Kruijf
On 2023-04-24 15:33, Freek de Kruijf wrote:
Between the quotes after --add-rich-rule=, you don't use --. So the used syntax of the rule by Carlos is right.
Ah. Understood.
I studied the manual and found that ordering of these rules is important. But I believe that the implementation of this rule is faulty. It should check whether the packet contains a field which indicates IPv6 and if so whether the source mac address contains the given value, and if so the packet should be dropped.
-- /bengan
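A client-side check of the rich-rule text before it reaches firewalld would have flagged the 'familty' typo discussed above, and the reload Andrei mentioned can be folded into the same step. This is an added example, not code from the thread or from firewalld; the keyword and attribute lists are the subset of firewalld.richlanguage(5) needed for rules of the kind shown here (an assumption, not the full grammar), the router MAC is the thread's AA:BB:CC:DD:EE:FF placeholder, and FIREWALL_CMD defaults to a dry run (echo) so the script can be exercised without a running daemon.

```shell
#!/bin/sh
# Added example, not from the thread: syntax pre-check for firewalld rich
# rules so a typo such as 'familty="ipv6"' is rejected client-side instead
# of being handed to the daemon, plus a wrapper that adds the rule to the
# permanent configuration and reloads (permanent changes only take effect
# after a reload). Assumption: the keyword/attribute lists below are the
# subset of firewalld.richlanguage(5) needed for source/mac/protocol/action rules.

KEYWORDS='source destination service port protocol icmp-block icmp-type
          masquerade forward-port source-port log audit accept reject drop mark not'
HEX='[0-9A-Fa-f][0-9A-Fa-f]'
FIREWALL_CMD=${FIREWALL_CMD:-"echo firewall-cmd"}   # dry run unless overridden
ROUTER_MAC='AA:BB:CC:DD:EE:FF'                       # placeholder MAC from the thread

check_rich_rule() {
    # $1 = rule text exactly as it goes between the quotes of --add-rich-rule=
    # Returns 0 when every token is recognised; prints a reason and returns 1
    # otherwise. Values are assumed to contain no whitespace or glob characters.
    case $1 in
        "rule "*) ;;
        *) echo "error: rich rule must start with 'rule'" >&2; return 1 ;;
    esac
    set -- $1                                   # split into tokens
    shift                                       # drop the leading 'rule'
    for tok in "$@"; do
        case $tok in
            family=\"ipv4\"|family=\"ipv6\") ;;
            family=*) echo "error: family must be \"ipv4\" or \"ipv6\": $tok" >&2; return 1 ;;
            mac=\"$HEX:$HEX:$HEX:$HEX:$HEX:$HEX\") ;;
            mac=*) echo "error: malformed MAC address: $tok" >&2; return 1 ;;
            address=\"*\"|ipset=\"*\"|name=\"*\"|port=\"*\"|protocol=\"*\"|value=\"*\"|to-port=\"*\"|to-addr=\"*\"|prefix=\"*\"|level=\"*\"|limit=\"*\"|set=\"*\"|type=\"*\"|priority=\"*\"|invert=\"true\") ;;
            *=*) echo "error: unknown attribute (typo?): $tok" >&2; return 1 ;;
            *)
                found=0
                for k in $KEYWORDS; do [ "$tok" = "$k" ] && found=1; done
                [ "$found" = 1 ] || { echo "error: unknown keyword: $tok" >&2; return 1; }
                ;;
        esac
    done
    return 0
}

add_rich_rule() {
    # $1 = zone, $2 = rule. Refuses invalid text; otherwise adds it to the
    # permanent configuration and reloads so that it becomes active.
    check_rich_rule "$2" || return 1
    $FIREWALL_CMD --permanent --zone="$1" --add-rich-rule="$2" &&
        $FIREWALL_CMD --reload
}

# Demo: Andrei's reject-by-MAC rule for both families. The reject would also
# cover IPv4 ICMP from the router, so an accept for it goes first: a negative
# priority sorts ahead of the default-priority reject (firewalld.richlanguage(5),
# firewalld 0.7 or newer assumed).
demo() {
    add_rich_rule public "rule family=\"ipv4\" priority=\"-1\" source mac=\"$ROUTER_MAC\" protocol value=\"icmp\" accept"
    add_rich_rule public "rule family=\"ipv4\" source mac=\"$ROUTER_MAC\" reject"
    add_rich_rule public "rule family=\"ipv6\" source mac=\"$ROUTER_MAC\" reject"
}
demo
```

Set FIREWALL_CMD=firewall-cmd in the environment to apply the rules for real instead of echoing them.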
On 4/23/23 07:01, Andrei Borzenkov wrote:
You use rich rules.
firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
This will reject any new packet coming from router. It will do it before accepting SSH on port 22.
This will still allow IPv6 RA from your router. It will block ICMPv4 so you may consider explicitly allowing it.
Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Which IPv6 ports do you allow? My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out, so why bother when IPv4 works fine. Regards, Lew
On 24.04.2023 05:24, Lew Wolfgang wrote:
On 4/23/23 07:01, Andrei Borzenkov wrote:
You use rich rules.
firewall-cmd --permanent --zone=public --add-rich-rule='rule source mac="AA:BB:CC:DD:EE:FF" reject'
This will reject any new packet coming from router. It will do it before accepting SSH on port 22.
This will still allow IPv6 RA from your router. It will block ICMPv4 so you may consider explicitly allowing it.
Personally I simply do not use IPv6 on the LAN (what's the point if I have IPv4 anyway) and block it except for a couple of ports.
Which IPv6 ports do you allow?
I hoped to get better torrent connectivity (incoming connections) but I do not see much IPv6 torrent traffic. Other than that I do not have any services that need access from outside.
Lew Wolfgang wrote:
My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
Let's say you are given 2001:db8:11:22
As you complete isolation, I presume physical networks, on your router with the four nics:
nic0 = 2001:db8:11:22::/64
nic1 = 2001:db8:11:22:a::/80
nic2 = 2001:db8:11:22:b::/80
nic3 = 2001:db8:11:22:c::/80
For instance, on my own network (at home), I use
2001:db8:4c68:1:ff99::/112 - known wifi clients
2001:db8:4c68:1:ff99:ffff::/112 - guest/unknown wifi clients
(not physical, just separate vlans).
-- Per Jessen, Zürich (12.0°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Mon, Apr 24, 2023 at 10:03 AM Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
/64 prefix is ingrained deeply in all IPv6 protocols, anything else will make normal autoconfiguration using RA (SLAAC) impossible. So, you will need to use manual configuration or DHCPv6 to assign addresses. Something to keep in mind.
Andrei Borzenkov wrote:
On Mon, Apr 24, 2023 at 10:03 AM Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
/64 prefix is ingrained deeply in all IPv6 protocols, anything else will make normal autoconfiguration using RA (SLAAC) impossible. So, you will need to use manual configuration or DHCPv6 to assign addresses. Something to keep in mind.
+1 - it is too easy to forget those things we did long ago and now take for granted. -- Per Jessen, Zürich (12.7°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-24 03:03, Per Jessen wrote:
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
That's a bad idea for LANs. It'll break stuff like SLAAC. LANs are supposed to have a 64 bit suffix. You can subnet for things like point to point links, where a /127 can be used.
On 4/24/23 00:03, Per Jessen wrote:
Lew Wolfgang wrote:
My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
Let's say you are given 2001:db8:11:22
As you complete isolation, I presume physical networks, on your router with the four nics:
nic0 = 2001:db8:11:22::/64
nic1 = 2001:db8:11:22:a::/80
nic2 = 2001:db8:11:22:b::/80
nic3 = 2001:db8:11:22:c::/80
For instance, on my own network (at home), I use
2001:db8:4c68:1:ff99::/112 - known wifi clients
2001:db8:4c68:1:ff99:ffff::/112 - guest/unknown wifi clients
(not physical, just separate vlans).
Yes, I tried all of that Per. I just couldn't get it working with the Zyxel router that I had at the time. I remember documenting my saga on the OT list. It was one of those problems that had too many variables, so I just abandoned the effort. I don't see any clear reason to attack it again, except maybe for the challenge. IIRC dhcpv6 was part of the issue, not sure. Maybe James Knott can get me motivated again? Regards, Lew
Lew Wolfgang wrote:
On 4/24/23 00:03, Per Jessen wrote:
Lew Wolfgang wrote:
My Zyxel router has one check box to enable/disable IPv6, I've seen no reason to enable it myself. I played around with it a couple of years ago but could only get a /64 address from my ISP. I wanted at least a 62 because I use three subnets and I want them completely isolated except for a router management port. Maybe it can be done with a /64 but I couldn't figure it out
You do it exactly as you would with IPv4 - classless subnetting. That /64 can be subdivided into virtually whatever you want.
Let's say you are given 2001:db8:11:22
As you complete isolation, I presume physical networks, on your router with the four nics:
nic0 = 2001:db8:11:22::/64
nic1 = 2001:db8:11:22:a::/80
nic2 = 2001:db8:11:22:b::/80
nic3 = 2001:db8:11:22:c::/80
For instance, on my own network (at home), I use
2001:db8:4c68:1:ff99::/112 - known wifi clients
2001:db8:4c68:1:ff99:ffff::/112 - guest/unknown wifi clients
(not physical, just separate vlans).
Yes, I tried all of that Per. I just couldn't get it working with the Zyxel router that I had at the time. I remember documenting my saga on the OT list. It was one of those problems that had too many variables, so I just abandoned the effort.
It might well have been lack of dhcpv6. I forget we have one.
I don't see any clear reason to attack it again, except maybe for the challenge.
That is almost always the best and often the only reason :-) -- Per Jessen, Zürich (11.3°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes