Mailinglist Archive: opensuse-security (228 mails)

< Previous Next >
Re: [suse-security] Enable IPv6 support for SuSEfirewall2
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Thu, 3 Mar 2005 13:24:34 +0100
  • Message-id: <20050303122434.GA32441@xxxxxxx>
Arjen Runsink wrote:
> As far as I know not mentioned elsewhere yet.
> I found this using the linux adagium "use the source".
>
> The SuSEfirewall2 says that IPv6 is not supported in the script and that is
> because connection tracking is not yet in the kernel.
>
> Well, that is not exactly true. The kernel with 9.2 does support it (marked
> experimental). And the script does too!
>
> How to get it working.. easy:
>
> in /etc/sysconfig/SuSEfirewall2 set:
>
> FW_IPv6="yes"
>
> or to anything else then "no", "drop" or "reject"

SuSEfirwewall2 is supposed to automatically detect whether IPv6
support is available if FW_IPv6 is empty (which is the default).
Does that not work for you? Did you maybe update from some older
version and therefore have old comments in
/etc/sysconfig/SuSEfirewall2?

> and
>
> FW_IPv6_REJECT_OUTGOING="no"

This variable only matters if stateful ipv6 filtering is not
supported by the kernel/ip6tables.

> This works if you have native IPv6 _and_ IPv4 on the same
> device(s) (internal and or from isp)
> If you have an IPv6 over IPv4 tunnel you need to do the
> following extra items. This is necessary because the script
> logic cannot handle device detection/verification for pure
> IPv6 devices yet. So also change the following:

You can find SuSEfirewall2 beta versions in people/lnussel on the
ftp server btw. I changed the way interfaces are detected so v6-only
interfaces should work as well now. Feedback welcome.

cu
Ludwig

--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/

< Previous Next >
Follow Ups
References