Mailinglist Archive: opensuse-security (228 mails)

Enable IPv6 support for SuSEfirewall2
  • From: Arjen Runsink <arjen@xxxxxxxxxxx>
  • Date: Wed, 2 Mar 2005 23:20:48 +0100
  • Message-id: <200503022320.48453.arjen@xxxxxxxxxxx>
Hi,

As far as I know, this has not been mentioned elsewhere yet.
I found this using the Linux adage "use the source".

The SuSEfirewall2 says that IPv6 is not supported in the script and that is
because connection tracking is not yet in the kernel.

Well, that is not exactly true. The kernel with 9.2 does support it (marked
experimental). And the script does too!

How to get it working.. easy:

in /etc/sysconfig/SuSEfirewall2 set:

FW_IPv6="yes"

or to anything else than "no", "drop" or "reject"
and

FW_IPv6_REJECT_OUTGOING="no"

This works if you have native IPv6 _and_ IPv4 on the same
device(s) (internal and/or from ISP).
If you have an IPv6 over IPv4 tunnel you need to do the
following extra items. This is necessary because the script
logic cannot handle device detection/verification for pure
IPv6 devices yet. So also change the following:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

If that file is not there, you can copy it
from /usr/share/doc/packages/SuSEfirewall2

And in that file add the following lines in the section
fw_custom_before_antispoofing()

ip6tables -A INPUT -j input_ext -i <tunnel device name goes here>
ip6tables -A FORWARD -j forward_ext -i <tunnel device name goes here>

Restart the firewall and that did it for me.
Your comments, remarks, are appreciated.

BB, Arjen
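
Added example, not part of the mail above and not SuSEfirewall2 code: a shell check that reads a sysconfig file and reports whether the settings described in the mail are in place, including both tunnel-device rules inside fw_custom_before_antispoofing(). The helper names, the device name sit1 and the sample files are constructed, and it assumes the hook function starts and ends at column 0.

```shell
#!/bin/sh
# Added example: audit the settings the mail describes, without touching ip6tables.
# Helper names are hypothetical; the sample files in demo() are constructed.

# Value of variable $2 in sysconfig-style file $1, quotes stripped, last one wins.
sysconfig_get() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"; }

# Non-comment lines inside fw_custom_before_antispoofing() of file $1.
hook_body() {
    awk '/^fw_custom_before_antispoofing\(\)/{f=1} f && !/^[ \t]*#/; /^}/{f=0}' "$1"
}

# $1 = sysconfig file, $2 = tunnel device name ("" when IPv6 is native).
audit_fw_ipv6() {
    conf=$1; dev=$2; rc=0
    v6=$(sysconfig_get "$conf" FW_IPv6)
    case "$v6" in
        # Treating an unset value as a finding is this example's assumption.
        ""|no|drop|reject) echo "FAIL FW_IPv6='$v6'"; rc=1 ;;
        *) echo "OK FW_IPv6='$v6'" ;;
    esac
    out=$(sysconfig_get "$conf" FW_IPv6_REJECT_OUTGOING)
    if [ "$out" = no ]; then echo "OK FW_IPv6_REJECT_OUTGOING=no"
    else echo "FAIL FW_IPv6_REJECT_OUTGOING='$out'"; rc=1; fi
    if [ -n "$dev" ]; then
        custom=$(sysconfig_get "$conf" FW_CUSTOMRULES)
        for rule in "INPUT -j input_ext" "FORWARD -j forward_ext"; do
            if [ -r "$custom" ] && hook_body "$custom" |
                grep -q "ip6tables -A $rule -i ${dev}[ ]*\$"; then
                echo "OK ${rule%% *} hooked for $dev"
            else
                echo "FAIL no '${rule%% *}' rule for $dev in '$custom'"; rc=1
            fi
        done
    fi
    return $rc
}

# Constructed demo: tunnel device "sit1" with only the INPUT rule present.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'fw_custom_before_antispoofing() {' \
        '    ip6tables -A INPUT -j input_ext -i sit1' '    true' '}' > "$d/custom"
    printf '%s\n' 'FW_IPv6="yes"' 'FW_IPv6_REJECT_OUTGOING="no"' \
        "FW_CUSTOMRULES=\"$d/custom\"" > "$d/conf"
    status=0; audit_fw_ipv6 "$d/conf" sit1 || status=$?
    rm -rf "$d"; return $status
}
demo || echo "audit reported findings"
```

On a real system the call would be audit_fw_ipv6 /etc/sysconfig/SuSEfirewall2 with the tunnel device name as the second argument.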
