[SLUG] IPv6 using ufw on Debian stable
My hosting provider, Linode, now has IPv6 support as standard, so I thought I'd give it a go. The firewall script I've been using, firehol, seems to be unmaintained and doesn't support it, so I switched to ufw, which I've found to be excellent, but despite supposedly supporting v6, I'm getting no data when it's enabled.

I've enabled it in /etc/default/ufw:

IPV6=yes

Now when I try this with logging set to medium:

ping6 ipv6.google.com

I get this in the logs:

Jun 7 11:56:23 stout kernel: [UFW ALLOW] IN= OUT=eth0 SRC=2600:3c00:::f03c:91ff:fe96:7edf DST=2001:4860:4002:0802::::1012 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=25190 SEQ=1
Jun 7 11:56:23 stout kernel: [UFW AUDIT INVALID] IN=eth0 OUT= MAC=f2:3c:91:96:7e:df:c8:4c:75:f5:c4:ff:86:dd SRC=2001:4860:4002:0802::::1012 DST=2600:3c00:::f03c:91ff:fe96:7edf LEN=104 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25190 SEQ=1
Jun 7 11:56:23 stout kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:96:7e:df:c8:4c:75:f5:c4:ff:86:dd SRC=2001:4860:4002:0802::::1012 DST=2600:3c00:::f03c:91ff:fe96:7edf LEN=104 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25190 SEQ=1

Going there with a browser times out:

lynx http://ipv6.google.com/

However if I disable the firewall, these things all work:

simon@stout:~$ sudo ufw disable
Firewall stopped and disabled on system startup
simon@stout:~$ ping6 ipv6.google.com -c 3
PING ipv6.google.com(2001:4860:4002:802::1012) 56 data bytes
64 bytes from 2001:4860:4002:802::1012: icmp_seq=1 ttl=55 time=0.676 ms
64 bytes from 2001:4860:4002:802::1012: icmp_seq=2 ttl=55 time=0.719 ms
64 bytes from 2001:4860:4002:802::1012: icmp_seq=3 ttl=55 time=0.718 ms

--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.676/0.704/0.719/0.029 ms

Any thoughts on where I look next? The "INVALID" part of the logs just before BLOCK seems ominous, but I don't really know what it means.

-- 
Simon Rumble

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
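The "AUDIT INVALID" line followed by "BLOCK" for the same packet is ufw's conntrack-INVALID log-and-drop path: the echo reply could not be matched to the echo request that had just been allowed out. As an added example (not code from the thread or from ufw), this Python parses the kernel log lines quoted above and flags exactly that pattern, so the symptom can be spotted in a log file instead of guessed at; the addresses are copied verbatim from the post.

```python
import re

# Log lines quoted from the original post, used as sample input.
UFW_LOG = """\
Jun 7 11:56:23 stout kernel: [UFW ALLOW] IN= OUT=eth0 SRC=2600:3c00:::f03c:91ff:fe96:7edf DST=2001:4860:4002:0802::::1012 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=25190 SEQ=1
Jun 7 11:56:23 stout kernel: [UFW AUDIT INVALID] IN=eth0 OUT= MAC=f2:3c:91:96:7e:df:c8:4c:75:f5:c4:ff:86:dd SRC=2001:4860:4002:0802::::1012 DST=2600:3c00:::f03c:91ff:fe96:7edf LEN=104 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25190 SEQ=1
Jun 7 11:56:23 stout kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:96:7e:df:c8:4c:75:f5:c4:ff:86:dd SRC=2001:4860:4002:0802::::1012 DST=2600:3c00:::f03c:91ff:fe96:7edf LEN=104 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25190 SEQ=1
"""

ACTION_RE = re.compile(r"\[UFW ([A-Z ]+)\] (.*)$")


def parse_line(line):
    """Return (action, {field: value}) for one ufw kernel log line, else None.

    Empty fields such as 'IN=' map to an empty string, which is how ufw marks
    a locally generated (outbound) packet."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return m.group(1), fields


def find_untracked_echo_replies(log_text):
    """Return ICMPv6 echo replies (TYPE=129) logged as AUDIT INVALID whose
    matching echo request (TYPE=128, same ID/SEQ, addresses reversed) was
    allowed out earlier in the same log. Each hit is a reply that conntrack
    failed to associate with its request, i.e. IPv6 connection tracking is
    not working on this host. Keys are (local, remote, id, seq)."""
    requests = set()
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, f = parsed
        if f.get("PROTO") != "ICMPv6":
            continue
        if action == "ALLOW" and f.get("TYPE") == "128" and f.get("IN") == "":
            requests.add((f["SRC"], f["DST"], f.get("ID"), f.get("SEQ")))
        elif action == "AUDIT INVALID" and f.get("TYPE") == "129":
            key = (f["DST"], f["SRC"], f.get("ID"), f.get("SEQ"))
            if key in requests:
                findings.append(key)
    return findings
```

If this returns hits while `ufw status` shows outgoing allowed and ICMP is not explicitly denied, the fault is below the rule set, in the kernel's connection tracking, which is where the thread ends up.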
Re: [SLUG] IPv6 using ufw on Debian stable
On Tue, Jun 07, 2011 at 12:03:50PM +1000, Simon Rumble wrote:
> Jun 7 11:56:23 stout kernel: [UFW AUDIT INVALID] IN=eth0 OUT=
> MAC=f2:3c:91:96:7e:df:c8:4c:75:f5:c4:ff:86:dd
> SRC=2001:4860:4002:0802::::1012
> DST=2600:3c00:::f03c:91ff:fe96:7edf LEN=104 TC=0 HOPLIMIT=55
> FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=25190 SEQ=1

I guess it just means the firewall is blocking incoming ipv6 traffic. The firewall allowed your outbound packet through, but not the inbound response.

Nick.
Re: [SLUG] IPv6 using ufw on Debian stable
On 7 June 2011 12:39, Nick Andrew wrote:
> I guess it just means the firewall is blocking incoming ipv6 traffic.
> The firewall allowed your outbound packet through, but not the inbound
> response.

Yeah, that's right. But not how it should work, according to what I've been reading. Here are the rules I have in place, which I should have included in the original email:

simon@stout:~$ sudo ufw status verbose
[sudo] password for simon:
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                                 Action      From
--                                 ------      ----
22/tcp (OpenSSH)                   ALLOW IN    Anywhere
25/tcp (SMTP)                      ALLOW IN    Anywhere
80/tcp (WWW)                       ALLOW IN    Anywhere
25/tcp (Postfix)                   ALLOW IN    Anywhere
587/tcp (Postfix Submission)       ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))              ALLOW IN    Anywhere (v6)
25/tcp (SMTP (v6))                 ALLOW IN    Anywhere (v6)
80/tcp (WWW (v6))                  ALLOW IN    Anywhere (v6)
25/tcp (Postfix (v6))              ALLOW IN    Anywhere (v6)
587/tcp (Postfix Submission (v6))  ALLOW IN    Anywhere (v6)

-- 
Simon Rumble
Re: [SLUG] IPv6 using ufw on Debian stable
On 7 June 2011 12:47, Simon Rumble wrote:
> On 7 June 2011 12:39, Nick Andrew wrote:
>
>> I guess it just means the firewall is blocking incoming ipv6 traffic.
>> The firewall allowed your outbound packet through, but not the inbound
>> response.
>
> Yeah that's right. But not how it should work, according to what I've been
> reading.

You need a rule to allow packages for existing connections in - something like this:

$IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

I'm not sure if you need any special setup to tell the kernel that connections should be tracked for v6 as well. I'm not familiar with ufw, so I'm not sure what it's called there.
Re: [SLUG] IPv6 using ufw on Debian stable
On Tue, Jun 7, 2011 at 1:56 PM, miloska wrote:
> You need a rule to allow packages for existing connections in -
> something like this:
>
> $IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> I'm not sure if you need any special setup to tell to the kernel that
> connections should be tracked for v6 as well.
>
> I'm not familiar with ufw so I'm not sure how it's called there.

I believe the old stable 2.6.18 kernel on Linode doesn't support ipv6 connection tracking. If you're running that kernel, swapping to the new Linode kernel will solve that.
Re: [SLUG] IPv6 using ufw on Debian stable
On Tue, Jun 07, 2011 at 12:47:05PM +1000, Simon Rumble wrote:
> To                                 Action      From
> --                                 ------      ----
> 22/tcp (OpenSSH)                   ALLOW IN    Anywhere
> 25/tcp (SMTP)                      ALLOW IN    Anywhere
> 80/tcp (WWW)                       ALLOW IN    Anywhere
> 25/tcp (Postfix)                   ALLOW IN    Anywhere
> 587/tcp (Postfix Submission)       ALLOW IN    Anywhere
> 22/tcp (OpenSSH (v6))              ALLOW IN    Anywhere (v6)
> 25/tcp (SMTP (v6))                 ALLOW IN    Anywhere (v6)
> 80/tcp (WWW (v6))                  ALLOW IN    Anywhere (v6)
> 25/tcp (Postfix (v6))              ALLOW IN    Anywhere (v6)
> 587/tcp (Postfix Submission (v6))  ALLOW IN    Anywhere (v6)

There's no ICMP6 in that list, which is why your ping responses were blocked.

Nick.

-- 
PGP Key ID = 0x418487E7 http://www.nick-andrew.net/
PGP Key fingerprint = B3ED 6894 8E49 1770 C24A 67E3 6266 6EB9 4184 87E7
Re: [SLUG] IPv6 using ufw on Debian stable
On 7 June 2011 17:12, Nick Andrew wrote:
> There's no ICMP6 in that list, which is why your ping responses were
> blocked.

ufw allows ICMP (4 and 6) by default. The problem was that the Linode kernel (Xen kernels with no module support) didn't have IPv6 connection tracking compiled in. Updated to a more recent kernel and away we go!

So for IPv6 Day, my web server and, get this, gopher server are available via IPv6!

http://rumble.net/
gopher://rumble.net/

-- 
Simon Rumble