Thanks Tom, that clears up all the questions I had.

regards :-)
BruceS

Tom Eastep <[email protected]> writes:

> On 11/10/2013 6:00 PM, Bruce S. Skinner wrote:
>> Gentlepeople,
>> 
>> Shorewall6 starts successfully, but during:
>>  Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
>> 
>> the kernel issues the message: 
>>  xt_addrtype: ipv6 does not support BROADCAST matching
>
> That message is the result of the Shorewall compiler probing your
> ip6tables and kernel to determine what capabilities they support. As
> indicated in the message, the 'addrtype match' capability is not available.
>
>> 
>> Distribution: Debian 7
>> kernel: 3.2.0
>> shorewall6 version: 4.5.5.3
>> shorewall config: /usr/share/doc/shorewall6/examples/two-interfaces
>> 
>> I didn't think there was any such thing as a broadcast address in ipv6,
>> just multicast and anycast addresses.  Can someone shed some light on
>> what this all means?
>
> The Shorewall6 action.Broadcast file is a near clone of the one for ipv4
> and therefore references broadcast.
>
>> 
>> The Broadcast chain looks like this.
>> 
>>  Chain Broadcast (2 references)
>>   pkts bytes target    prot opt in     out     source     destination
>>     0     0  DROP      all      any    any     anywhere   2001:5c0:1505:f900::/128
>>     0     0  DROP      all      any    any     anywhere   2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121
>>     0     0  DROP      all      any    any     anywhere   ff00::/8
>
> Please never use the ip[6]tables command without the -n and the -V
> options. Otherwise, the output is misleading and quite useless.
>
>> 
>> Does this mean that datagrams addressed to:
>>   the subnet router anycast address (2001:5c0:1505:f900::/128),
>>   all other anycast addresses       (2001:5c0:1505:f900:ffff:ffff:ffff:ff80/121),
>>   all multicast addresses           (ff00::/8)
>> will be dropped? or not?
>
> It does if they are sent through the Broadcast chain. That chain is
> jumped to from the Drop and Reject default actions. It prevents:
>
> a) Multicast/anycast packets will not be logged.
> b) Multicast/anycast packets will not be handled using the REJECT target.
>
> -Tom

-- 
“Sixty years ago I knew everything; now I know nothing; education is a
 progressive discovery of our own ignorance.” -- Will Durant

Bruce Skinner
Norstead Farm
1427 Prospect Rd.
Rockland NS
B0P 1V0
CANADA

   Tel: + 1 902 538 1765
Mobile: + 1 902 670 6456
<mailto:[email protected]>
<xmpp:[email protected]>

  -- For "Big Brother" like (i.e. NSA, CSE, GCHQ) automata: 
  Rubin John Kerry kilo class Aldergrove World Trade Center Kennedy wire
  transfer SAPO Ruby Ridge Cohiba Commecen EuroFed spies Merlin GCHQ
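
The three destinations in the Broadcast chain quoted above can be derived from the interface's prefix and used to check which rule a given destination address would hit. This is an added example, not part of the original messages and not Shorewall's code; it assumes the on-link prefix is 2001:5c0:1505:f900::/64 (the thread does not state the prefix length), and the function names are hypothetical.

```python
import ipaddress

# Assumption: the interface prefix is a /64; the thread shows only the derived rules.
ASSUMED_PREFIX = "2001:5c0:1505:f900::/64"


def broadcast_chain_nets(prefix=ASSUMED_PREFIX):
    """Return (label, network) pairs in the order of the quoted chain's DROP rules."""
    net = ipaddress.IPv6Network(prefix)
    # Rule 1: the all-zero interface ID of the subnet, as a single /128.
    router_anycast = ipaddress.IPv6Network((int(net.network_address), 128))
    # Rule 2: the highest 128 addresses of the subnet, i.e. a /121.
    top_block = int(net.broadcast_address) & ~0x7F
    other_anycast = ipaddress.IPv6Network((top_block, 121))
    # Rule 3: every multicast address.
    multicast = ipaddress.IPv6Network("ff00::/8")
    return [
        ("subnet router anycast", router_anycast),
        ("other anycast", other_anycast),
        ("multicast", multicast),
    ]


def classify(dst, prefix=ASSUMED_PREFIX):
    """Return the label of the first rule matching dst, or None if none matches."""
    addr = ipaddress.IPv6Address(dst)
    for label, network in broadcast_chain_nets(prefix):
        if addr in network:
            return label
    return None


if __name__ == "__main__":
    # Constructed sample destinations, not traffic from the thread.
    samples = [
        "2001:5c0:1505:f900::",
        "2001:5c0:1505:f900:ffff:ffff:ffff:fffe",
        "ff02::1",
        "2001:5c0:1505:f900::10",
    ]
    for dst in samples:
        print(f"{dst:42} -> {classify(dst) or 'not matched by Broadcast chain'}")
```
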
