Hi! Actually I think this behaviour is correct. IPv6 is meant to be routed globally by default; that's what was in mind when it was invented. Sure, it would be better to display a warning in the docs.
Most firewalls route traffic of internal interfaces (some kind of trusted zones) while there is one or more untrusted zones (net). Declining routing in stoppedrules should be the better approach. I prefer disabling routing on the host and setting it on using shorewall (currently "Keep" is the default). This way, you can be sure routing only works when the shorewall service _tries_ to start. After this, even when shorewall fails, you are sure traffic will be blocked. Or think of it in a different way: you install shorewall and start the service, and you will be immediately dropped out of the system (or the nodes behind this setup). With IPv6, the firewall should be running on the endpoints anyway. Making it more secure with some kind of connection tracking (RELATED / ESTABLISHED) is optional.

Just my 2 cents

Kevin

On Sat, 24 Nov 2018 at 22:17, Timo Sigurdsson wrote:
>
> Hi again,
>
> so, lately I started looking at the less crucial or obvious parts of my
> shorewall configuration that was originally based on the three-interface
> example configuration. I haven't touched my stoppedrules for a while and
> came to question whether they are still any good for my current setup.
>
> What struck me in particular were the rules that accepted traffic from
> any source to the local interfaces (which are used for the local zone
> and dmz zone in the example):
> ACCEPT eth1 -
> -> ACCEPT - eth1 <-
> ACCEPT eth2 -
> -> ACCEPT - eth2 <-
>
> In the stopped state of my firewall, I would certainly not want to
> forward any traffic from my external interface to my local ones. Now,
> in case of IPv4, where most people will use masquerading, that won't be
> an issue because there are no NAT rules. But with IPv6 and global
> addressing that would mean any traffic could reach the internal
> networks if there are valid routes for these addresses.
>
> I actually tested that and hooked up a computer to an interface not
> listed in the stoppedrules and stopped the firewall. I could reach
> other clients connected to the local interfaces mentioned in
> stoppedrules. Is that behavior really intended?
>
> If I'm not completely missing something here, I think there should be a
> warning about this in the stoppedrules examples for people with a
> dual-stack configuration.
>
> Best regards,
>
> Timo
>
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
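As an added example (not from this thread and not Shorewall project code), the small POSIX shell audit below parses a stoppedrules file in the ACTION/SOURCE/DEST layout quoted above, lists the ACCEPT entries that leave one side open ("-" in SOURCE or DEST), and reports the kernel IPv6 forwarding state, which is what decides whether those entries also forward traffic while the firewall is stopped. The rules file, the forwarding value and the function names are constructed for the example; on a live host the forwarding value lives in /proc/sys/net/ipv6/conf/all/forwarding.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Columns in a Shorewall stoppedrules file: ACTION SOURCE DEST PROTO DPORT SPORT

# Print every ACCEPT rule whose SOURCE or DEST is "-" (one side open).
audit_stoppedrules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        /^[?]/ { next }                 # skip ?FORMAT / ?SECTION directives
        $1 == "ACCEPT" && ($2 == "-" || $3 == "-") {
            printf "open: %s\n", $0
        }' "$1"
}

# Number of open entries, for a pass/fail decision by the caller.
count_open_rules() {
    audit_stoppedrules "$1" | wc -l | tr -d ' '
}

# True (exit 0) when the forwarding value in the given file is 1.
# The path is a parameter so the check can run against a saved copy.
ipv6_forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Constructed sample in the layout of the three-interface example.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
#ACTION   SOURCE   DEST
ACCEPT    eth1     -
ACCEPT    -        eth1
ACCEPT    eth2     -
ACCEPT    -        eth2
ACCEPT    eth1     eth2
EOF

# Constructed sysctl value standing in for a host where forwarding was left on.
SAMPLE_FWD=$(mktemp)
printf '1\n' > "$SAMPLE_FWD"
trap 'rm -f "$SAMPLE_RULES" "$SAMPLE_FWD"' EXIT

audit_stoppedrules "$SAMPLE_RULES"
if ipv6_forwarding_enabled "$SAMPLE_FWD"; then
    echo "IPv6 forwarding is on: the open entries above apply while the firewall is stopped"
fi
```

With IP_FORWARDING set to On in shorewall6.conf and the sysctl left at 0 at boot, the same check reports forwarding off until Shorewall has actually started, which is the arrangement Kevin describes.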
