I'm still plugging along on my 1st shorewall install, now trying to get IPv6
setup.
My config is still pretty simplistic, working first on just PING6
My shorewall6-lite config has
/interfaces
net EXTIF
physical=enp5s0,tcpflags,forward=1,accept_ra=1,nosmurfs
- INTIF physical=enp4s0,tcpflags,forward=1,accept_ra=1
/zones
fw firewall
net ipv6
lan ipv6
/policy
$FW $FW ACCEPT err
$FW all+ ACCEPT err
lan net ACCEPT err
net all DROP debug
all all REJECT debug
/rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
Ping(ACCEPT) all all
On the server
ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
qlen 1000
inet6 fe80::e175:83e4:7fc1:b190/64 scope link
valid_lft forever preferred_lft forever
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
qlen 1000
inet6 fe80::e175:83e4:7fc1:b191/64 scope link
valid_lft forever preferred_lft forever
systemctl status shorewall6-lite -ln0
● shorewall6-lite.service - Shorewall IPv6 firewall (lite)
Loaded: loaded
(/usr/lib/systemd/system/shorewall6-lite.service; enabled; vendor preset:
disabled)
Active: active (exited) since Tue 2021-05-18 11:06:43
EDT; 11s ago
Process: 37445 ExecStart=/usr/sbin/shorewall -6l
$OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 37445 (code=exited, status=0/SUCCESS)
CPU: 1.977s
I can't even ping to itself
ping6 fe80::e175:83e4:7fc1:b190
PING fe80::e175:83e4:7fc1:b190(fe80::e175:83e4:7fc1:b190) 56
data bytes
(just sits there)
ping6 fe80::e175:83e4:7fc1:b191
PING fe80::e175:83e4:7fc1:b191(fe80::e175:83e4:7fc1:b191) 56
data bytes
(just sits there)
That's with
shorewall6-lite show
1 Shorewall6 Lite 5.2.8 filter Table at thad.local - Tue May 18
11:08:33 AM EDT 2021
2
3 Counters reset Tue May 18 11:06:43 AM EDT 2021
4
5 Chain INPUT (policy DROP 0 packets, 0 bytes)
6 pkts bytes target prot opt in out source
destination
7 2 128 net-fw all enp5s0 * ::/0
::/0
8 0 0 ACCEPT all lo * ::/0
::/0
9 18 1808 AllowICMPs icmpv6 * * ::/0
::/0
10 0 0 Broadcast all * * ::/0
::/0
11 0 0 DROP all * * ::/0
ff00::/8
12 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 12 mode srcip LOG
flags 0 level 7 prefix "INPUT:REJECT "
13 0 0 reject all * * ::/0
::/0 [goto]
14
15 Chain FORWARD (policy DROP 0 packets, 0 bytes)
16 pkts bytes target prot opt in out source
destination
17 0 0 net_frwd all enp5s0 * ::/0
::/0
18 15 1200 INTIF_fwd all enp4s0 * ::/0
::/0
19 0 0 AllowICMPs icmpv6 * * ::/0
::/0
20 15 1200 Broadcast all * * ::/0
::/0
21 0 0 DROP all * * ::/0
ff00::/8
22 9 720 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 22 mode srcip LOG
flags 0 level 7 prefix "FORWARD:REJECT "
23 15 1200 reject all * * ::/0
::/0 [goto]
24
25 Chain OUTPUT (policy DROP 0 packets, 0 bytes)
26 pkts bytes target prot opt in out source
destination
27 0 0 ACCEPT all * * ::/0
::/0 ctstate ESTABLISHED
28 24 2561 fw-net all * enp5s0 ::/0
::/0
29 0 0 fw-fw all * lo ::/0
::/0
30 18 1800 AllowICMPs icmpv6 * * ::/0
::/0
31 0 0 Broadcast all * * ::/0
::/0
32 0 0 DROP all * * ::/0
ff00::/8
33 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 33 mode srcip LOG
flags 0 level 7 prefix "OUTPUT:REJECT "
34 0 0 reject all * * ::/0
::/0 [goto]
35
36 Chain +fw-fw (2 references)
37 pkts bytes target prot opt in out source
destination
38 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 38 mode srcip LOG
flags 0 level 3 prefix "+fw:ACCEPT "
39 0 0 ACCEPT all * * ::/0
::/0
40
41 Chain +net-fw (1 references)
42 pkts bytes target prot opt in out source
destination
43 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 43 mode srcip LOG
flags 0 level 3 prefix "+net:ACCEPT "
44 0 0 ACCEPT all * * ::/0
::/0
45
46 Chain AllowICMPs (4 references)
47 pkts bytes target prot opt in out source
destination
48 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 1 /* Needed 48 ICMP types
(RFC4890) */
49 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 2 /* Needed 49 ICMP types
(RFC4890) */
50 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 3 /* Needed 50 ICMP types
(RFC4890) */
51 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 4 /* Needed 51 ICMP types
(RFC4890) */
52 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 133 /* Neede 52 d ICMP types
(RFC4890) */
53 32 3328 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 134 /* Neede 53 d ICMP types
(RFC4890) */
54 2 144 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 135 /* Neede 54 d ICMP types
(RFC4890) */
55 4 264 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 136 /* Neede 55 d ICMP types
(RFC4890) */
56 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 137 /* Neede 56 d ICMP types
(RFC4890) */
57 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 141 /* Neede 57 d ICMP types
(RFC4890) */
58 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 142 /* Neede 58 d ICMP types
(RFC4890) */
59 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 130 /* Neede 59 d ICMP types
(RFC4890) */
60 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 131 /* Neede 60 d ICMP types
(RFC4890) */
61 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 132 /* Neede 61 d ICMP types
(RFC4890) */
62 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 143 /* Neede 62 d ICMP types
(RFC4890) */
63 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 148 /* Neede 63 d ICMP types
(RFC4890) */
64 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 149 /* Neede 64 d ICMP types
(RFC4890) */
65 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 151 /* Neede 65 d ICMP types
(RFC4890) */
66 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 152 /* Neede 66 d ICMP types
(RFC4890) */
67 0 0 ACCEPT icmpv6 * * fe80::/10
::/0 ipv6-icmptype 153 /* Neede 67 d ICMP types
(RFC4890) */
68
69 Chain Broadcast (4 references)
70 pkts bytes target prot opt in out source
destination
71
72 Chain INTIF_fwd (1 references)
73 pkts bytes target prot opt in out source
destination
74 0 0 sfilter all * enp4s0 ::/0
::/0 [goto]
75 0 0 DROP all * * ::/0
::/0 ctstate INVALID,NEW,UNTRACK 75 ED match-set
SW_DBL6 src
76 0 0 ACCEPT all * * ::/0
::/0 ctstate ESTABLISHED
77 15 1200 tcpflags tcp * * ::/0
::/0
78
79 Chain fw-fw (1 references)
80 pkts bytes target prot opt in out source
destination
81 0 0 +fw-fw all * * ::/0
::/0 ctstate RELATED
82 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 82 mode srcip LOG
flags 0 level 3 prefix "fw:ACCEPT "
83 0 0 ACCEPT all * * ::/0
::/0
84
85 Chain fw-net (1 references)
86 pkts bytes target prot opt in out source
destination
87 0 0 +fw-fw all * * ::/0
::/0 ctstate RELATED
88 22 2417 ACCEPT udp * * ::/0
::/0 udp dpt:53 /* DNS */
89 0 0 ACCEPT tcp * * ::/0
::/0 tcp dpt:53 /* DNS */
90 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 128 /* Ping 90 */
91 2 144 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 91 mode srcip LOG
flags 0 level 3 prefix "fw:ACCEPT "
92 2 144 ACCEPT all * * ::/0
::/0
93
94 Chain logflags (7 references)
95 pkts bytes target prot opt in out source
destination
96 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 96 mode srcip LOG
flags 4 level 3 prefix "logflags:DROP "
97 0 0 DROP all * * ::/0
::/0
98
99 Chain net-fw (1 references)
100 pkts bytes target prot opt in out source
destination
101 0 0 DROP all * * ::/0
::/0 ctstate INVALID,NEW,UNTRACK 101 ED match-set SW_DBL6 src
102 0 0 ACCEPT all * * ::/0
::/0 ctstate ESTABLISHED
103 2 128 smurfs all * * ::/0
::/0 ctstate INVALID,NEW,UNTRACK 103 ED
104 0 0 tcpflags tcp * * ::/0
::/0
105 0 0 +net-fw all * * ::/0
::/0 ctstate RELATED
106 0 0 ACCEPT icmpv6 * * ::/0
::/0 ipv6-icmptype 128 /* Ping 106 */
107 2 128 AllowICMPs icmpv6 * * ::/0
::/0
108 0 0 Broadcast all * * ::/0
::/0
109 0 0 DROP all * * ::/0
ff00::/8
110 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 110 mode srcip LOG flags 0
level 7 prefix "net:DROP "
111 0 0 DROP all * * ::/0
::/0
112
113 Chain net_frwd (1 references)
114 pkts bytes target prot opt in out source
destination
115 0 0 sfilter all * enp5s0 ::/0
::/0 [goto]
116 0 0 DROP all * * ::/0
::/0 ctstate INVALID,NEW,UNTRACK 116 ED match-set SW_DBL6 src
117 0 0 ACCEPT all * * ::/0
::/0 ctstate ESTABLISHED
118 0 0 smurfs all * * ::/0
::/0 ctstate INVALID,NEW,UNTRACK 118 ED
119 0 0 tcpflags tcp * * ::/0
::/0
120
121 Chain reject (3 references)
122 pkts bytes target prot opt in out source
destination
123 0 0 DROP all * * ff00::/8
::/0
124 0 0 DROP 2 * * ::/0
::/0
125 15 1200 REJECT tcp * * ::/0
::/0 reject-with tcp-reset
126 0 0 REJECT udp * * ::/0
::/0 reject-with icmp6-port-unre 126 achable
127 0 0 REJECT icmpv6 * * ::/0
::/0 reject-with icmp6-addr-unr 127 eachable
128 0 0 REJECT all * * ::/0
::/0 reject-with icmp6-adm-prohi 128 bited
129
130 Chain sfilter (2 references)
131 pkts bytes target prot opt in out source
destination
132 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 132 mode srcip LOG flags 0
level 3 prefix "sfilter:DROP "
133 0 0 DROP all * * ::/0
::/0
134
135 Chain sha-lh-df6b6641257157224ef0 (0 references)
136 pkts bytes target prot opt in out source
destination
137
138 Chain sha-rh-d6b77076c61861d4f974 (0 references)
139 pkts bytes target prot opt in out source
destination
140
141 Chain shorewall (0 references)
142 pkts bytes target prot opt in out source
destination
143 0 0 all * * ::/0
::/0 recent: SET name: %CURRENTT 143 IME side: source mask:
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
144
145 Chain smurflog (1 references)
146 pkts bytes target prot opt in out source
destination
147 0 0 LOG all * * ::/0
::/0 limit: up to 5/min burst 5 147 mode srcip LOG flags 0
level 3 prefix "smurfs:DROP "
148 0 0 DROP all * * ::/0
::/0
149
150 Chain smurfs (2 references)
151 pkts bytes target prot opt in out source
destination
152 0 0 smurflog all * * ff00::/8
::/0 [goto]
153
154 Chain tcpflags (3 references)
155 pkts bytes target prot opt in out source
destination
156 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x3F/0x29
157 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x3F/0x00
158 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x06/0x06
159 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x05/0x05
160 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x03/0x03
161 0 0 logflags tcp * * ::/0
::/0 [goto] tcp flags:0x19/0x09
162 0 0 logflags tcp * * ::/0
::/0 [goto] tcp spt:0 flags:0x17 162 /0x02
If I clear the firewall, so,
ip6tables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain +fw-fw (0 references)
target prot opt source destination
Chain +net-fw (0 references)
target prot opt source destination
Chain AllowICMPs (0 references)
target prot opt source destination
Chain Broadcast (0 references)
target prot opt source destination
Chain INTIF_fwd (0 references)
target prot opt source destination
Chain fw-fw (0 references)
target prot opt source destination
Chain fw-net (0 references)
target prot opt source destination
Chain logflags (0 references)
target prot opt source destination
Chain net-fw (0 references)
target prot opt source destination
Chain net_frwd (0 references)
target prot opt source destination
Chain reject (0 references)
target prot opt source destination
Chain sfilter (0 references)
target prot opt source destination
Chain sha-lh-df6b6641257157224ef0 (0 references)
target prot opt source destination
Chain sha-rh-d6b77076c61861d4f974 (0 references)
target prot opt source destination
Chain shorewall (0 references)
target prot opt source destination
Chain smurflog (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
Chain tcpflags (0 references)
target prot opt source destination
Same thing, NO ping.
And even with the 'debug' loglevel I don't see and related DROPs or REJECTs
when I ping/fail.
So as usual I guess I'm missing something.
Any helpful pointers?
Thanks!
Thad
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
