Wednesday, November 11, 2009

iptables bug with neighborhood discovery?

dear debian admins,

Because I don't know which is the better list, I sent this mail to both the
firewall and the ipv6 mailing list - I hope this is OK.

I have administered a Debian firewall for 2 years without problems. This
week we wanted to activate IPv6 in testing mode. Our firewall scripts are
generated with fwbuilder. After I activated IPv6 on our firewall, I
ran into some trouble. The first problem was that radvd wasn't able to send
advertisement multicasts (radvd log: operation not permitted). First I
ignored this problem and tested ping6 between the hosts and the
firewall with the FE80:: addresses. This wasn't working either. After 2
days of debugging and searching for the error, I found out the following:

fwbuilder generates these rules at the top of the FW script when the
option 'Drop packets that are not associated with any known connection'
is active:

# drop packets that do not match any valid state
#
$IP6TABLES -N drop_invalid
$IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid
$IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid
$IP6TABLES -A FORWARD -m state --state INVALID -j drop_invalid
$IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "REGEL -1 -- DENY "
$IP6TABLES -A drop_invalid -j DROP

The only rules above these rules are:

$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

When I did a ping (firewall to another host), the firewall log showed
the following entries:

Nov 12 08:29:01 mistral kernel: [38947.431937] REGEL 0 -- ACCEPT IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=fe80:0000:0000:0000:f181:4bb8:4d49:ba03 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=34886 SEQ=1
Nov 12 08:29:01 mistral kernel: [38947.431947] REGEL -1 -- DENY IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=ff02:0000:0000:0000:0000:0001:ff49:ba03 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

First: the outgoing ping is permitted.
Second: the neighbor discovery request is rejected by the "state
invalid" rule.
I don't understand how an ND request can be marked as invalid?

When I don't insert these firewall rules:
$IP6TABLES -N drop_invalid
$IP6TABLES -A OUTPUT -m state --state INVALID -j drop_invalid
$IP6TABLES -A INPUT -m state --state INVALID -j drop_invalid
$IP6TABLES -A FORWARD -m state --state INVALID -j drop_invalid
$IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "REGEL -1 -- DENY "
$IP6TABLES -A drop_invalid -j DROP

everything works fine - but I think a standard firewall should be running
with these rules enabled.

Is there any mistake I could have made, or did I misunderstand something?

I have this problem on a Debian 5.0.3 system with the latest available
kernel:
Linux version 2.6.26-2-686 (Debian 2.6.26-19lenny2) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Wed Nov 4 20:45:37 UTC 2009

Thanks for your help!!

alram

--

Alram Lechner
Vogelfängerweg 48
4030 Linz
Österreich
m: +43 650 2800 250
f: +49 1805 4002 - 215410
e: alram.lechner@gmx.at
sms: alramsms@gmx.at


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
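The log entries in the mail show the pattern a defender wants to catch: an ICMPv6 type 135 (neighbor solicitation) to the solicited-node multicast address hitting the DENY prefix of the INVALID drop chain. Neighbor Discovery messages are not part of a tracked flow the way an echo request is, so the state match can report them as INVALID, and any ACCEPT rule for them has to sit in front of the `drop_invalid` jumps. The script below is an added example, not code from the mail or from fwbuilder: it parses ip6tables LOG lines of the format shown above, reports every Neighbor Discovery message (ICMPv6 types 133 to 137) that was denied, and emits the ip6tables commands that would accept those types ahead of the INVALID drop. The sample log is constructed (the first two lines are the mail's entries re-joined onto one line each; the other two are made up). The `-I` insert, the numeric `--icmpv6-type` values and the `-m hl --hl-eq 255` match are the example's own choices; the hop-limit match is an assumption about what you would want, since valid ND messages must carry hop limit 255.

```python
import re

# ICMPv6 message types that make up Neighbor Discovery (RFC 4861).
ND_TYPES = {
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
    137: "redirect",
}

# Constructed sample log in the ip6tables LOG format. The first two lines are the
# mail's own entries joined back onto one line each; the other two are made up
# (an inbound neighbor advertisement and an unrelated TCP RST) so the detector
# has something to ignore as well as something to flag.
SAMPLE_LOG = """\
Nov 12 08:29:01 mistral kernel: [38947.431937] REGEL 0 -- ACCEPT IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=fe80:0000:0000:0000:f181:4bb8:4d49:ba03 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=34886 SEQ=1
Nov 12 08:29:01 mistral kernel: [38947.431947] REGEL -1 -- DENY IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=ff02:0000:0000:0000:0000:0001:ff49:ba03 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Nov 12 08:29:02 mistral kernel: [38947.531947] REGEL -1 -- DENY IN=eth1 OUT= SRC=fe80:0000:0000:0000:f181:4bb8:4d49:ba03 DST=fe80:0000:0000:0000:0215:17ff:fe4f:6137 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=136 CODE=0
Nov 12 08:29:05 mistral kernel: [38950.000000] REGEL -1 -- DENY IN=eth1 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=4444 DPT=22 WINDOW=0 RES=0x00 ACK RST URG=0
"""

# "<syslog header> kernel: [<uptime>] <log-prefix> IN=... OUT=... KEY=VALUE ..."
LINE_RE = re.compile(r"kernel: \[[^\]]*\] (?P<prefix>.*?) (?P<kv>IN=.*)$")


def parse_log_line(line):
    """Split one ip6tables LOG line into its --log-prefix text and a dict of fields.

    Returns None for lines that are not netfilter LOG output. Bare flags such as
    the TCP 'ACK' / 'RST' tokens are kept with an empty value.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else ""
    return {"prefix": m.group("prefix").strip(), "fields": fields}


def find_denied_nd(log_text):
    """Return one record per Neighbor Discovery message that hit a DENY rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or "DENY" not in rec["prefix"]:
            continue
        f = rec["fields"]
        if f.get("PROTO") != "ICMPv6":
            continue
        itype = int(f.get("TYPE", -1))
        if itype not in ND_TYPES:
            continue
        # OUT= is empty for packets arriving on the box, set for packets it sends.
        direction = "outbound" if f.get("OUT") else "inbound"
        hits.append({"direction": direction, "type": itype,
                     "name": ND_TYPES[itype], "src": f["SRC"], "dst": f["DST"]})
    return hits


def suggested_rules(hits, ip6tables="$IP6TABLES"):
    """Build ip6tables commands that accept each denied ND type.

    '-I' inserts at the head of the chain, so these land in front of the
    '--state INVALID' drops wherever in the script they are executed. ND is
    link-local and never forwarded, so only INPUT and OUTPUT are touched. The
    hop-limit match (assumed hardening, not from the mail) keeps the accept
    narrow: ND messages must carry hop limit 255, so anything else still falls
    through to the existing drop rules.
    """
    chains = {"outbound": "OUTPUT", "inbound": "INPUT"}
    rules = []
    for h in hits:
        rule = (f"{ip6tables} -I {chains[h['direction']]} -p icmpv6 "
                f"--icmpv6-type {h['type']} -m hl --hl-eq 255 -j ACCEPT")
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    denied = find_denied_nd(SAMPLE_LOG)
    for h in denied:
        print(f"{h['direction']:8} {h['name']:22} {h['src']} -> {h['dst']}")
    print("\nrules to run before the drop_invalid section:")
    for rule in suggested_rules(denied):
        print(rule)
```

Run against a real `/var/log/kern.log` the script only needs the wrapped lines joined first; the mail's own entries were split by the mailer, not by the kernel. If you would rather not depend on the state of any one log, the same reasoning gives a static fix: put accept rules for ICMPv6 types 133 to 137 (with `--hl-eq 255`) on INPUT and OUTPUT before the `drop_invalid` jumps, and keep the INVALID drop for everything else.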
