With IPv6, you just allow the specific ports destined to the specific local machine(s) in on your WAN side; they don't need translating. Same sort of rule as if you had an internet-facing service running on the routing system.

On Tue, May 26, 2020 at 11:55 AM Kenneth Porter <shiva at sewingwitch.com> wrote:
> I finally got an ISP connection with working IPv6 and now I need to add
> firewall rules for forwarding connections from my LAN to the WAN. I'm using
> firewalld to handle the high-level description that gets translated to
> iptables/ip6tables on CentOS 7.
>
> Of course, with IPv6, one doesn't do NAT, so the usual masquerade target
> doesn't make sense. But I want similar connection logic, with no inbound
> connections allowed to LAN clients and all outbound connections allowed.
> How does one express this in either firewalld or its ip6tables "direct
> rules"?
>
> I don't currently need port-forwarding to internal servers but, for
> completeness, what would such rules look like?
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
-john r pierce
  recycling used bits in santa cruz
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
Yes, outbound UDP through the NAT layer adds an entry to the tracking table, which expires after some time. This sorta explains it...

https://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html

On Tue, May 26, 2020 at 12:59 PM Kenneth Porter <shiva at sewingwitch.com> wrote:
> I figure that TCP is easy: Add a rule to the forward chain to allow SYN
> packets. There's already connection tracking to handle established
> connections. Does connection tracking handle UDP? If I allow all UDP
> from the LAN interface and one sends a DNS query from LAN to WAN, will
> the reply get back? I don't want to blanket authorize all UDP. ICMPv6,
> maybe, to allow traceroutes. Unless that's also handled by the tracking
> system.

-- 
-john r pierce
  recycling used bits in santa cruz
Once upon a time, Kenneth Porter <shiva at sewingwitch.com> said:
> I figure that TCP is easy: Add a rule to the forward chain to allow
> SYN packets. There's already connection tracking to handle
> established connections. Does connection tracking handle UDP? If I
> allow all UDP from the LAN interface and one sends a DNS query from
> LAN to WAN, will the reply get back? I don't want to blanket
> authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless
> that's also handled by the tracking system.

Anything that's already working through IPv4 NAT should work just fine through IPv6 with connection tracking. IPv4 NAT is a stateful, connection tracking, packet mangling firewall. With IPv6, you can just do the same thing without the packet mangling misfeatures of NAT, with just connection tracking.

But don't go blocking ICMP - doing that in IPv4 already can break things, and it can break even more things in IPv6.

-- 
Chris Adams <linux at cmadams.net>
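The FORWARD rule set the replies above converge on (conntrack-based return traffic, all new connections LAN to WAN, ICMPv6 left alone, and a "port forward" that is just a permit rule because nothing is translated), as an added example that is not part of any post in the thread. It only emits the ip6tables commands as text so they can be reviewed first; the interface names eth0 (WAN) and eth1 (LAN), the 2001:db8:1::/64 LAN prefix, the server address 2001:db8:1::10, and the two function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: prints the ip6tables FORWARD rules
# described in the replies, so they can be reviewed before being applied.
# Hypothetical assumptions: WAN interface eth0, LAN interface eth1, LAN
# prefix 2001:db8:1::/64 (documentation range) and one internal HTTPS
# server at 2001:db8:1::10. To apply as root:
#   sh this.sh eth0 eth1 2001:db8:1::/64 2001:db8:1::10 | sh

# gen_ipv6_forward_rules WAN LAN LAN_PREFIX SERVER_ADDR
gen_ipv6_forward_rules() {
    wan="$1"; lan="$2"; lan_net="$3"; srv="$4"
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
# Replies to anything the LAN opened (TCP, UDP and ICMPv6 alike) match the
# conntrack entry the outbound packet created, so no per-protocol reply rule
# is needed; a UDP entry simply times out if no reply ever arrives.
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Do not filter ICMPv6 here: path MTU discovery and neighbour discovery rely on it.
ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
# New connections from the LAN prefix out to the WAN.
ip6tables -A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# "Port forward" without NAT: admit new TCP/443 to the server's global address.
ip6tables -A FORWARD -i $wan -o $lan -d $srv -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else, including new inbound connections to LAN clients, hits the DROP policy.
EOF
}

# How many generated rules admit NEW traffic arriving on the WAN interface?
# Lets a reviewer confirm that only the intended host/port is exposed.
count_wan_inbound_rules() {
    gen_ipv6_forward_rules "$@" | grep -c -- "-i $1 .*--ctstate NEW -j ACCEPT"
}

if [ "$#" -eq 4 ]; then
    gen_ipv6_forward_rules "$@"
fi
```

With firewalld on CentOS 7, each `ip6tables -A FORWARD ...` line above maps to a direct rule of the form `firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD <priority> <same arguments>`, with lower priority numbers evaluated first; the chain policy lines are then firewalld's to manage rather than the script's.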