I notice that ICMPv6 was not working automatically with a fairly basic
install of shorewall6

In the output of shorewall6 restart I see this:

    Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...

None of the examples I've come across give a clear example of how to
enable ICMPv6

Is ICMPv6 supposed to "just work", or is it necessary to add some custom
entries to the rules file?

Is there any shortcut to automatically allow the minimum required ICMPv6
support for each flow where it is necessary? E.g. if I open up a port for
a web server, can/should Shorewall automatically add the ICMPv6 rules for
that source/dest tuple? Or is it always necessary for the administrator
to explicitly set up ICMPv6 rules between zones?

On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>
> I notice that ICMPv6 was not working automatically with a fairly basic
> install of shorewall6
>

What does 'not working' mean?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 02/07/13 21:11, Tom Eastep wrote:
> On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>>
>> I notice that ICMPv6 was not working automatically with a fairly basic
>> install of shorewall6
>>
>
>
> What does 'not working' mean?

It means that IPv6 connections were failing and as soon as I manually
added an ICMPv6 rule, the connectivity started working immediately

e.g. I added this to /etc/shorewall6/rules to prove it was an ICMPv6 issue:

    ACCEPT all all icmp

On 07/02/2013 12:37 PM, Daniel Pocock wrote:
>
>
> On 02/07/13 21:11, Tom Eastep wrote:
>> On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>>>
>>> I notice that ICMPv6 was not working automatically with a fairly basic
>>> install of shorewall6
>>>
>>
>>
>> What does 'not working' mean?
>
> It means that IPv6 connections were failing and as soon as I manually
> added an ICMPv6 rule, the connectivity started working immediately
>
> e.g. I added this to /etc/shorewall6/rules to prove it was an ICMPv6 issue:
>
> ACCEPT all all icmp

What ICMPv6 packets were being dropped/rejected?

-Tom

On 02/07/13 21:44, Tom Eastep wrote:
> On 07/02/2013 12:37 PM, Daniel Pocock wrote:
>>
>>
>> On 02/07/13 21:11, Tom Eastep wrote:
>>> On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>>>>
>>>> I notice that ICMPv6 was not working automatically with a fairly basic
>>>> install of shorewall6
>>>>
>>>
>>>
>>> What does 'not working' mean?
>>
>> It means that IPv6 connections were failing and as soon as I manually
>> added an ICMPv6 rule, the connectivity started working immediately
>>
>> e.g. I added this to /etc/shorewall6/rules to prove it was an ICMPv6 issue:
>>
>> ACCEPT all all icmp
>
> What ICMPv6 packets were being dropped/rejected?
>

neighbor solicitation

On Jul 2, 2013, at 1:07 PM, Daniel Pocock <daniel@pocock.com.au> wrote:
>
>
> On 02/07/13 21:44, Tom Eastep wrote:
>> On 07/02/2013 12:37 PM, Daniel Pocock wrote:
>>>
>>>
>>> On 02/07/13 21:11, Tom Eastep wrote:
>>>> On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>>>>>
>>>>> I notice that ICMPv6 was not working automatically with a fairly basic
>>>>> install of shorewall6
>>>>>
>>>>
>>>>
>>>> What does 'not working' mean?
>>>
>>> It means that IPv6 connections were failing and as soon as I manually
>>> added an ICMPv6 rule, the connectivity started working immediately
>>>
>>> e.g. I added this to /etc/shorewall6/rules to prove it was an ICMPv6 issue:
>>>
>>> ACCEPT all all icmp
>>
>> What ICMPv6 packets were being dropped/rejected?
>>
>
> neighbor solicitation

Daniel and I worked this off-list; it turned out to be a stale routing
table entry in one of his hosts. After that was removed, everything
worked as expected.

-Tom

Tom Eastep        \ Nothing is foolproof to a
Shoreline,         \ sufficiently talented fool
Washington, USA     \
http://shorewall.net \________________________________________________

On 02/07/13 23:33, Tom Eastep wrote:
> On Jul 2, 2013, at 1:07 PM, Daniel Pocock <daniel@pocock.com.au> wrote:
>
>>
>> On 02/07/13 21:44, Tom Eastep wrote:
>>> On 07/02/2013 12:37 PM, Daniel Pocock wrote:
>>>>
>>>> On 02/07/13 21:11, Tom Eastep wrote:
>>>>> On 07/02/2013 10:39 AM, Daniel Pocock wrote:
>>>>>> I notice that ICMPv6 was not working automatically with a fairly basic
>>>>>> install of shorewall6
>>>>>>
>>>>>
>>>>> What does 'not working' mean?
>>>> It means that IPv6 connections were failing and as soon as I manually
>>>> added an ICMPv6 rule, the connectivity started working immediately
>>>>
>>>> e.g. I added this to /etc/shorewall6/rules to prove it was an ICMPv6 issue:
>>>>
>>>> ACCEPT all all icmp
>>> What ICMPv6 packets were being dropped/rejected?
>>>
>> neighbor solicitation
> Daniel and I worked this off-list; it turned out to be a stale routing table entry in one of his hosts. After that was removed, everything worked as expected.

Thanks for the help with this - IPv6 has been working smoothly now with
Shorewall6
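
One way to answer the question asked in this thread ("What ICMPv6 packets were being dropped/rejected?") from the firewall log rather than by opening all ICMPv6, as an added example that is not part of the original messages or of Shorewall. It assumes netfilter LOG lines carrying a `Shorewall:<chain>:<disposition>:` prefix; the zone names, addresses and log lines are constructed.

```python
import re
from collections import Counter

# IANA ICMPv6 type numbers and their usual names.
ICMPV6_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
# Error messages and Neighbor Discovery: IPv6 connectivity depends on these.
ESSENTIAL = {1, 2, 3, 4, 133, 134, 135, 136}

# Assumed log layout: "Shorewall:<chain>:<disposition>:" then netfilter fields.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):"
    r".*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?\bPROTO=ICMPv6 TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)

# Constructed sample log lines (documentation and link-local addresses).
SAMPLE_LOG = """\
kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=fe80:0000:0000:0000:0211:22ff:fe33:4455 DST=ff02:0000:0000:0000:0000:0001:ff00:0001 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=fe80:0000:0000:0000:0211:22ff:fe33:4455 DST=ff02:0000:0000:0000:0000:0001:ff00:0002 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=22 SYN
"""

def logged_icmpv6(log_text):
    """Count logged ICMPv6 packets per (chain, disposition, type number)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # non-ICMPv6 lines (e.g. the TCP one) do not match
            counts[(m["chain"], m["disp"], int(m["type"]))] += 1
    return counts

def essential_drops(log_text):
    """Names of essential ICMPv6 types that were logged as DROP or REJECT."""
    hits = {t for (_, disp, t) in logged_icmpv6(log_text)
            if disp in ("DROP", "REJECT") and t in ESSENTIAL}
    return sorted(ICMPV6_TYPES[t] for t in hits)

if __name__ == "__main__":
    for (chain, disp, t), n in sorted(logged_icmpv6(SAMPLE_LOG).items()):
        print(f"{chain:8} {disp:6} {ICMPV6_TYPES.get(t, t)} x{n}")
    print("essential types being blocked:", essential_drops(SAMPLE_LOG))
```

A non-empty result from `essential_drops` points at the rule set; an empty one suggests looking elsewhere, as with the stale routing table entry found here.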