Hi,

I have servers where shorewall6 won't reject nor log:

# cat /etc/shorewall6/zones
fw   firewall
net  ipv6

# cat /etc/shorewall6/interfaces
net  eth1  tcpflags
(I also tried without "tcpflags", but no changes)

# cat /etc/shorewall6/policy
$FW  all  ACCEPT
all  all  REJECT  info

# cat /etc/shorewall6/rules
SECTION NEW
(for testing, I removed all the rules)

I am testing from another location with telnet:

telnet <dns-name> 25

(telnet will try the IPv6 address first; after a timeout it will try the IPv4 address. There shouldn't be any timeout: from the rules and policy file, it should be rejected immediately)

or

ping6 <dns-name>

Here's the output from "shorewall6 dump" (I removed the IP addresses):
https://www.dropbox.com/s/f7a9zox1wngmj1w/shorewall6.dump.txt

My shorewall6.conf:
https://www.dropbox.com/s/74thyaqzlzmdrii/shorewall6.conf

PS: When I change the first policy line to "$FW all ACCEPT info" I'll get some fw2net logging (so logging itself seems to work).

--
Regards,
Igor

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
Update:

# shorewall6 clear (to reset ip6tables)
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -N LOGGING
# ip6tables -A INPUT -j LOGGING
# ip6tables -A LOGGING -j LOG --log-prefix "ip6test: " --log-level 4
# ip6tables -A LOGGING -j REJECT

This will work, so there is no problem with the system itself, right?

Sounds like a problem with shorewall6 generated rules?
This is the problem:

Chain Broadcast (1 references)
 pkts bytes target  prot opt in  out  source  destination
    4   320 DROP    all      *   *    ::/0    2001:XXXX:3:3aa:101::
    0     0 DROP    all      *   *    ::/0    2001:XXXX:3:3aa:101:0:ffff:ff80/121
    0     0 DROP    all      *   *    ::/0    ff00::/8

2001:XXXX:3:3aa:101:: <-- is the configured IPv6 address...
On 11/19/2013 3:42 PM, Igor Sverkos wrote:
> Update:
>
> # shorewall6 clear (to reset ip6tables)
> # ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> # ip6tables -N LOGGING
> # ip6tables -A INPUT -j LOGGING
> # ip6tables -A LOGGING -j LOG --log-prefix "ip6test: " --log-level 4
> # ip6tables -A LOGGING -j REJECT
>
> This will work, so there is no problem with the system itself, right?
>
> Sounds like a problem with shorewall6 generated rules?

I see nothing wrong with the shorewall6-generated ruleset.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 11/19/2013 4:13 PM, Igor Sverkos wrote:
> This is the problem:
>
> Chain Broadcast (1 references)
>  pkts bytes target  prot opt in  out  source  destination
>     4   320 DROP    all      *   *    ::/0    2001:XXXX:3:3aa:101::
>     0     0 DROP    all      *   *    ::/0    2001:XXXX:3:3aa:101:0:ffff:ff80/121
>     0     0 DROP    all      *   *    ::/0    ff00::/8
>
> 2001:XXXX:3:3aa:101:: <-- is the configured IPv6 address...

What is the prefix length?

-Tom
/80. Is "2001:XXXX:3:3aa:101::" the network address -> not usable (not sure at the moment if something like this still exists in IPv6)?
On 11/19/2013 4:47 PM, Igor Sverkos wrote:
> /80. Is "2001:XXXX:3:3aa:101::" the network address -> not usable (not
> sure at the moment if something like this still exists in IPv6)?

That is the subnet-router anycast address which Shorewall6 silently discards rather than logging. That way, if subnet anycast is actually used, those anycast packets won't clutter up the log.

-Tom
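To make the point above concrete, here is an added check (not part of this thread and not Shorewall6's own code) that tests whether a configured address/prefix is the RFC 4291 subnet-router anycast address, i.e. the subnet prefix followed by an all-zero interface identifier, and proposes the next address in the prefix. It also flags multicast destinations (ff00::/8), which the dump shows being dropped in the same Broadcast chain. The 2001:db8::/32 documentation prefix stands in for the masked 2001:XXXX:... address, and the "next address is acceptable" suggestion is an assumption, not something the thread states.

```python
import ipaddress


def check_host_address(addr_with_prefix: str) -> dict:
    """Report whether an IPv6 host address/prefix collides with destinations
    that Shorewall6's Broadcast chain drops without logging, as seen in the
    dump above: the subnet-router anycast address (RFC 4291 section 2.6.1,
    the prefix with an all-zero interface identifier) and multicast
    (ff00::/8). Returns a dict so callers can assert on or print the result."""
    iface = ipaddress.IPv6Interface(addr_with_prefix)
    net = iface.network                      # prefix with host bits cleared
    anycast = net.network_address            # the subnet-router anycast address
    host_bits = 128 - net.prefixlen
    iid = int(iface.ip) & ((1 << host_bits) - 1)   # interface-identifier bits

    # A /128 is a host route, not a subnet, so it has no subnet-router
    # anycast address; only flag when there are host bits and they are all 0.
    collides_anycast = host_bits > 0 and iid == 0

    # Assumption for illustration: the lowest non-anycast address in the
    # same prefix is an acceptable replacement.
    suggested = anycast + 1 if collides_anycast else iface.ip

    return {
        "address": str(iface.ip),
        "prefixlen": net.prefixlen,
        "subnet_router_anycast": str(anycast),
        "is_subnet_router_anycast": collides_anycast,
        "is_multicast": iface.ip.is_multicast,
        "suggested": str(suggested),
    }


if __name__ == "__main__":
    # Constructed sample: the thread's /80 address with the masked hextet
    # replaced by the documentation prefix, plus a corrected neighbour.
    for a in ("2001:db8:3:3aa:101::/80", "2001:db8:3:3aa:101::1/80"):
        r = check_host_address(a)
        verdict = ("dropped silently by the Broadcast chain (subnet-router anycast)"
                   if r["is_subnet_router_anycast"] else "ok")
        print(f"{a}: {verdict}; use {r['suggested']}")
```

Run it against every address on the firewall's interfaces (the ones `ip -6 addr` reports) before reading the log: an address flagged here never reaches the REJECT/info policy, so the absence of a log entry is expected, not a logging failure.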
Thank you Tom! I wasn't aware of the subnet-router anycast address. I changed the addresses and now everything works as expected.