[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Jason Stahls jason at justuscare.ca
Tue Mar 11 04:27:47 CET 2014


I've tried putting tun+ in LAN_IF as well as DMZ_IF, along with all the subnets in their associated _NET.  I do have IPV6_SUPPORT=1 and 2.0.1d.  I'm honestly no good at iptables rules, but an ip6tables -L -n to me looks like it's opened up the forward chain:

Chain FORWARD (policy DROP)
target     prot opt source               destination
BASE_FORWARD_CHAIN  all      ::/0                 ::/0
TCPMSS     tcp      ::/0                 ::/0                tcp flags:0x06/0x02 TCPMSS clamp to PMTU
FORWARD_CHAIN  all      ::/0                 ::/0
HOST_BLOCK_SRC  all      ::/0                 ::/0
HOST_BLOCK_DST  all      ::/0                 ::/0
LINK_LOCAL_DROP  all      fe80::/10            ::/0
LINK_LOCAL_DROP  all      ::/0                 fe80::/10
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0
EXT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
EXT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
SPOOF_CHK  all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0
LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0
LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
POST_FORWARD_CHAIN  all      ::/0                 ::/0
LOG        all      ::/0                 ::/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
DROP       all      ::/0                 ::/0

Thanks,

Jason

On 3/10/2014 11:21 PM, Lonnie Abelbeck wrote:
> Hi Jason,
>
> By default all IPv6 should not be forwarded.
>
> How are you allowing OpenVPN traffic via say "tun0" ?
>
> I assume you have set IPV6_SUPPORT=1
>
> Are you running AIF v2.0.1 of some release ?
>
> Lonnie
>
>
> On Mar 10, 2014, at 10:02 PM, Jason Stahls wrote:
>
>> I've got a server with native v6 and a /48; it's running an OpenVPN server for various sites.  I've given each site a /64 and have IPv6 over the OpenVPN tunnels working great, but over v6 my hosts are completely open.  I've tried putting them in the LAN without NAT, and in the DMZ; in both cases the remote subnets are completely open to the Internet.  Is there a default accept policy I'm missing? :)
>>
>> Thanks,
>>
>> Jason Stahls
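As an added check (not code from this thread or from AIF), a small parser that reads an `ip6tables -L -n` listing of the kind pasted above and reports the positions of ACCEPT rules with no visible match restriction. The sample listing is constructed to mirror the shape of the FORWARD chain in the thread; the same parser also accepts IPv4 `iptables -L -n` rows, which carry an extra `opt` column.

```python
"""Flag ACCEPT rules in an `ip6tables -L -n` listing that match everything
(all, ::/0 -> ::/0, no extra match text).  Caveat: `-L` without `-v` hides the
in/out interface columns, so a rule bound to e.g. tun+ looks unconditional
here; confirm what you find with `ip6tables -L -n -v` before acting on it."""
import re

# Constructed sample, shaped like (but shorter than) the FORWARD chain in the thread.
SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
BASE_FORWARD_CHAIN  all      ::/0                 ::/0
TCPMSS     tcp      ::/0                 ::/0                tcp flags:0x06/0x02 TCPMSS clamp to PMTU
LINK_LOCAL_DROP  all      fe80::/10            ::/0
ACCEPT     all      ::/0                 ::/0
ACCEPT     all      ::/0                 ::/0
SPOOF_CHK  all      ::/0                 ::/0
LOG        all      ::/0                 ::/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
DROP       all      ::/0                 ::/0
"""

# Built-in chains show "(policy X)", user-defined chains show "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_listing(text):
    """Map chain name -> {'policy': str or None, 'rules': [(target, proto, src, dst, extra)]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 4 or parts[0] == "target":
            continue  # blank line, column header, or text before any chain
        target, proto, rest = parts[0], parts[1], parts[2:]
        if rest[0] == "--":  # IPv4 listings fill the 'opt' column; IPv6 leaves it blank
            rest = rest[1:]
        src, dst, extra = rest[0], rest[1], " ".join(rest[2:])
        chains[current]["rules"].append((target, proto, src, dst, extra))
    return chains


def open_accepts(chains, chain="FORWARD"):
    """1-based rule positions in `chain` that ACCEPT with no visible restriction."""
    return [i for i, (t, p, s, d, x) in enumerate(chains[chain]["rules"], 1)
            if t == "ACCEPT" and p == "all" and s == d == "::/0" and not x]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("FORWARD policy:", parsed["FORWARD"]["policy"])
    print("unrestricted ACCEPT at rule positions:", open_accepts(parsed))
```

Feed it real output with `ip6tables -L -n | python3 audit.py` style piping after swapping `SAMPLE` for `sys.stdin.read()`; a non-empty result on a chain whose policy is DROP is where to start looking.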
