[Firewall] IPv6 not blocking INET->DMZ or INET->LAN

Jason Stahls jason at justuscare.ca
Fri Mar 14 15:18:44 CET 2014


I still haven't quite figured out what I've done, but I decided to start
with a fresh config instead. How can I open ports for just the host?
From my understanding of the comments, using OPEN_TCP/UDP/IP will cause
it to forward and not block those ports, right?

Thanks,

Jason

On 3/10/2014 11:53 PM, Lonnie Abelbeck wrote:
> Jason,
>
> Try "ip6tables -nvL FORWARD", that will give you more useful data.  The default policy is DROP.
>
> Personally using OpenVPN I add tun0 (or tun+) to INT_IF (append the IPv4 OpenVPN net to INTERNAL_NET and NAT_INTERNAL_NET)
>
> I then use IF_TRUSTS to 'trust' the OpenVPN net with any other LAN INT_IF interfaces.
>
> Lonnie
>
>
> On Mar 10, 2014, at 10:27 PM, Jason Stahls wrote:
>
>> I've tried putting tun+ in LAN_IF as well as DMZ_IF, along with all the subnets in their associated _NET.  I do have IPV6_SUPPORT=1 and 2.0.1d.  I'm honestly no good at iptables rules, but an ip6tables -L -n to me looks like it's opened up the forward chain:
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> BASE_FORWARD_CHAIN  all      ::/0                 ::/0
>> TCPMSS     tcp      ::/0                 ::/0                tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>> FORWARD_CHAIN  all      ::/0                 ::/0
>> HOST_BLOCK_SRC  all      ::/0                 ::/0
>> HOST_BLOCK_DST  all      ::/0                 ::/0
>> LINK_LOCAL_DROP  all      fe80::/10            ::/0
>> LINK_LOCAL_DROP  all      ::/0                 fe80::/10
>> ACCEPT     all      ::/0                 ::/0
>> ACCEPT     all      ::/0                 ::/0
>> EXT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
>> EXT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
>> INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
>> INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
>> INT_FORWARD_IN_CHAIN  all      ::/0                 ::/0
>> INT_FORWARD_OUT_CHAIN  all      ::/0                 ::/0
>> SPOOF_CHK  all      ::/0                 ::/0
>> ACCEPT     all      ::/0                 ::/0
>> LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
>> ACCEPT     all      ::/0                 ::/0
>> LAN_INET_FORWARD_CHAIN  all      ::/0                 ::/0
>> POST_FORWARD_CHAIN  all      ::/0                 ::/0
>> LOG        all      ::/0                 ::/0 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
>> DROP       all      ::/0                 ::/0
>>
>> Thanks,
>>
>> Jason
>>
>> On 3/10/2014 11:21 PM, Lonnie Abelbeck wrote:
>>> Hi Jason,
>>>
>>> By default all IPv6 should not be forwarded.
>>>
>>> How are you allowing OpenVPN traffic via, say, "tun0"?
>>>
>>> I assume you have set IPV6_SUPPORT=1
>>>
>>> Are you running AIF v2.0.1 of some release?
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 10, 2014, at 10:02 PM, Jason Stahls wrote:
>>>
>>>> I've got a server with native v6 and a /48; it's running an OpenVPN server for various sites.  I've given each site a /64 and have IPv6 over the OpenVPN tunnels working great, but over v6 my hosts are completely open.  I've tried putting them in the LAN without NAT, and in the DMZ; in both cases the remote subnets are completely open to the Internet.  Is there a default accept policy I'm missing? :)
>>>>
>>>> Thanks,
>>>>
>>>> Jason Stahls
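Lonnie's suggestion to read the chain with "ip6tables -nvL FORWARD" rather than "-L -n" matters because the -v listing adds the in/out interface columns, which is where AIF's interface-bound ACCEPT rules carry their restriction; an ACCEPT that shows "*" for both interfaces, ::/0 for both addresses and no match text really does forward everything, and every rule after it (including the final LOG and DROP, and the chain's DROP policy) never sees a packet. The script below is an added example, not code from this thread or from the AIF project: it parses a constructed "ip6tables -nvL FORWARD" listing (the sample counters, interface names and addresses are made up) and reports any such catch-all ACCEPT together with the rules it shadows.

```python
"""Audit an ip6tables FORWARD listing for unconditional ACCEPT rules.

Added example, not from the mailing-list thread or the AIF project.
Parses the verbose format of `ip6tables -nvL FORWARD` and reports every
ACCEPT that has no interface, address or extra-match restriction, plus
the rules that sit behind it and can therefore never match.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample in the layout of `ip6tables -nvL FORWARD` (not real
# output from the thread). Verbose columns are:
#   pkts bytes target prot opt in out source destination [match text]
# ip6tables prints the opt column blank, so it disappears when the line is
# split on whitespace; iptables prints "--" there, which the parser skips.
SAMPLE_LISTING = """\
Chain FORWARD (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4201  310K BASE_FORWARD_CHAIN  all      *      *       ::/0                 ::/0
  120  7200 TCPMSS     tcp      *      *       ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 4081  302K FORWARD_CHAIN  all      *      *       ::/0                 ::/0
   33  2640 LINK_LOCAL_DROP  all      *      *       fe80::/10            ::/0
 1500  110K ACCEPT     all      eth1   tun0    ::/0                 ::/0
 1500  110K ACCEPT     all      *      *       ::/0                 ::/0
   98  6300 ACCEPT     tcp      eth0   eth1    ::/0                 2001:db8:1::10       tcp dpt:443
    9   720 LOG        all      *      *       ::/0                 ::/0                 limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `AIF:Dropped FORWARD packet: '
   12   960 DROP       all      *      *       ::/0                 ::/0
"""

CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\(policy\s+(\S+)")


def parse_listing(text: str) -> Dict:
    """Parse one chain's -nvL listing into its policy and an ordered rule list."""
    policy = None
    rules: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        tokens = line.split()
        if tokens[0] == "pkts":          # column header row
            continue
        pkts, nbytes, target, prot = tokens[:4]
        rest = tokens[4:]
        if rest and rest[0] in ("--", "-f", "!f"):   # iptables opt column
            rest = rest[1:]
        in_if, out_if, src, dst = rest[:4]
        rules.append({
            "index": len(rules) + 1,
            "pkts": pkts, "bytes": nbytes,
            "target": target, "prot": prot,
            "in": in_if, "out": out_if,
            "src": src, "dst": dst,
            "match": " ".join(rest[4:]),   # e.g. "tcp dpt:443"; "" if none
        })
    return {"policy": policy, "rules": rules}


def is_unrestricted_accept(rule: Dict) -> bool:
    """True if the rule ACCEPTs every forwarded packet unconditionally."""
    return (rule["target"] == "ACCEPT"
            and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "::/0" and rule["dst"] == "::/0"
            and rule["match"] == "")


def audit_forward_chain(text: str) -> Dict:
    """Report catch-all ACCEPT rules and the rules they shadow (1-based indexes)."""
    parsed = parse_listing(text)
    rules = parsed["rules"]
    wide_open = [r["index"] for r in rules if is_unrestricted_accept(r)]
    # Everything after the first catch-all ACCEPT, including the final LOG
    # and DROP, can never match, so the chain's DROP policy is moot.
    shadowed = [r["index"] for r in rules
                if wide_open and r["index"] > wide_open[0]]
    return {"policy": parsed["policy"],
            "wide_open": wide_open, "shadowed": shadowed}


def live_listing() -> str:
    """Fetch the real FORWARD chain (needs root); not used by the sample run."""
    return subprocess.check_output(["ip6tables", "-nvL", "FORWARD"], text=True)


if __name__ == "__main__":
    report = audit_forward_chain(SAMPLE_LISTING)
    print(f"policy {report['policy']}; catch-all ACCEPT at rule(s) "
          f"{report['wide_open']}; shadowed rule(s) {report['shadowed']}")
```

On the constructed sample the fifth rule (ACCEPT bound to eth1 and tun0) is reported as fine, the sixth is the catch-all, and rules 7 through 9 are shadowed. Running it against a live box means replacing SAMPLE_LISTING with live_listing(); the parser only reads the listing, it changes nothing.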
