[Firehol-support] IPv6 help! (and sorry for bounces)

Rich Lott - Artful Robot forums at artfulrobot.uk
Sun Dec 27 15:16:00 GMT 2015


Hi,

[I originally sent this but never saw it arrive. I think my MTA config 
was rejecting emails with broken DKIM sigs, which are caused by the 
list. Apols to anyone who was inconvenienced, I've turned this off now.]

I'm getting vexed by IPv6.

I'm using firehol v3 compiled on Debian Jessie on a VM with native IPv6 
support.

With the firewall off I can get a reply from *ping6 ipv6.google.com*.

With the firewall on, this still works for about 30s and then I just get 
"connect: network is unreachable" errors. In the log I have things like

kernel: [143183.342905] IN-unknown:IN=eth0 OUT= 
MAC=33:33:00:00:00:01:00:05:73:a0:0f:ff:86:dd 
SRC=fe80:0000:0000:0000:0000:0000:0000:0001 
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=224 HOPLIMIT=255 
FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0

The ipv6 rules I have currently are:

MY_IP6=2a01:..[redacted]..f855/64
interface6 eth0 internet6 src not "${UNROUTABLE_IPS}" dst $MY_IP6
   policy accept
   server ipv6error accept
   server ipv6neigh accept
   server custom test1 tcp/13579 any accept
   client custom test1 tcp/13579 any accept
   client ipv6neigh accept
   client ipv6router accept
   client http accept
   client https accept
   client all accept

interface6 eth0 lan6 src $MY_IP6 dst $MY_IP6
   policy accept
   client all accept

interface6 eth0 dst not $MY_IP6
   policy accept
   client all accept


The ones in grey are from earlier testing but as I have 'accept' as a 
policy, I don't think they'll be in the way. The only other rules are 
specifically ipv4 ones (interface4...); there are no router lines - it 
only has one NIC.

The $MY_IP6 is my /internet/ IPv6 address. I've tried this with /64 at 
the end (as reported by ip -6 addr show) and without that. The link 
local one is fe80::f03c:91ff:fe33:f855/64.

Two things I don't understand are:

1. Why don't the rules I've got in my conf file allow all IPv6? Why is 
the firewall prohibiting IPv6 at all?

2. Why am I seeing rejected traffic from what is presumably my gateway 
(fe80::1) but with a DST address that's not my link local one, nor my 
external IP?

I've read all the pages of the firehol manual, I think, but am still stuck.


Many thanks for your consideration!

Rich
PS. Happy Christmas :-)
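As an added example (not part of Rich's post or of firehol itself), a short Python script that parses the kernel LOG line quoted above and reports which of the config's `dst` matches the logged packet would fall under. The real address is redacted, so MY_IP6 here is a placeholder documentation prefix.

```python
import ipaddress
import re

# Constructed sample: the kernel log line from the post, joined onto one line.
SAMPLE_LOG = ("kernel: [143183.342905] IN-unknown:IN=eth0 OUT= "
              "MAC=33:33:00:00:00:01:00:05:73:a0:0f:ff:86:dd "
              "SRC=fe80:0000:0000:0000:0000:0000:0000:0001 "
              "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=224 "
              "HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0")

# Placeholder for the redacted global /64 (documentation prefix, not the real one).
MY_IP6_PLACEHOLDER = "2001:db8::f855/64"

# ICMPv6 Neighbor Discovery message types (RFC 4861) a host must be able to receive.
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}

def parse_log(line):
    """Turn the KEY=VALUE fields of a netfilter LOG line into a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def classify(line, my_ip6):
    """Describe the logged packet in terms of the firehol 'dst' matches in use."""
    fields = parse_log(line)
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    prefix = ipaddress.ip_network(my_ip6, strict=False)
    return {
        "src_link_local": src.is_link_local,          # fe80::/10, e.g. the gateway
        "dst_multicast": dst.is_multicast,            # ff00::/8
        "dst_all_nodes": dst == ipaddress.ip_address("ff02::1"),
        "dst_in_my_prefix": dst in prefix,            # what 'dst $MY_IP6' checks
        "icmpv6_type": ND_TYPES.get(int(fields.get("TYPE", -1)), "other"),
    }

if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG, MY_IP6_PLACEHOLDER).items():
        print(f"{key}: {value}")
```

For the quoted line the script reports a Router Advertisement sent to the all-nodes group ff02::1, which lies outside any unicast /64, so it is not matched by a `dst $MY_IP6` rule.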