[Firehol-support] IPv6 help! (and sorry for bounces)
Arthur Fabre
arthur at arthurfabre.com
Mon Dec 28 21:37:39 GMT 2015
Hi Rich,
I've had similar issues in the past, and if I recall correctly IPv6 uses multicast (ff02::/16) for neighbour solicitation (ARP in the IPv4 world, i.e. figuring out what MAC address "has" a given IP) - I had to add ff02::/16 as a dest address.
In the end between link-local traffic, multicast, and other addresses, I gave up on using dest with ipv6.
Arthur
On 27/12/15 16:16, Rich Lott - Artful Robot wrote:
> Hi,
>
> [I originally sent this but never saw it arrive. I think my MTA config was rejecting emails with broken DKIM sigs, which are caused by the list. Apols to anyone who was inconvenienced, I've turned this off now.]
>
> I'm getting vexed by IPv6.
>
> I'm using firehol v3 compiled on Debian Jessie on a VM with native IPv6 support.
>
> With the firewall off I can get a reply from *ping6 ipv6.google.com*.
>
> With the firewall on, this still works for about 30s and then I just get "connect: network is unreachable" errors. In the log I have things like
>
> kernel: [143183.342905] IN-unknown:IN=eth0 OUT= MAC=33:33:00:00:00:01:00:05:73:a0:0f:ff:86:dd SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
>
> The ipv6 rules I have currently are:
>
> MY_IP6=2a01:..[redacted]..f855/64
> interface6 eth0 internet6 src not "${UNROUTABLE_IPS}" dst $MY_IP6
> policy accept
> server ipv6error accept
> server ipv6neigh accept
> server custom test1 tcp/13579 any accept
> client custom test1 tcp/13579 any accept
> client ipv6neigh accept
> client ipv6router accept
> client http accept
> client https accept
> client all accept
>
> interface6 eth0 lan6 src $MY_IP6 dst $MY_IP6
> policy accept
> client all accept
>
> interface6 eth0 dst not $MY_IP6
> policy accept
> client all accept
>
>
> The ones in grey are from earlier testing but as I have 'accept' as a policy, I don't think they'll be in the way. The only other rules are specifically ipv4 ones (interface4...); there are no router lines - it only has one NIC.
>
> The $MY_IP6 is my /internet/ IPv6 address. I've tried this with /64 at the end (as reported by ip -6 addr show) and without that. The link local one is fe80::f03c:91ff:fe33:f855/64.
>
> Two things I don't understand are:
>
> 1. Why don't the rules I've got in my conf file allow all IPv6? Why is the firewall prohibiting IPv6 at all?
>
> 2. Why am I seeing rejected traffic from what is presumably my gateway (fe80::1) but with a DST address that's not my link local one, nor my external IP?
>
> I've read all the pages on firehol manual, I think but am still stuck.
>
>
> Many thanks for your consideration!
>
> Rich
> PS. Happy Christmas :-)
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
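Both messages turn on the same point: the packet Rich's firewall logged (ICMPv6 TYPE=134, a Router Advertisement, from the gateway's link-local fe80::1 to the all-nodes group ff02::1) can never match a rule qualified with dst $MY_IP6, and neither can Neighbour Solicitations, which go to the solicited-node multicast group rather than to the host's own address. The script below is an added example, not code from either poster or from the FireHOL project: it parses netfilter LOG lines of the exact shape shown in the thread and sorts each logged packet into the destination class it belongs to, so you can see how much of a log is Neighbour Discovery rather than real traffic. The address 2001:db8::1/64 (an RFC 3849 documentation prefix) stands in for the redacted address in the original post; the first sample log line is the one from the thread, the other two are constructed in the same format.

```python
import ipaddress
import re

# ICMPv6 types that Neighbour Discovery (RFC 4861) relies on.  The kernel
# log line quoted in the thread carries TYPE=134, a Router Advertisement.
ND_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbour Solicitation",
    136: "Neighbour Advertisement",
    137: "Redirect",
}

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LINK_SCOPE_MCAST = ipaddress.IPv6Network("ff02::/16")          # ff02::1 all-nodes, ff02::2 all-routers
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")   # targets of Neighbour Solicitations

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Split a kernel netfilter LOG line into its KEY=VALUE fields.

    Empty values (e.g. 'OUT=') are kept so the caller can see the field was present.
    """
    return dict(_FIELD.findall(line))


def classify(line, my_ip6):
    """Say which destination class a logged IPv6 packet belongs to.

    Returns (dst_class, icmpv6_name).  Anything other than 'my address' or
    'my prefix' is traffic that a rule matching 'dst $MY_IP6' cannot accept.
    """
    f = parse_netfilter_log(line)
    dst = ipaddress.IPv6Address(f["DST"])
    mine = ipaddress.IPv6Interface(my_ip6)

    icmp_name = None
    if f.get("PROTO") == "ICMPv6" and "TYPE" in f:
        t = int(f["TYPE"])
        icmp_name = ND_TYPES.get(t, "ICMPv6 type %d" % t)

    # Order matters: the solicited-node range is a subset of ff02::/16.
    if dst == mine.ip:
        dst_class = "my address"
    elif dst in mine.network:
        dst_class = "my prefix"
    elif dst in SOLICITED_NODE:
        dst_class = "solicited-node multicast"
    elif dst in LINK_SCOPE_MCAST:
        dst_class = "link-scope multicast"
    elif dst in LINK_LOCAL:
        dst_class = "link-local unicast"
    else:
        dst_class = "other"
    return dst_class, icmp_name


def triage(lines, my_ip6):
    """Count logged packets per destination class, so you can see at a glance
    how much of what the firewall logged is ND/RA rather than real traffic."""
    counts = {}
    for line in lines:
        if "SRC=" not in line or "DST=" not in line:
            continue  # not a netfilter LOG line
        dst_class, _ = classify(line, my_ip6)
        counts[dst_class] = counts.get(dst_class, 0) + 1
    return counts


# Constructed sample input.  The first line is the one quoted in the thread;
# the other two are made up in the same format.  2001:db8::1/64 stands in for
# the redacted address in the original post (RFC 3849 documentation prefix).
MY_IP6 = "2001:db8::1/64"
SAMPLE_LOG = [
    # Router Advertisement from the gateway (fe80::1) to all-nodes (ff02::1)
    "kernel: [143183.342905] IN-unknown:IN=eth0 OUT= MAC=33:33:00:00:00:01:00:05:73:a0:0f:ff:86:dd "
    "SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 "
    "LEN=104 TC=224 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0",
    # Neighbour Solicitation for 2001:db8::1, sent to its solicited-node group ff02::1:ff00:1
    "kernel: [143184.000001] IN-unknown:IN=eth0 OUT= MAC=33:33:ff:00:00:01:00:05:73:a0:0f:ff:86:dd "
    "SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0001:ff00:0001 "
    "LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0",
    # Echo Reply to our own global address: the one case 'dst $MY_IP6' does match
    "kernel: [143185.000002] IN-unknown:IN=eth0 OUT= MAC=00:11:22:33:44:55:00:05:73:a0:0f:ff:86:dd "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line, MY_IP6))
    print(triage(SAMPLE_LOG, MY_IP6))
```

Feed it the output of `grep ICMPv6 /var/log/kern.log` (or `journalctl -k`) in place of SAMPLE_LOG: if the "link-scope multicast" and "solicited-node multicast" buckets dominate, the host is losing its router and neighbour entries, which is consistent with pings working for a while after the firewall comes up and then failing with "network is unreachable" once the cached default route expires.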