I am trying to configure an IPv6-only SLES 10.3 host with a firewall, but SuSEfirewall2 blocks all outgoing IPv6 traffic (DNS, ping6, SSH, etc.). The incoming services I allow (SSH) work over IPv6. It all works when I turn the firewall off.
In /etc/sysconfig/SuSEfirewall2, I have set:
Code:
# Leave empty to automatically detect whether your kernel supports stateful matching.
FW_IPv6=""
# Reject outgoing IPv6 Packets?
FW_IPv6_REJECT_OUTGOING="no"
ip6tables -L output is here. Basically, in yast2's firewall config dialog, I'm allowing "SSH", "NIS client", "NFS client", "DNS Server" (but what I really was going for was DNS Client, but that's not a choice), and ports 50000-50005; everything else is SuSEfirewall2's defaults.
I placed the interface in the External Zone; it's a one-interface machine.
This is logged in dmesg when I try ping6 2002:920:c000:213:9:32:213:134:
Code:
Aug 18 11:23:29 susoaqa02 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:5e:1c:14:9c:00:14:5e:1c:a7:16:86:dd SRC=2002:0920:c000:0213:0009:0032:0213:0134 DST=2002:0920:c000:0213:0009:0032:0213:0063 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=23150 SEQ=4
Aug 18 11:23:33 susoaqa02 kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=2002:0920:c000:0213:0009:0032:0213:0063 DST=2002:0920:c000:0213:0009:0032:0213:0134 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=23150 SEQ=8
And telnet 2002:920:c000:213:9:32:213:134 22:
Code:
Aug 18 11:25:23 susoaqa02 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:5e:1c:14:9c:00:14:5e:1c:a7:16:86:dd SRC=2002:0920:c000:0213:0009:0032:0213:0134 DST=2002:0920:c000:0213:0009:0032:0213:0063 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49280 WINDOW=5712 RES=0x00 ACK SYN URGP=0 OPT (020405A00402080A0006309102D53E0301030302)
Aug 18 11:25:35 susoaqa02 kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=2002:0920:c000:0213:0009:0032:0213:0063 DST=2002:0920:c000:0213:0009:0032:0213:0134 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=49280 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A02D552850000000001030302)
I see the "ACCEPT all anywhere anywhere" in the OUTPUT chain, but the rule that's blocking the traffic(?) is in chain input_ext.
- SLES 10.3 x86_64
- SuSEfirewall2-3.4_SVNr142-7.16.27 (i.e., I took this rpm from 10.4, which DID fix a bug I was seeing)
- kernel 2.6.16.60-0.81.2-smp (the latest for 10.3)
- I try very hard to avoid raw iptables; I have always used Shorewall in the past and this is my first foray into SuSEfirewall2.
Am I doing something wrong here? Why is outgoing IPv6 blocked, and how do I get it to stop?
Edit:
If I reduce the rules to
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
COMMIT
then outgoing SSH and DNS don't work. Is that how it's supposed to be?
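The two dmesg pairs in the post share one pattern: the packet this host sends is logged by the OUTPUT chain as SFW2-OUT-ERROR, and the answer to it (an ICMPv6 echo reply, a TCP SYN/ACK from port 22) is then dropped by the input_ext default rule. That is what an INPUT policy of DROP plus a RELATED,ESTABLISHED accept rule looks like when the state match is not recognising IPv6 return traffic. The script below is an added example, not code from the post or from SuSEfirewall2: it parses SFW2 log lines, flags dropped inbound packets that look like the return half of a flow this host opened, and cross-checks each against the outbound entries so the report separates confirmed cases from suspected ones. The first four sample lines are the ones from the post; the fifth (a UDP answer from port 53) and the port numbers in it are constructed.

```python
"""Spot dropped IPv6 reply traffic in SuSEfirewall2 (SFW2) kernel log lines.

Added example, not code from the original post or from SuSEfirewall2. The first
four sample lines are copied from the post; the fifth (a UDP/DNS answer) and the
port numbers in it are constructed for illustration.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Aug 18 11:23:29 susoaqa02 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:5e:1c:14:9c:00:14:5e:1c:a7:16:86:dd SRC=2002:0920:c000:0213:0009:0032:0213:0134 DST=2002:0920:c000:0213:0009:0032:0213:0063 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=129 CODE=0 ID=23150 SEQ=4
Aug 18 11:23:33 susoaqa02 kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=2002:0920:c000:0213:0009:0032:0213:0063 DST=2002:0920:c000:0213:0009:0032:0213:0134 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=23150 SEQ=8
Aug 18 11:25:23 susoaqa02 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:5e:1c:14:9c:00:14:5e:1c:a7:16:86:dd SRC=2002:0920:c000:0213:0009:0032:0213:0134 DST=2002:0920:c000:0213:0009:0032:0213:0063 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=22 DPT=49280 WINDOW=5712 RES=0x00 ACK SYN URGP=0 OPT (020405A00402080A0006309102D53E0301030302)
Aug 18 11:25:35 susoaqa02 kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=2002:0920:c000:0213:0009:0032:0213:0063 DST=2002:0920:c000:0213:0009:0032:0213:0134 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=49280 DPT=22 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A02D552850000000001030302)
Aug 18 11:26:01 susoaqa02 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:14:5e:1c:14:9c:00:14:5e:1c:a7:16:86:dd SRC=2002:0920:c000:0213:0009:0032:0213:0001 DST=2002:0920:c000:0213:0009:0032:0213:0063 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40123 LEN=80
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TAG_RE = re.compile(r"kernel: (SFW2-[A-Za-z0-9_-]+)\s")


def parse_sfw2_line(line: str) -> Optional[Dict[str, Any]]:
    """Turn one 'kernel: SFW2-... KEY=VALUE ...' line into a dict.

    Bare TCP flag tokens (ACK SYN ...) are collected under 'flags'; tokens that
    are neither KEY=VALUE nor a flag (e.g. the OPT (...) hex dump) are ignored.
    Returns None for lines that are not SFW2 log entries.
    """
    m = TAG_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = {"time": line[:15], "tag": m.group(1), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def reply_reason(rec: Dict[str, Any]) -> Optional[str]:
    """Explain why a dropped inbound packet looks like the answer to a flow this
    host opened, or return None if it does not look like one."""
    tag = rec["tag"]
    if "-IN" not in tag or "DROP" not in tag:
        return None
    proto = rec.get("PROTO")
    if proto == "ICMPv6" and rec.get("TYPE") == "129":
        return "ICMPv6 echo reply (type 129) to an echo request we sent"
    if proto == "TCP" and {"SYN", "ACK"} <= rec["flags"]:
        return "TCP SYN/ACK answering a SYN we sent"
    if proto == "UDP" and rec.get("SPT") == "53":
        return "UDP datagram from port 53, i.e. a DNS answer"
    return None


def flow_key(rec: Dict[str, Any], reverse: bool = False) -> Tuple[Any, ...]:
    """Identify a flow by addresses and ports (or the ICMPv6 ID). With
    reverse=True the tuple is built for the opposite direction, so an inbound
    reply keys to the same tuple as the outbound packet that provoked it."""
    src, dst = rec.get("SRC"), rec.get("DST")
    sport, dport = rec.get("SPT"), rec.get("DPT")
    if reverse:
        src, dst, sport, dport = dst, src, dport, sport
    if rec.get("PROTO") == "ICMPv6":
        return ("ICMPv6", src, dst, rec.get("ID"))
    return (rec.get("PROTO"), src, dst, sport, dport)


def analyse(log_text: str) -> List[Dict[str, Any]]:
    """One finding per dropped packet that looks like reply traffic, noting
    whether the outbound half of the same flow was also logged (SFW2-OUT-*)."""
    records = [r for r in (parse_sfw2_line(line) for line in log_text.splitlines()) if r]
    outbound = {flow_key(r) for r in records if r["tag"].startswith("SFW2-OUT")}
    findings: List[Dict[str, Any]] = []
    for rec in records:
        reason = reply_reason(rec)
        if reason is None:
            continue
        findings.append({
            "time": rec["time"],
            "proto": rec["PROTO"],
            "peer": rec.get("SRC"),
            "reason": reason,
            "outbound_logged": flow_key(rec, reverse=True) in outbound,
        })
    return findings


def verdict(findings: List[Dict[str, Any]]) -> str:
    """Replies to flows we demonstrably opened being dropped on the INPUT side
    means the RELATED,ESTABLISHED state rule is not matching IPv6 traffic."""
    confirmed = sum(1 for f in findings if f["outbound_logged"])
    if confirmed:
        return ("state match not working for IPv6: %d dropped reply packet(s) whose "
                "outbound half was logged, %d further suspected"
                % (confirmed, len(findings) - confirmed))
    if findings:
        return "%d dropped packet(s) look like replies; no outbound half logged" % len(findings)
    return "no dropped reply traffic found"


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["proto"], f["peer"], f["reason"], "outbound seen:", f["outbound_logged"])
    print(verdict(results))
```

Run against the sample, the echo reply and the SYN/ACK are reported as confirmed (their outbound halves are in the log), while the constructed DNS answer has no outbound counterpart in the sample and is reported as suspected only. The same script can be pointed at a real `dmesg` or `/var/log/firewall` extract by replacing SAMPLE_LOG with the file contents.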