Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN to the internet.
I have recently added IPv6 DHCPv6 config to the router, and prefix delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6 enabled devices in my home LAN have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT approach to protect the devices in my home LAN from being accessed from the internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from the internet?
-Paavo
5 years, 9 months
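A firewalld translation of the ip6tables rules in the post, added here as an example; it is not Paavo's code and not code from the firewalld project. It assumes firewall-cmd is on PATH, that eth0 is the WAN and eth1 the LAN interface, and it names the policy lan-to-wan; all three are placeholders. Two variants are given: direct rules, which reproduce the three ip6tables lines one for one on any firewalld release, and a forwarding policy, which is the cleaner form on firewalld 0.9 and later and covers IPv4 and IPv6 with the same object.

```shell
#!/bin/sh
# Added example for the IPv6 forwarding question; not from the post or firewalld.
# eth0 (WAN) and eth1 (LAN) are placeholder interface names.
# Set DRY_RUN=1 to print the firewall-cmd invocations instead of executing them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Variant A: direct rules, a 1:1 translation of the ip6tables lines in the post.
# firewalld jumps to its direct chain before the zone chains in FORWARD, so the
# priorities 0,1,2 keep the order: accept NEW from LAN to WAN, accept replies,
# drop everything else. These rules are IPv6-only (first argument "ipv6").
direct_rules() {   # lanif wanif
  lan=$1; wan=$2
  run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 \
      -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
  run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 2 -j DROP
  run firewall-cmd --reload
}

# Variant B: zones plus a forwarding policy (firewalld 0.9 and later).
# Forwarding between zones is refused unless a policy allows it, so only the
# internal->external direction gets one. Reply packets are matched by
# firewalld's own ESTABLISHED,RELATED rule; new connections arriving on the WAN
# toward a LAN host have no matching policy and are dropped, for IPv4 and IPv6.
# On NetworkManager-managed interfaces the zone is stored in the connection
# profile (connection.zone), which takes precedence over --change-interface.
policy_rules() {   # lanif wanif
  lan=$1; wan=$2
  run firewall-cmd --permanent --zone=internal --change-interface="$lan"
  run firewall-cmd --permanent --zone=external --change-interface="$wan"
  run firewall-cmd --permanent --new-policy=lan-to-wan
  run firewall-cmd --permanent --policy=lan-to-wan --add-ingress-zone=internal
  run firewall-cmd --permanent --policy=lan-to-wan --add-egress-zone=external
  run firewall-cmd --permanent --policy=lan-to-wan --set-target=ACCEPT
  run firewall-cmd --reload
}

case "${1:-}" in
  direct) direct_rules "${2:-eth1}" "${3:-eth0}" ;;
  policy) policy_rules "${2:-eth1}" "${3:-eth0}" ;;
  "")     : ;;   # no mode given: only define the functions
  *)      echo "usage: $0 direct|policy [lanif wanif]" >&2; exit 2 ;;
esac
```

Run it as `sh ipv6-forward.sh direct` (older firewalld) or `sh ipv6-forward.sh policy` (0.9 and later); with DRY_RUN=1 it only prints the commands. After the reload, `firewall-cmd --direct --get-all-rules` or `firewall-cmd --info-policy=lan-to-wan` shows what was stored, and the check that matters is behavioural: a connection attempt from the WAN side to a LAN host's global IPv6 address should time out, while sessions started from the LAN keep working.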
hard limits?
by davewill@kayakero.net
I'm sure I'm just doing it wrong but I'm having trouble with an ipset hitting "maxelem 65536 reached."
I tried:
$ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072
success
which creates:
$ sudo more /etc/firewalld/ipsets/blacklist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="maxelem:131072"/>
</ipset>
but when I load with $ sudo firewall-cmd --reload:
Jun 18 11:40:20 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
Jun 18 11:40:35 temp-2 firewalld: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'
Jun 18 11:40:35 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
Jun 18 11:40:37 temp-2 firewalld: ERROR: Failed to load ipset file 'blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'
I thought I would work around it by splitting my ipset in two but that still generated the maxelem error for both files:
Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-1'
Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
Jun 18 12:13:27 temp-2 kernel: Set blacklist-2 is full, maxelem 65536 reached
Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-2'
Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
and removing the larger of the two, I still get the maxelem error for what is now a pretty small file.
I'm stumped and trying to avoid having to add each entry via sudo firewall-cmd --permanent --ipset=blacklist --add-entry=...
Thanks for any guidance out there,
-David
6 years, 9 months
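An added example for the ipset problem above; it is not David's code and not code from the firewalld project. The option syntax firewall-cmd documents is `--option=key=value`, which is stored as `<option name="maxelem" value="131072"/>`; written as `maxelem:131072` it is read as a single option named "maxelem:131072", which is exactly what the INVALID_OPTION line reports, and the set then falls back to the kernel default of 65536 elements. The script below sizes maxelem from the entry file, creates the set with the documented syntax, bulk-loads the addresses with `--add-entries-from-file` instead of one `--add-entry` per address, and flags the malformed option form in existing XML files. The set name blacklist, the entries file path and the binding to the drop zone are assumptions.

```shell
#!/bin/sh
# Added example for the "maxelem 65536 reached" thread; not from the post or
# from firewalld. Set DRY_RUN=1 to print the firewall-cmd calls instead of
# executing them. Names and paths are placeholders.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Round a wanted element count up to the next power of two, with at least 25%
# headroom, so a growing list does not hit "maxelem N reached" on a later reload.
recommend_maxelem() {   # count
  want=$(( $1 + $1 / 4 ))
  size=65536              # ipset's default maxelem for hash:ip
  while [ "$size" -lt "$want" ]; do size=$(( size * 2 )); done
  echo "$size"
}

# Count lines that are plain dotted-quad IPv4 addresses (hash:ip defaults to
# family inet); one bad line makes 'ipset restore' reject the whole set.
count_ipv4_entries() {   # file
  grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$1" || true
}

# Report <option> elements written as name="key:value" (the form in the post).
# firewalld expects name="key" value="value" and raises INVALID_OPTION otherwise.
bad_options() {   # xml-file
  grep -Eo 'name="[^"]*:[^"]*"' "$1" || true
}

# Create a correctly sized set, load it in one call, and drop traffic from it.
load_ipset() {   # name entries-file
  name=$1; file=$2
  total=$(wc -l < "$file")
  n=$(count_ipv4_entries "$file")
  if [ "$n" -ne "$total" ]; then
    echo "$file: $((total - n)) line(s) are not plain IPv4 addresses" >&2
    return 1
  fi
  maxelem=$(recommend_maxelem "$n")
  # key=value, not key:value
  run firewall-cmd --permanent --new-ipset="$name" --type=hash:ip --option=maxelem="$maxelem"
  # one call instead of one --add-entry per address
  run firewall-cmd --permanent --ipset="$name" --add-entries-from-file="$file"
  run firewall-cmd --permanent --zone=drop --add-source="ipset:$name"
  run firewall-cmd --reload
}

case "${1:-}" in
  load)  load_ipset "${2:-blacklist}" "${3:?entries file}" ;;
  check) bad_options "${2:?ipset xml file}" ;;
  "")    : ;;   # no mode given: only define the functions
  *)     echo "usage: $0 load NAME FILE | check XMLFILE" >&2; exit 2 ;;
esac
```

`sh ipset-load.sh check /etc/firewalld/ipsets/blacklist.xml` prints any `name="maxelem:131072"`-style options in a file written with the wrong syntax; after a correct load, `firewall-cmd --info-ipset=blacklist` lists the options actually applied, and `ipset list blacklist -t` shows the kernel's maxelem and current element count.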