Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN
to the internet.
I have recently added IPv6 DHCPv6 config to the router, and prefix
delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6-enabled devices in my home LAN
have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT
approach to protect the devices in my home LAN from being accessed from the
internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from the
internet?
-Paavo
5 years, 9 months
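A firewalld equivalent of the three ip6tables lines above, added here as an example (not from the original post or from the firewalld project): it installs the same stateful rules as permanent direct rules so that firewalld owns them and they survive a reload. It assumes firewalld's iptables backend (the one in use at the time of this thread), the post's eth0/eth1 names, and a DRY_RUN switch and helper functions that are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the same three ip6tables FORWARD
# rules as permanent firewalld direct rules, so firewalld owns them and they
# survive a reload. Assumes the iptables backend of firewalld and the post's
# interface names; DRY_RUN and the helpers are this example's own additions.
WANIF="${WANIF:-eth0}"
LANIF="${LANIF:-eth1}"

# With DRY_RUN set, print the command instead of executing it, so the rule
# set can be reviewed before anything is changed.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the rules in the IPv6 filter FORWARD chain. The priority orders them
# inside firewalld's FORWARD_direct chain (lower first), which is what keeps
# the state-tracking ACCEPT ahead of the catch-all DROP, as in the ip6tables
# version. "-m conntrack --ctstate" is the current spelling of "-m state".
add_ipv6_forward_rules() {
    lan="$1"
    wan="$2"
    run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 \
        -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 2 \
        -i "$wan" -o "$lan" -j DROP
}

# Given the text of `firewall-cmd --direct --get-all-rules`, print how many
# IPv6 FORWARD direct rules are loaded (3 once the set above is active).
ipv6_forward_rule_count() {
    printf '%s\n' "$1" | grep -c '^ipv6 filter FORWARD ' || true
}

case "${1:-}" in
    --apply)
        add_ipv6_forward_rules "$LANIF" "$WANIF"
        run firewall-cmd --reload
        ipv6_forward_rule_count "$(firewall-cmd --direct --get-all-rules)"
        ;;
    *)
        DRY_RUN=1 add_ipv6_forward_rules "$LANIF" "$WANIF"
        ;;
esac
```

FORWARD_direct is consulted before the zone chains, so the priority-2 DROP also overrides any zone-level forward rule for WAN-to-LAN traffic; with the iptables backend firewalld's FORWARD chain already ends in a REJECT for traffic no zone accepted, so the DROP makes the intent explicit rather than being strictly required.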
Re: firewalld and ipsets
by John Griffiths
I implemented the use of ipsets for a direct rule in firewalld in 2013.
The direct.xml is:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting: any packet whose source address is in the "blacklist"
       ipset is sent to PREROUTING_blacklist in the raw table (before conntrack),
       logged at most 3/min, then dropped. Same rules for IPv4 and IPv6. -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
I have several ipsets that are modified outside of firewalld.
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
These are members of ipset blacklist:
Name: blacklist
Type: list:set
Revision: 3
Header: size 8
Size in memory: 368
References: 0
Number of entries: 6
Members:
blacklist_ipv4_permanent
blacklist_ipv4_semipermanent
blacklist_ipv4_current
blacklist_ipv6_permanent
blacklist_ipv6_semipermanent
blacklist_ipv6_current
This was working until I upgraded to Fedora 26 from Fedora 24. Now, even
though an IP is in one of the member iplists,
blacklist_ipv4_semipermanent or one of the others, firewalld does not
block the IP.
I do not know if this is an issue with ipsets or firewalld, nor do I
know whether this is a "feature" or a bug.
Since these ipsets are modified dynamically and need to be accessed from
bash scripts, using the internal ipset functionality of firewalld is not
my desired choice.
Any insight or help in getting the ipsets working again with firewalld
would be greatly appreciated.
Thanks.
John
6 years, 3 months
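To answer the post's own question of whether the failure is in ipset or in firewalld, here is a diagnostic added as an example (not from the original post): it tests the address against each member set rather than the list:set itself (the ipset tool takes set names, not addresses, as list:set elements), reads the References counter of the top-level set (in the listing above it is 0, meaning no rule or other set was using blacklist when that listing was taken), and checks the raw PREROUTING chain for the passthrough rule. Set and chain names come from the direct.xml above; the helper functions and the sample texts used to exercise them are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): split the question "firewalld or
# ipset?" into checks that answer it separately. Set and chain names are the
# ones in the direct.xml above; any sample text fed to the helpers is constructed.
SETNAME="${SETNAME:-blacklist}"
CHAIN="${CHAIN:-PREROUTING_blacklist}"

# Member set names from `ipset list NAME` output (the lines after "Members:").
# For a list:set these are the sets that actually hold the addresses.
list_members() {
    printf '%s\n' "$1" | awk 'f && NF { print } /^Members:/ { f = 1 }'
}

# The "References:" line counts kernel users of the set: iptables/ip6tables
# rules and parent list:sets. For the top-level list:set, 0 means no rule is
# matching against it at all, whatever the member sets contain.
reference_count() {
    printf '%s\n' "$1" | sed -n 's/^References: *\([0-9][0-9]*\).*/\1/p'
}

# Given `iptables -t raw -S PREROUTING` text, succeed if a rule matches the
# set as source and jumps to the blacklist chain (the passthrough in direct.xml).
raw_hook_present() {
    printf '%s\n' "$1" | grep -q -- "-m set --match-set $2 src -j $3"
}

# Live diagnosis for one address (needs root). Any address with ':' is IPv6.
diagnose() {
    addr="$1"
    case "$addr" in *:*) ipt=ip6tables ;; *) ipt=iptables ;; esac
    hits=""
    for member in $(list_members "$(ipset list "$SETNAME")"); do
        ipset test "$member" "$addr" >/dev/null 2>&1 && hits="$hits $member"
    done
    [ -n "$hits" ] && echo "ipset:  $addr is in:$hits" \
                   || echo "ipset:  $addr is in none of the member sets"
    refs="$(reference_count "$(ipset list -t "$SETNAME")")"
    echo "refs:   $SETNAME has ${refs:-?} kernel reference(s)"
    if raw_hook_present "$($ipt -t raw -S PREROUTING)" "$SETNAME" "$CHAIN"; then
        echo "rules:  $ipt raw PREROUTING hooks $SETNAME into $CHAIN"
    else
        echo "rules:  no $ipt raw PREROUTING rule for $SETNAME (passthrough missing)"
    fi
}

if [ $# -eq 1 ]; then diagnose "$1"; fi
```

If the address is found in a member set but the reference count is 0 and the hook rule is missing, the sets are fine and the direct passthroughs are simply not loaded; if the hook is present and the address is in no member set, the problem is on the ipset side.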
Re: firewalld-users Digest, Vol 50, Issue 2
by John Griffiths
> Have you tried Fail2Ban? It works with firewalld.
>
> Cheers,
>
> JonRam
I have not. My stuff existed before Fail2Ban. It worked with iptables
and it also worked with firewalld.
I know that Linux is an ever-moving target. I just dislike that something
that worked no longer works without at least going through a deprecation
notice period.
As someone noted, if cars went through the same changes that operating
systems do, we'd all have to learn to drive again every time we bought a
new car.
I am not belittling the effort that goes into all that Linux is
including firewalld. I wrote software for over 30 years. I appreciate
the difficulty of development, user base satisfaction, and the value of
regression testing.
Thanks,
John
6 years, 6 months
Re: firewalld and ipsets
by John Griffiths
> As many active zones you need are possible; see: firewall-cmd
> --get-active-zones But only one zone per interface.
>
And there is the problem. I have one NIC, so one interface. I have a
router in front of the system on which I am running firewalld. The
router forwards some ports to the system. I am using firewalld to
protect the system from IPs trying to break into it.
I have an active zone on the interface which defines services that are
permitted and their ports. I have been using a direct rule to use ipsets
to blacklist IPs. When I updated to the versions of ipset and firewalld that
are in Fedora 26, the direct rule quit working. That may be a bug or
bugs or a change in use. Either way, firewalld is no longer blocking the
IPs in the ipsets I have defined.
John
6 years, 6 months
Re: firewalld and ipsets
by John Griffiths
> You can have as many zones as you have memory to hold. A zone is a policy,
> destinations, and a group of sources, which could be interfaces or source addresses.
It is true you can have as many zones as you want, but you can only have
one active zone at a time as far as I know.
John
6 years, 6 months
Re: firewalld and ipsets
by John Griffiths
Thank you for the reply although I am not completely clear on what you
are saying since part seems to be a question.
Using direct was the only way to use ipsets when I started using them
with firewalld.
Are you saying that ipsets cannot be used with direct now in firewalld?
Also, ipsets that were members of a "super" ipset would have the IPs in
those sets found by referencing the "super" ipset, as I explained in my
original post to the list. That seems to be no longer the case. Is that
by intent? Is that a change in ipset or in firewalld?
I already use the FedoraServer zone. I can't have two zones active. So,
creating a zone that drops always would defeat the current zone I am using.
I want to use firewalld as intended, but at rev 0.4.4.5, the software
is, as would be expected, in flux and the documentation is sparse and
lags development. The section on ipsets is particularly sparse.
I have over 500 IPs that I want blacklisted. At one time, when my
system was under heavy attack, I had over 4000. I have programs that
dynamically add and delete IPs from ipsets based on how persistent the
abuse from the IP is.
The direct method of firewalld was working quite well. Now it is not
blocking any of the IPs that I want to blacklist.
I guess I could go back to iptables, but that is not my first choice;
I must get the blocking of IPs working soon.
I hope I can get some help with this.
Regards,
John
6 years, 7 months