Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN
to the internet.
I have recently added IPv6 DHCPv6 config to the router, and prefix
delegation works, so the devices in my home LAN get proper IPv6 addresses.
However, I don't like the idea that all IPv6-enabled devices in my home LAN
have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT
approach to protect the devices in the home LAN from being accessed from
the internet.
How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN being accessed from the
internet?
-Paavo
5 years, 9 months
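The stateful LAN-to-WAN-only forwarding that the ip6tables rules above express, done through firewalld's own objects, as an added example that is not part of Paavo's post. It assumes firewalld 0.9 or newer (policy objects), eth0 on the WAN side and eth1 on the LAN side, and that nothing else edits the ruleset. Run it as root with `apply`, or with `show` to print the firewall-cmd invocations without executing them.

```shell
#!/bin/sh
# Added example (not from the original post): stateful IPv6 forwarding for a
# home router using firewalld policies instead of raw ip6tables FORWARD rules.
# Assumptions: WAN interface eth0, LAN interface eth1, firewalld >= 0.9.
WANIF=${WANIF:-eth0}
LANIF=${LANIF:-eth1}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
fw()  { run firewall-cmd --permanent "$@"; }

configure_ipv6_forwarding() {
    # Each interface goes into its own zone; policies refer to zones,
    # not to interface names.
    fw --zone=external --change-interface="$WANIF"
    fw --zone=internal --change-interface="$LANIF"

    # LAN -> WAN: allow new connections.  Replies (and RELATED traffic such
    # as ICMPv6 Packet Too Big) are accepted by firewalld's own conntrack
    # rule at the top of the FORWARD chain, so no policy is needed for them.
    fw --new-policy=lan-to-wan
    fw --policy=lan-to-wan --add-ingress-zone=internal
    fw --policy=lan-to-wan --add-egress-zone=external
    fw --policy=lan-to-wan --set-target=ACCEPT

    # WAN -> LAN: unsolicited traffic to the delegated prefix is dropped.
    # Without any policy firewalld would already reject forwarded traffic
    # that no policy matches; an explicit policy makes the intent visible
    # in "firewall-cmd --list-all-policies" and is where a port forward
    # would later be added as a rich rule.
    fw --new-policy=wan-to-lan
    fw --policy=wan-to-lan --add-ingress-zone=external
    fw --policy=wan-to-lan --add-egress-zone=internal
    fw --policy=wan-to-lan --set-target=DROP

    # Activate the permanent configuration.
    run firewall-cmd --reload
}

case "${1:-}" in
    apply) configure_ipv6_forwarding ;;
    show)  DRY_RUN=1; configure_ipv6_forwarding ;;
esac
```

On a firewalld older than 0.9 (RHEL 7 era) there are no policy objects; the equivalent is to pass the three ip6tables rules from the post through `firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD ...`, which firewalld places in its FORWARD_direct chain.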
Adding masquerade for subnet (openvpn)
by alen.alen@powdermail.com
I am following this tutorial[1] to set up OpenVPN. It suggests running
both of the following commands:
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat \
    -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
I was reading about firewalld and iptables, and some people have
written[2] that the 1st command should already add a rule similar to the
2nd one, I guess without the specific subnet range. Why not use only
the 2nd command? What is the benefit of also running the 1st?
Regarding the -o eth1: I have multiple public IP addresses, each with
its own interface. How do I force NAT/MASQUERADE of the openvpn
subnet to the IP address (interface) of my choice? Is -o eth1
detecting traffic that is already routed out interface eth1? If yes,
where does the routing happen? If no, can I change it to -o eth2 to get
what I want? (BTW, openvpn is only listening on port 1194 on the IP
address that's on eth2.)
Other question: I read[3] "if you use default public zone for your
external facing network adapter then your loopback interface could
also be masqueraded", which I am concerned about. How do I test if this
is the case, and what are the side effects?
[1]
https://www.digitalocean.com/community/tutorials/how-to-setup-and-configu...
[2]
https://www.reddit.com/r/linuxadmin/comments/7iom6e/what_does_firewallcmd...
[3] https://unix.stackexchange.com/a/149193
-------------------------------------------------
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
5 years, 11 months
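An added example, not from the tutorial or from the poster, of masquerading only the VPN subnet and only when it leaves through the chosen public interface, plus a check for the loopback concern raised in [3]. It assumes the VPN subnet 10.8.0.0/24 and that eth2 (the interface OpenVPN listens on) is the one whose address should be used; the zone name "external" and the sample nat rules are constructed for the example. The check relies on the fact that firewalld's zone masquerade rule carries a `! -o lo` exclusion; the poster's raw `-A POSTROUTING ... -o eth1` rule does not, but is pinned to an interface, so neither can match loopback.

```shell
#!/bin/sh
# Added example (not the tutorial's or the poster's code).
# Assumptions: VPN subnet 10.8.0.0/24, public interface eth2, zone "external".
VPN_NET=${VPN_NET:-10.8.0.0/24}
PUB_IF=${PUB_IF:-eth2}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

configure_vpn_masquerade() {
    # In nat POSTROUTING firewalld picks the zone by the packet's OUTPUT
    # interface, exactly like "-o eth1" in a raw rule.  Which interface
    # that is has already been decided by the routing table
    # ("ip route get 1.1.1.1 from 10.8.0.2"), not by the firewall: a rule
    # with -o eth2 simply never matches if the kernel routes out eth1.
    run firewall-cmd --permanent --zone=external --change-interface="$PUB_IF"
    # A rich rule limited to the VPN source instead of a zone-wide
    # --add-masquerade, so the router's other subnets are not NATed too.
    run firewall-cmd --permanent --zone=external \
        --add-rich-rule="rule family=ipv4 source address=$VPN_NET masquerade"
    run firewall-cmd --reload
}

# Read "iptables -t nat -S" output on stdin and report every MASQUERADE
# rule that is neither pinned to an output interface nor excludes lo.
# Returns 0 when all masquerade rules are scoped, 1 otherwise.
check_masquerade_scope() {
    status=0
    while IFS= read -r line; do
        case "$line" in *MASQUERADE*) ;; *) continue ;; esac
        case "$line" in
            *'! -o lo'*) ;;                       # firewalld zone masquerade
            *' -o lo '*) printf 'masquerades loopback: %s\n' "$line"; status=1 ;;
            *' -o '*)    ;;                       # pinned to an interface
            *)           printf 'unscoped masquerade: %s\n' "$line"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample, not captured from a real host: one firewalld rich-rule
# masquerade and one bare POSTROUTING masquerade that would also match lo.
SAMPLE_NAT_RULES='-A POST_external_allow -s 10.8.0.0/24 ! -o lo -j MASQUERADE
-A POSTROUTING -j MASQUERADE'

case "${1:-}" in
    apply) configure_vpn_masquerade ;;
    show)  DRY_RUN=1; configure_vpn_masquerade ;;
    check) iptables -t nat -S | check_masquerade_scope ;;
    demo)  printf '%s\n' "$SAMPLE_NAT_RULES" | check_masquerade_scope ;;
esac
```

`firewall-cmd --zone=external --list-all` shows the rich rule afterwards, which a `--direct --passthrough` rule never does; the `check` mode answers the "how do I test it" question on a live host.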
differences between various --direct commands
by alen.alen@powdermail.com
For adding a custom iptables rule using firewall-cmd, I'm having a
difficult time understanding the difference between these:
--direct --add-rule
--direct --passthrough
--direct --add-passthrough
The manual explanation sounds the same for all three. There must be a
reason to have each one, they have to be different; can you help me
understand which one I should use?
5 years, 11 months
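The same POSTROUTING masquerade rule expressed through each of the three --direct forms, with the listing commands that show what firewalld remembers about each, as an added example that is not part of the post. It reuses the 10.8.0.0/24 subnet and eth1 interface from the OpenVPN thread above as assumptions; `show` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the post). Assumptions: VPN subnet 10.8.0.0/24,
# outgoing interface eth1; run as root, or DRY_RUN=1 to print commands only.
VPN_NET=${VPN_NET:-10.8.0.0/24}
OUT_IF=${OUT_IF:-eth1}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. --add-rule: firewalld owns the rule.  The arguments are
#    family table chain priority <iptables match/target arguments>.
#    firewalld puts it into its own POSTROUTING_direct chain, which is
#    jumped to before the zone chains, and orders rules by priority.
#    Listed by --get-all-rules, removed by --remove-rule, saved with
#    --permanent.
add_rule_form() {
    run firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -s "$VPN_NET" -o "$OUT_IF" -j MASQUERADE
}

# 2. --add-passthrough: firewalld records the raw iptables arguments and
#    replays them but does not interpret them.  You supply the table, the
#    verb (-A/-I) and the chain yourself, so this one lands in the real
#    POSTROUTING chain after firewalld's own chains.  Listed by
#    --get-all-passthroughs, removed by --remove-passthrough, and
#    --permanent is accepted.
add_passthrough_form() {
    run firewall-cmd --permanent --direct --add-passthrough ipv4 -t nat \
        -A POSTROUTING -s "$VPN_NET" -o "$OUT_IF" -j MASQUERADE
}

# 3. --passthrough: handed to iptables and then forgotten.  firewalld keeps
#    no record, so it cannot list or remove it and it does not survive a
#    --reload, which flushes the tables.  Suited to one-off inspection
#    commands such as this listing, not to rules you want to keep.
passthrough_form() {
    run firewall-cmd --direct --passthrough ipv4 -t nat -L POSTROUTING -n -v
}

# What firewalld knows afterwards: forms 1 and 2 appear in their listing,
# the passthrough_form command appears in neither.
list_tracked() {
    run firewall-cmd --direct --get-all-rules
    run firewall-cmd --direct --get-all-passthroughs
}

case "${1:-}" in
    rule)        add_rule_form ;;
    passthrough) add_passthrough_form ;;
    inspect)     passthrough_form ;;
    list)        list_tracked ;;
    show)        DRY_RUN=1; add_rule_form; add_passthrough_form; passthrough_form; list_tracked ;;
esac
```

The practical difference is ownership: use --add-rule when firewalld should manage, order and persist the rule; --add-passthrough only when you need a verb or chain firewalld's rule syntax cannot express; --passthrough for ad-hoc commands.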
Firewalld Scan Interval
by Lesley Kimmel
Does firewalld periodically scan its directories?
I am having an issue where I programmatically create a service file
(/etc/firewalld/services/name.xml) and then immediately try to add it
(firewall-cmd --permanent --zone public --add-service name), and it
frequently tells me that the service file is not found.
If I put a delay (say 5 seconds) in between, it seems to work every time.
I can't find any documentation that this is the expected behavior.
Thanks
-Lesley Kimmel
5 years, 11 months
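One way to register a custom service without racing the daemon, as an added example that is not Lesley's script. firewalld picks up files written into /etc/firewalld/services through a file watcher that runs asynchronously in the daemon, so an --add-service issued right after the write can arrive before the daemon has loaded the new file. Handing the definition to firewalld over its own interface (`--new-service-from-file`, or `--new-service` followed by `--add-port`) avoids the window: when firewall-cmd returns, the daemon already has the service. The service name "myapp", port 8443/tcp and zone "public" are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): create a firewalld service through
# firewall-cmd rather than by writing into /etc/firewalld/services directly.
# Assumptions: service "myapp" on 8443/tcp in zone "public"; run as root, or
# with DRY_RUN=1 to print the firewall-cmd calls.
NAME=${NAME:-myapp}
PORTS=${PORTS:-8443/tcp}
ZONE=${ZONE:-public}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Emit a firewalld service definition on stdout.
# Usage: service_xml <name> <port/proto>...
service_xml() {
    name=$1; shift
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>Generated service definition for %s</description>\n' "$name"
    for pp in "$@"; do
        # "8443/tcp" -> port="8443" protocol="tcp"
        printf '  <port protocol="%s" port="%s"/>\n' "${pp#*/}" "${pp%/*}"
    done
    printf '</service>\n'
}

register_service() {
    tmp=$(mktemp) || return 1
    # shellcheck disable=SC2086  # PORTS is intentionally word-split
    service_xml "$NAME" $PORTS > "$tmp"
    # The daemon reads the file itself and stores the permanent service;
    # no watcher involved, and it fails cleanly if the name already exists.
    run firewall-cmd --permanent --new-service-from-file="$tmp" --name="$NAME"
    rm -f "$tmp"
    # Safe to reference immediately: the service exists when the call returns.
    run firewall-cmd --permanent --zone="$ZONE" --add-service="$NAME"
    run firewall-cmd --reload
}

case "${1:-}" in
    apply) register_service ;;
    show)  DRY_RUN=1; register_service ;;
    xml)   service_xml "$NAME" $PORTS ;;
esac
```

If the XML must be written into /etc/firewalld/services by some other tool, a `firewall-cmd --permanent --get-services | grep -qw "$NAME"` poll before the `--add-service` is the honest replacement for a fixed sleep.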