Firewalld & IPv6
by Paavo Leinonen
Hi,
I'm running firewalld in a router that connects the devices in my home LAN to the internet.

I have recently added IPv6 DHCPv6 config to the router, and prefix delegation works, so the devices in my home LAN get proper IPv6 addresses.

However, I don't like the idea that all IPv6 enabled devices in my home LAN have public IPv6 addresses. I'd very much prefer a simple IPv4-style NAT approach to protect the devices in my home LAN from being accessed from the internet.

How do I implement something like this with firewalld in the router?
wanif=eth0
lanif=eth1
ip6tables -A FORWARD -m state --state NEW -i $lanif -o $wanif -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -P FORWARD DROP
Other ways to protect the devices in my home LAN from being accessed from the internet?
-Paavo
5 years, 9 months
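The poster's three ip6tables FORWARD rules expressed as firewalld direct rules, as an added example that is not part of the original thread: eth0/eth1 come from the post, while the function names and the interface-name check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the poster's ip6tables FORWARD
# policy expressed as firewalld direct rules. eth0/eth1 come from the post; the
# function names and the interface-name check are assumptions of this example.
set -eu

# Print the firewall-cmd invocations for a stateful IPv6 forward policy:
# LAN->WAN may open connections, WAN->LAN only receives replies.
# Usage: ipv6_forward_cmds LANIF WANIF
ipv6_forward_cmds() {
  lanif=$1
  wanif=$2
  # Refuse anything that is not a plausible Linux interface name, so a typo
  # or stray shell metacharacter cannot end up inside a firewall rule.
  for ifname in "$lanif" "$wanif"; do
    case $ifname in
      ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: '$ifname'" >&2; return 1 ;;
    esac
  done
  # Direct rules run in priority order inside FORWARD_direct, which firewalld
  # jumps to at the top of FORWARD, so the final DROP is reached before any
  # zone-based IPv6 forwarding rule. Conntrack classifies ICMPv6 errors for
  # known flows as RELATED, so Packet Too Big for PMTUD still gets through.
  cat <<EOF
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i $lanif -o $wanif -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 2 -j DROP
firewall-cmd --reload
EOF
}

# Apply the rules where firewall-cmd exists; elsewhere only print them, so the
# script can be reviewed on a workstation before it is run on the router.
apply_ipv6_forward_policy() {
  cmds=$(ipv6_forward_cmds "$1" "$2") || return 1
  if command -v firewall-cmd >/dev/null 2>&1; then
    printf '%s\n' "$cmds" | sh -e
  else
    printf '%s\n' "$cmds"
  fi
}

apply_ipv6_forward_policy eth1 eth0
```

The trailing DROP applies only to IPv6; IPv4 forwarding keeps whatever the zones and masquerade settings already allow.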
Assign conntrack helper without allowing INPUT for service
by Marcelo Ricardo Leitner
Hi,
I'm trying to use
# firewall-cmd --set-automatic-helpers=no
to have it only assign the expected helpers, as it is more secure.
The protocol I'm interested in is FTP. The gateway in question doesn't provide any FTP service, but at the same time it seems I cannot get firewalld to add the CT iptables rule if I don't add the FTP service to the zone ('internal' one, fwiw), which in turn also allows INPUT of such packets, but that's not wanted.
Is there a way that I can allow it to assign the helper without having to allow the INPUT for such service?
I'm on firewalld-0.4.4.4-6.el7.noarch, on CentOS.
Thanks,
Marcelo
5 years, 10 months