with ipv6, you just allow the specific ports destined to the specific local machine(s) in on your WAN side, they don't need translating. same sort of rule as if you had a internet-facing service running on the routing system
On Tue, May 26, 2020 at 11:55 AM Kenneth Porter shiva@sewingwitch.com wrote:
I finally got an ISP connection with working IPv6 and now I need to add firewall rules for forwarding connections from my LAN to the WAN. I'm using firewalld to handle the high-level description that gets translated to iptables/ip6tables on CentOS 7.
Of course, with IPv6, one doesn't do NAT, so the usual masquerade target doesn't make sense. But I want similar connection logic, with no inbound connections allowed to LAN clients and all outbound connections allowed. How does one express this in either firewalld or its ip6tables "direct rules"?
I don't currently need port-forwarding to internal servers but, for completeness, what would such rules look like?
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
yes, outbound UDP through the NAT layer adds an entry to the tracking table which expires after some time.
this sorta explains it... https://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html
On Tue, May 26, 2020 at 12:59 PM Kenneth Porter shiva@sewingwitch.com wrote:
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Once upon a time, Kenneth Porter shiva@sewingwitch.com said:
I figure that TCP is easy: Add a rule to the forward chain to allow SYN packets. There's already connection tracking to handle established connections. Does connection tracking handle UDP? If I allow all UDP from the LAN interface and one sends a DNS query from LAN to WAN, will the reply get back? I don't want to blanket authorize all UDP. ICMPv6, maybe, to allow traceroutes. Unless that's also handled by the tracking system.
Anything that's already working through IPv4 NAT should work just fine through IPv6 with connection tracking.
IPv4 NAT is a stateful, connection tracking, packet mangling firewall. With IPv6, you can just do the same thing without the packet mangling misfeatures of NAT, with just connection tracking.
But don't go blocking ICMP - doing that in IPv4 already can break things, and it can break even more things in IPv6.