Lorenzo Martignoni wrote:
> but, as you can see, on my own system ipv6 seems to be disabled
> correctly.
>
> What happens on your system if you clear all firewall rules and policies
> and then issue a "shorewall start"?
>
> -- lorenzo

Ok, the recent kernel-image-2.6.8-i386 security update gave me an opportunity to double check this. The output of 'ip6tables --list' after booting up shows that ACCEPT is the policy for all three chains. I am attaching the shorewall-init.log.

Running 'shorewall start' does not change this ("Shorewall Already Started"). Running 'shorewall restart' does correctly set the chains' policy to DROP.

Is it possible that the ipv6 kernel modules are not loaded when shorewall is started, and so shorewall doesn't bother running ip6tables to set the default policy?

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078

[attachment: shorewall-init.log]
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Stopping Shorewall...Disabling IPV6...
done.
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
Determining Zones...
   Zones: net
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.AllowSPAMD...
   Pre-processing /usr/share/shorewall/action.AllowSyslog...
   Pre-processing /usr/share/shorewall/action.AllowAmanda...
   Pre-processing /usr/share/shorewall/action.AllowLDAP...
   Pre-processing /usr/share/shorewall/action.AllowICQ...
   Pre-processing /usr/share/shorewall/action.AllowBitTorrent...
   Pre-processing /usr/share/shorewall/action.AllowSMBswat...
   Pre-processing /usr/share/shorewall/action.DropSMTP...
   Pre-processing /usr/share/shorewall/action.AllowCVS...
   Pre-processing /usr/share/shorewall/action.AllowSVN...
   Pre-processing /usr/share/shorewall/action.AllowMySQL...
   Pre-processing /usr/share/shorewall/action.AllowPostgreSQL...
   Pre-processing /usr/share/shorewall/action.AllowRsync...
   Pre-processing /usr/share/shorewall/action.AllowDistcc...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/routestopped ...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Setting up Kernel Route Filtering...
Processing /etc/shorewall/rules...
   Rule "ACCEPT net fw tcp ssh" added.
   Rule "ACCEPT net fw tcp smtp" added.
   Rule "ACCEPT net fw tcp domain" added.
   Rule "ACCEPT net fw udp domain" added.
   Rule "ACCEPT net fw tcp www" added.
   Rule "ACCEPT net fw tcp imap" added.
   Rule "ACCEPT net fw tcp https" added.
   Rule "ACCEPT net fw tcp imaps" added.
   Rule "ACCEPT net fw tcp xmpp-client" added.
   Rule "ACCEPT net fw tcp 5223" added.
   Rule "ACCEPT net fw tcp xmpp-server" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT net fw tcp 6881" added.
   Rule "REDIRECT net 10080 tcp www - 212.227.91.3" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed" added.
   Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for net to fw using chain net2all
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started
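The symptom in this thread is that the IPv6 chains still carry an ACCEPT policy after boot even though Shorewall reports "Disabling IPV6" in its log. The script below is an added example, not code from the thread or from Shorewall: a small POSIX sh audit that parses `ip6tables --list` output and reports any built-in chain whose policy is not DROP, so the post-boot state can be checked (or scripted into a boot-time sanity check) instead of eyeballed. The function names (`ip6_open_chains`, `ip6_policies_ok`, `ip6_tables_present`) and the two sample listings are assumptions: the listings are constructed to resemble the before-restart and after-restart states Sam describes, not captured output from his system.

```shell
#!/bin/sh
# Audit ip6tables built-in chain policies from 'ip6tables --list' output.
# Added example; nothing here is Shorewall's own code.

# Print "CHAIN POLICY" for every built-in chain whose policy is not DROP.
# Reads 'ip6tables --list' (or 'ip6tables -L -n -v') output on stdin.
# Header lines look like:  Chain INPUT (policy ACCEPT)
ip6_open_chains() {
    awk '
        /^Chain [A-Z]+ \(policy / {
            chain  = $2
            policy = $4
            sub(/\)$/, "", policy)      # strip trailing ")" when no -v counters follow
            if (policy != "DROP") print chain, policy
        }
    '
}

# Returns 0 when every built-in chain policy is DROP, 1 otherwise.
# Input on stdin, same format as above.
ip6_policies_ok() {
    [ -z "$(ip6_open_chains)" ]
}

# The thread's hypothesis is that ip6_tables was not loaded when Shorewall
# started. /proc/net/ip6_tables_names only exists once ip6_tables is present
# (loaded as a module or built in), so this is a module-independent check.
ip6_tables_present() {
    [ -r /proc/net/ip6_tables_names ]
}

# Constructed sample: the post-boot state reported in the thread (all ACCEPT).
SAMPLE_AFTER_BOOT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the state after "shorewall restart" (all DROP).
SAMPLE_AFTER_RESTART='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

# When run directly as root with ip6tables available, audit the live firewall;
# otherwise demonstrate on the constructed post-boot sample.
if command -v ip6tables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    ip6_tables_present || echo "ip6_tables is not present in this kernel"
    ip6tables -L -n | ip6_open_chains
else
    printf '%s\n' "$SAMPLE_AFTER_BOOT" | ip6_open_chains
fi
```

Run as root, the script prints one line per IPv6 chain that is still open; an empty result means the DROP policies took effect. Running it once after boot and once after `shorewall restart` reproduces the comparison made in the post, and the `ip6_tables_present` check separates "the module was never loaded" from "the policy was never set".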
