On 5/17/2015 6:53 AM, aleph de wrote:
> I'm setting up a home router/firewall.
>
> It's running Shorewall-lite & Shorewall6-lite.
>
> I have an IPv6 tunnel provided by Hurricane Electric's tunnelbroker.
>
> I have a VPS with a DNS secondary that needs to communicate to a DNS primary
> that's on my home DNS primary, over IPv6.
>
> At the moment, my shorewall logs on the home router are showing this DROP
>
> May 17 06:24:57 yoda kernel: [235522.153692] shorewall:net2fw:DROP
> IN=sit1 OUT= TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234 DST=2001:...:0100
> LEN=72 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44927 DPT=53 WINDOW=28800
> RES=0x00 SYN URGP=0 MARK=0x100
>
> Where
>
> H.H.H.H is the IPv6 tunnel's IPv4 endpoint @ Hurricane Electric
> L.L.L.L is the IPv6 tunnel's IPv4 endpoint @ my office, i.e. my static
> IPv4
> 2600:...:1234 is IPv6 address of the DNS 2ndary server @ the VPS
> 2001:...:0100 is IPv6 address of the DNS primary server @ the office
>
> I don't understand the interfaces involved in that DROP
>
> ... IN=sit1 OUT= TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234
> DST=2001:...:0100 ...
>
> What specific IPv6 Shorewall rule do I need to create to allow this traffic?

Looks to me as though you neglected to configure an IPv4 rule for the
tunneled traffic. I do that through use of the tunnels file:

    #TYPE    ZONE    GATEWAY            GATEWAY
    #                                   ZONE
    6to4     net     216.218.226.238

Where 216.218.226.238 is the IPv4 endpoint at HE.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
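
For reading the DROP line quoted in the question, an added example (not part of either message and not Shorewall code): a small Python parser that splits the log prefix into chain and disposition and separates the outer IPv4 tunnel endpoints (TUNNEL=) from the inner IPv6 addresses. The function name and the returned keys are assumptions of this example; the sample line is the one from the post, redactions included.

```python
import re

# Log line quoted in the post, with the poster's redactions left in place.
SAMPLE = (
    "May 17 06:24:57 yoda kernel: [235522.153692] shorewall:net2fw:DROP "
    "IN=sit1 OUT= TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234 DST=2001:...:0100 "
    "LEN=72 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44927 DPT=53 WINDOW=28800 "
    "RES=0x00 SYN URGP=0 MARK=0x100"
)

# Prefix as it appears in the posted line: <tag>:<chain>:<disposition> before IN=
PREFIX = re.compile(r"\b\w+:(?P<chain>[\w.-]+):(?P<disposition>[A-Z]+):?\s+(?=IN=)")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value; the value may be empty (OUT=)


def parse_drop_line(line):
    """Hypothetical helper: decode one netfilter LOG line with a Shorewall prefix."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no <tag>:<chain>:<disposition> prefix before IN=")
    rest = line[m.end():]
    fields = dict(FIELD.findall(rest))
    # Bare upper-case tokens with no '=' are TCP flags (SYN, ACK, ...).
    flags = [tok for tok in rest.split() if "=" not in tok and tok.isupper()]
    outer = None
    if "TUNNEL" in fields:
        # Outer IPv4 header of the encapsulated packet: source->destination.
        src4, _, dst4 = fields["TUNNEL"].partition("->")
        outer = (src4, dst4)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in_if": fields.get("IN", ""),
        # Empty OUT= means no egress interface; in a net2fw chain that is
        # traffic handled as addressed to the firewall itself, not forwarded.
        "local_delivery": fields.get("OUT", "") == "",
        "outer_ipv4": outer,
        "inner_ipv6": (fields.get("SRC"), fields.get("DST")),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in parse_drop_line(SAMPLE).items():
        print(f"{key:15} {value}")
```

On the posted line this reports the packet as an IPv6 TCP SYN to port 53 that arrived on sit1 after decapsulation, with H.H.H.H->L.L.L.L being the IPv4 addresses of the 6in4 wrapper rather than a second interface.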

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
