On 8/17/20 5:23 PM, Timo Sigurdsson wrote:
> Hi,
>
> I have shorewall running on a gateway that gets both IPv4 and IPv6 addresses
> or prefixes dynamically assigned by my ISP. When I dump the ip6tables rules
> with ip6tables-restore, I can see certain rules containing anycast addresses
> for each interface. The rules look like these:
>
> -A Broadcast -d 2001:db8:1:1::/128 -j DROP
> -A Broadcast -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP
> -A reject -d 2001:db8:1:1::/128 -j DROP
> -A reject -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP
> -A smurfs -s 2001:db8:1:1::/128 -g smurflog
> -A smurfs -s 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -g smurflog
>
> I'd like to know: What generates these rules and can I suppress just these
> without changing anything else in the ruleset? I tried a few options like
> removing the nosmurfs option in the interfaces file, since the smurfs chain
> is referenced here, but that didn't do anything. Neither did any of my
> attempted changes to shorewall.conf, so I still don't even know what causes
> these rules to be generated.
>
> The reason I'm asking is this: The anycast-related rules are the only ones
> changing when I reload shorewall6 after my gateway received new IPv6
> addresses. Since renumbering occurs frequently on this machine, I'm wondering
> if I can avoid having to reload shorewall6 all the time. I thought about
> adding a hook to my DHCPv6 client that could add the anycast addresses for
> each interface to an ipset, so I could reference just the ipset in my
> shorewall6 configuration and the ruleset itself could stay the same without
> the need to reload shorewall6 after renumbering occurs.
>
It is currently somewhat convoluted to eliminate these rules:

a) Create your own version of action.Broadcast which does not include the
   anycast addresses.

b) Don't use nosmurfs. If you want Smurf protection:

   i)  Create your own copy of action.DropSmurfs that doesn't include
       anycast addresses.
   ii) Invoke DropSmurfs in the ALL section of the rules file for packets
       entering through interfaces that you wish to protect.

c) Use the REJECT_ACTION option in shorewall6.conf to define your own
   'reject' chain. The action's code listed in the manpage should work,
   provided that you have done a), above.

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster
Shoreline,            \    with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \    can't understand
                         \________________________________________
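An added example, not from the original thread, of the DHCPv6 hook Timo describes: given the newly delegated /64, it derives the two anycast networks that show up in the quoted rules (the subnet-router anycast ::/128 and the reserved ff80/121 block) and loads them into an ipset, so a static shorewall6 ruleset can match +anycast6 instead of being reloaded after every renumbering. The set name anycast6 and the convention that the hook receives the prefix as a command-line argument are assumptions.

```python
import ipaddress
import subprocess
import sys

IPSET_NAME = "anycast6"  # assumed set name; shorewall6 rules would refer to it as +anycast6


def anycast_networks(prefix: str) -> list:
    """Derive the anycast networks the quoted ip6tables rules match for one /64.

    Two forms appear in the thread: the subnet-router anycast address
    (<prefix>::/128, RFC 4291) and the reserved subnet anycast block
    (<prefix>:ffff:ffff:ffff:ff80/121, RFC 2526). Only /64 is accepted,
    since the /121 block presumes a 64-bit interface identifier.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)  # tolerate an address inside the prefix
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 prefix, got /{net.prefixlen}")
    subnet_router = ipaddress.IPv6Network((net.network_address, 128))
    # Highest 128 addresses of the /64: ...:ffff:ffff:ffff:ff80 through ...:ffff
    reserved = ipaddress.IPv6Network((net.broadcast_address - 127, 121))
    return [subnet_router, reserved]


def ipset_commands(prefixes: list, setname: str = IPSET_NAME) -> list:
    """Build the ipset invocations for one renumbering event, as argv lists.

    The set is created idempotently, flushed so entries for the previous
    prefix disappear, then repopulated. Nothing is executed here.
    """
    cmds = [["ipset", "create", setname, "hash:net", "family", "inet6", "-exist"],
            ["ipset", "flush", setname]]
    for prefix in prefixes:
        for net in anycast_networks(prefix):
            cmds.append(["ipset", "add", setname, str(net), "-exist"])
    return cmds


def main(argv: list) -> int:
    # Assumed hook convention: the DHCPv6 client passes the delegated /64
    # prefix(es) as arguments, e.g.  update-anycast6.py 2001:db8:1:1::/64
    if len(argv) < 2:
        print("usage: update-anycast6.py PREFIX/64 [PREFIX/64 ...]", file=sys.stderr)
        return 2
    for cmd in ipset_commands(argv[1:]):
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Flushing before repopulating matters: without it the set keeps matching anycast addresses of the prefix you no longer hold.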
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users