6

I'm trying to setup an IPv6 web-server on CentOS 7.2 with NGINX. I have tested my IPv6 connectivity outgoing and incoming - everything works. My IP, AAAA records, etc as fine as well. Essentially everything is OK until I enable FirewallD.

I have it set up to default to the drop zone with eth0 interface. I have enabled dhcpv6-client, http, https and ssh (ssh is on a custom port). When the firewall is enabled no IPv6 traffic can leave or enter the machine. Traceroute6 to anything (even the gateway) only goes to localhost. If I disable the firewall, it's all good.

I have no idea why this is happening. I couldn't find anything online in order to make FirewallD apply the same IPv4 config to the IPv6 traffic. I personally thought, it would do that automatically, as all of its commands are IP protocol agnostic.

Any help is much appreciated.

kasperd
  • 30,455
  • 17
  • 76
  • 124
kgizdov
  • 205
  • 1
  • 2
  • 4
  • You set the zone to `drop`? Do you really _intend_ to drop all traffic? – Michael Hampton Apr 11 '16 at 01:54
  • yes, I would like to drop all traffic that I haven't explicitly permitted. – kgizdov Apr 11 '16 at 02:23
  • Use the `public` zone then. `drop` is intended to drop all traffic without exception. – Michael Hampton Apr 11 '16 at 02:56
  • Also see http://unix.stackexchange.com/questions/275612/firewalld-blocks-ipv6-ignores-config – roaima Apr 11 '16 at 09:31
  • @MichaelHampton The only difference I see between the two is that the `drop` zone does not answer to unauthorised traffic - which I would really prefer to keep. In any case, using public over drop still doesn't answer my question as to why allowed IPV6 traffic is treated incorrectly, whereas allowed IPV4 is fine. – kgizdov Apr 11 '16 at 12:07
  • As @Mark points out in his answer, IPv6 depends on ICMPv6 in a way the IPv4 doesn't depend on ICMP. If you block that, things do not work correctly. – Ron Maupin May 06 '16 at 00:51

2 Answers2

8

I ran into the same issue. After following the logic through the rules that firewalld puts in I found that the drop zone was blocking ipv6 icmp that is needed to find the ipv6 neighbors. There is a rule to allow all ipv6 icmp but firewalld puts it after the input zones which is where the drop rules go.

If you want to see this for yourself just look at the output from 'ip6tables -L -n -v'

So, a quick and dirty fix is to do this:

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -j ACCEPT

Firewalld puts the direct rules before the other input rules so that will happen before the drop rules. If you want to block things like ping you would also use a direct rule but you would need it before the rule above.

You would do something like:

firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 --icmpv6-type 128 -j DROP
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -p icmpv6 -j ACCEPT

The priorities will keep them in order.

Mark
  • 106
  • 2
  • This works. I may instead try allowing only the types I need. Thanks. – kgizdov May 07 '16 at 13:02
  • does INPUT 0 and INPUT 1 mean priority? Having been able to find what INPUT # means in firewall-cmd commands – red888 Apr 06 '17 at 23:42
  • Is this still _current_, or is there a better way? – Maxxer Apr 06 '20 at 12:18
  • 2
    for the record recent versions of firewalld can allow icmpv6 with `firewall-cmd --zone public --add-protocol ipv6-icmp`. [rule change here](https://github.com/firewalld/firewalld/commit/f329311ac858a0d96d0dac99d7227c6dae643b75). credits goes to erig @ freenode – Maxxer Apr 06 '20 at 15:12
0

After some fiddling around with a Vultr (IPv6 works perfectly) and Contabo (IPv6 wouldn't work with firewalld) instance, I found the following sysctl differences even after running Contabo's custom enable_ipv6 script:

net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0

Even though there are no such settings in /etc/sysctl.conf, /etc/sysctl.d, /usr/lib/sysctl.d, /run/sysctl.d, or anywhere else. So it must be some weird hack deep, deep inside.

Imo it can't be firewalld differences, because this happens even after a clean install, so there's no rules at all. Listing all zones won't show anything weird either.

Anyhow, after putting the above 3 lines into /etc/sysctl.d/10-ipv6.conf (name it any way you want), and rebooting, everything started working as expected.

And no, don't ask me why IPv6 works with net.ipv6.conf.all.disable_ipv6 = 1 and firewalld turned off, it makes no sense whatsoever.

bviktor
  • 900
  • 6
  • 12