SCIENTIFIC-LINUX-USERS Archives

March 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date:
Wed, 21 Mar 2018 12:27:32 -0500
Hello,

We have just encountered a strange scenario with firewalld and ipv6.  We are running SL 7.4, with kernel 3.10.0-693.21.1.el7.x86_64 and firewalld-0.4.4.4-6, but this situation has existed for nearly a year, if not longer.  For a long time, I have thought our infrastructure team just didn't have IPv6 Routing or Boundary Firewall rules set up right because I have not been able to ping6 sites like google.com... (site info scrubbed) -

$ ping6 www.google.com
PING www.google.com(iad30s14-in-x04.1e100.net (2607:f8b0:4004:806::2004)) 56 data bytes
From localhost (IPv6 IP) icmp_seq=1 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=2 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=3 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=4 Destination unreachable: Address unreachable

Today a colleague temporarily disabled firewalld to troubleshoot an unrelated issue with IPv6, and noticed that ping6 to google now worked.  So I started tinkering and confirmed this...

$ ping6 www.google.com 
PING www.google.com(iad30s14-in-x04.1e100.net (2607:f8b0:4004:806::2004)) 56 data bytes
From localhost (IPv6 IP) icmp_seq=1 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=2 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=3 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=4 Destination unreachable: Address unreachable
<switch to root shell>
# systemctl stop firewalld
<switch back to the above shell>
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=32 ttl=53 time=2026 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=33 ttl=53 time=1026 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=34 ttl=53 time=27.0 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=35 ttl=53 time=22.1 ms

It's a strange thing, but the first few successful pings after stopping firewalld take a long time.  When I start firewalld, the pings will continue to succeed for a period of time, then the network will become unreachable again at some point later.

From a ruleset perspective, we do not filter outbound packets.  We do use the drop zone as default, but both my system and my colleague's have different input filtering, e.g. my system is a desktop, the system my colleague was working on is a DNS server.

My system's rules look like:
# firewall-cmd --get-active-zones
drop
  interfaces: enp2s0
# firewall-cmd --list-all
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp2s0
  sources: 
  services: ssh
  ports: 591/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Another point of interest is that looking at the ip6tables as ping6s are NOT reaching the target, I can see the packets piling up in the OUTPUT chain, but nothing is logged as DROP or REJECT.

# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1048 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1048  186K OUTPUT_direct  all      *      *       ::/0                 ::/0                
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1059 packets, 187K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1059  187K OUTPUT_direct  all      *      *       ::/0                 ::/0                
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1061 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1061  188K OUTPUT_direct  all      *      *       ::/0                 ::/0                
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1062 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1062  188K OUTPUT_direct  all      *      *       ::/0                 ::/0              

...But no packets are accounted in the OUTPUT_direct chain -

# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination        

Can anyone explain, validate my experience, or otherwise help me to resolve it without permanently disabling firewalld?
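The counter comparison done by hand above (the OUTPUT policy counter climbing while OUTPUT_direct stays at zero and no DROP or REJECT rule accounts anything) is the kind of check worth scripting so it can be repeated on other chains. The following Python script is an added example; it is not part of the original message and not firewalld or ip6tables code. It parses pasted `ip6tables -n -v -L <chain>` snapshots, computes per-rule and per-policy packet deltas between consecutive snapshots of the same chain, and reports how many packets in each interval left the chain via its default policy versus via a DROP or REJECT rule. The function names are the example's own; the OUTPUT and OUTPUT_direct sample listings reuse the counters shown in the post, and the INPUT listing with a DROP rule is constructed to show what a real drop looks like. The script assumes the rule order inside a chain does not change between snapshots and that every rule names a target.

```python
"""Compare successive `ip6tables -n -v -L <chain>` snapshots and report where
packets were accounted: against each rule's target, or against the chain policy.
Added example; assumes rule order is stable between snapshots."""
import re
from typing import Dict, List, Optional

# Built-in chains carry a policy plus its counters; user chains carry a reference count.
CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\S+) packets, (?P<bytes>\S+) bytes"
    r"|(?P<refs>\d+) references)\)$"
)
# Rule row: pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+")

# Sample input: OUTPUT / OUTPUT_direct counters as in the post, plus a constructed
# INPUT chain whose DROP rule gains packets between two snapshots.
SAMPLE_LISTING = """\
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1048 packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1048  186K OUTPUT_direct  all      *      *       ::/0                 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1059 packets, 187K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1059  187K OUTPUT_direct  all      *      *       ::/0                 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1061 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1061  188K OUTPUT_direct  all      *      *       ::/0                 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1062 packets, 188K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1062  188K OUTPUT_direct  all      *      *       ::/0                 ::/0
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
# ip6tables -n -v -L INPUT   (constructed: a rule that really drops)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   800 DROP       all      *      *       ::/0                 ::/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1040 DROP       all      *      *       ::/0                 ::/0
"""


def parse_count(text: str) -> int:
    """`-v` abbreviates counters (1K = 1000, 1M = 1000000); `-x` prints exact values."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)


def parse_snapshots(text: str) -> List[dict]:
    """One record per 'Chain ...' header, in the order pasted. Prompt lines are ignored."""
    snaps: List[dict] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = CHAIN_RE.match(line)
        if m:
            cur = {
                "name": m.group("name"),
                "policy": m.group("policy"),  # None for user-defined chains
                "policy_pkts": parse_count(m.group("pkts")) if m.group("pkts") else 0,
                "rules": [],  # list of (target, pkts)
            }
            snaps.append(cur)
            continue
        if cur is None:
            continue
        r = RULE_RE.match(line)
        if r:
            cur["rules"].append((r.group("target"), parse_count(r.group("pkts"))))
    return snaps


def chain_deltas(snaps: List[dict], chain: str) -> List[Dict[str, int]]:
    """Packet deltas between consecutive snapshots of `chain`, keyed by rule target
    plus 'policy' for packets that fell through to the chain's default policy."""
    series = [s for s in snaps if s["name"] == chain]
    deltas = []
    for prev, cur in zip(series, series[1:]):
        d = {"policy": cur["policy_pkts"] - prev["policy_pkts"]}
        for (t_prev, p_prev), (t_cur, p_cur) in zip(prev["rules"], cur["rules"]):
            if t_prev == t_cur:  # same rule position and target, so the counters are comparable
                d[t_cur] = d.get(t_cur, 0) + (p_cur - p_prev)
        deltas.append(d)
    return deltas


def summarize(snaps: List[dict], chain: str) -> dict:
    """Totals over all intervals: packets accepted by the policy vs. hit by DROP/REJECT rules."""
    deltas = chain_deltas(snaps, chain)
    series = [s for s in snaps if s["name"] == chain]
    return {
        "policy": series[0]["policy"] if series else None,
        "via_policy": sum(d["policy"] for d in deltas),
        "via_drop_rules": sum(d.get(t, 0) for d in deltas for t in ("DROP", "REJECT")),
    }


if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_LISTING)
    for chain in ("OUTPUT", "OUTPUT_direct", "INPUT"):
        print(chain, summarize(snaps, chain))
```

For the OUTPUT samples the script reports 14 packets leaving via the ACCEPT policy and none via a drop rule, which is the post's observation in numbers: the filter table's OUTPUT chain is not where the echo requests are being discarded. The constructed INPUT sample shows the contrasting case, three packets consumed by a DROP rule. Since the drop zone's DROP target sits on the input side (see the `firewall-cmd --list-all` output above), running the same comparison on the INPUT chain while pinging tells whether it is the replies, rather than the outbound requests, that are being dropped; use `ip6tables -x` when taking the snapshots so the counters are exact rather than rounded to K/M.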
