Hello,
We have just encountered a strange scenario with firewalld and IPv6. We are running SL 7.4, with kernel 3.10.0-693.21.1.el7.x86_64 and firewalld-0.4.4.4-6, but this situation has existed for nearly a year, if not longer. For a long time, I have thought our infrastructure team just didn't have IPv6 routing or boundary firewall rules set up right, because I have not been able to ping6 sites like google.com... (site info scrubbed) -
$ ping6 www.google.com
PING www.google.com(iad30s14-in-x04.1e100.net (2607:f8b0:4004:806::2004)) 56 data bytes
From localhost (IPv6 IP) icmp_seq=1 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=2 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=3 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=4 Destination unreachable: Address unreachable
Today a colleague temporarily disabled firewalld to troubleshoot an unrelated issue with IPv6, and noticed that ping6 to google now worked. So I started tinkering and confirmed this...
$ ping6 www.google.com
PING www.google.com(iad30s14-in-x04.1e100.net (2607:f8b0:4004:806::2004)) 56 data bytes
From localhost (IPv6 IP) icmp_seq=1 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=2 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=3 Destination unreachable: Address unreachable
From localhost (IPv6 IP) icmp_seq=4 Destination unreachable: Address unreachable
<switch to root shell>
# systemctl stop firewalld
<switch back to the above shell>
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=32 ttl=53 time=2026 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=33 ttl=53 time=1026 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=34 ttl=53 time=27.0 ms
64 bytes from iad30s15-in-x04.1e100.net (2607:f8b0:4004:807::2004): icmp_seq=35 ttl=53 time=22.1 ms
It's a strange thing, but the first few successful pings after stopping firewalld take a long time. When I start firewalld, the pings will continue to succeed for a period of time, then the network will become unreachable again at some point later.
From a ruleset perspective, we do not filter outbound packets. We do use the drop zone as default, but both my system and my colleague's have different input filtering. e.g. My system is a desktop, the system my colleague was working on is a dns server.
My system's rules look like:
# firewall-cmd --get-active-zones
drop
interfaces: enp2s0
# firewall-cmd --list-all
drop (active)
target: DROP
icmp-block-inversion: no
interfaces: enp2s0
sources:
services: ssh
ports: 591/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Another point of interest is that looking at the ip6tables as ping6s are NOT reaching the target, I can see the packets piling up in the OUTPUT chain, but nothing is logged as DROP or REJECT.
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1048 packets, 186K bytes)
pkts bytes target prot opt in out source destination
1048 186K OUTPUT_direct all * * ::/0 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1059 packets, 187K bytes)
pkts bytes target prot opt in out source destination
1059 187K OUTPUT_direct all * * ::/0 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1061 packets, 188K bytes)
pkts bytes target prot opt in out source destination
1061 188K OUTPUT_direct all * * ::/0 ::/0
# ip6tables -n -v -L OUTPUT
Chain OUTPUT (policy ACCEPT 1062 packets, 188K bytes)
pkts bytes target prot opt in out source destination
1062 188K OUTPUT_direct all * * ::/0 ::/0
...But no packets are accounted in the OUTPUT_direct chain -
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
# ip6tables -n -v -L OUTPUT_direct
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Can anyone explain, validate my experience, or otherwise help me to resolve it without permanently disabling firewalld?
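Two things in the counters above are worth separating before blaming the ruleset, and the script below is an added example for doing that (it is not code from the post or from firewalld). In the output shown, the OUTPUT policy counter grows in step with the OUTPUT_direct jump counter, which means every echo request traversed the (empty) OUTPUT_direct chain and was accepted by the policy; an empty user chain never shows per-rule counters, so seeing nothing accounted in OUTPUT_direct is expected. Separately, a "Destination unreachable: Address unreachable" reported *by localhost* is ICMPv6 type 1 code 3 generated by the local kernel when neighbour discovery for the next hop fails, so the place to look is what the INPUT side does with the ICMPv6 neighbour discovery types (134/135/136). The post does not show the INPUT chains, so the chain layout, the IN_drop chain name and all counter values in the snapshots below are constructed to resemble the output above, not captured from a host.

```python
"""Compare two `ip6tables -n -v -L` snapshots to tell "the filter table dropped
the packet" from "the packet fell through to the chain policy".

Added example, not code from the original post.  The chain layout, the
IN_drop chain name and all counter values are constructed to resemble the
post's output (firewalld 0.4.x, drop zone on enp2s0); they are not a capture.
"""
import re

# "Chain OUTPUT (policy ACCEPT 1048 packets, 186K bytes)" or "Chain X (1 references)"
CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\S+) packets, \S+ bytes"
    r"|\d+ references)\)$")
# Rule line: pkts bytes target prot [opt] in out source destination [match text].
# ip6tables leaves the opt column blank; iptables prints "--", hence the optional group.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?:--\s+)?"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
# ICMPv6 types the host must receive for neighbour discovery to work.  Numeric
# output (-n) renders as "ipv6-icmptype 135"; symbolic output uses the names
# from libip6t_icmp6 (assumed stable across versions).
NDP_TYPES = {"135": "neighbour-solicitation", "136": "neighbour-advertisement",
             "134": "router-advertisement"}


def counter(text):
    """'186K' -> 186000; plain digits pass through."""
    return int(text[:-1]) * SUFFIX[text[-1]] if text[-1] in SUFFIX else int(text)


def parse_chains(text):
    """Return {chain: {"policy": str|None, "policy_pkts": int, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m["name"]] = {"policy": m["policy"], "rules": [],
                                           "policy_pkts": counter(m["pkts"]) if m["pkts"] else 0}
        elif current is not None and not line.lstrip().startswith("pkts"):
            r = RULE_RE.match(line)
            if r:  # blank lines and column headers do not match
                rule = r.groupdict()
                rule["pkts"] = counter(rule["pkts"])
                current["rules"].append(rule)
    return chains


def policy_delta(before, after, chain):
    """Packets that reached the built-in policy of `chain` between the snapshots."""
    return after[chain]["policy_pkts"] - before[chain]["policy_pkts"]


def target_deltas(before, after, targets=("DROP", "REJECT")):
    """Per chain, packets that newly hit a DROP/REJECT rule between the snapshots.
    Assumes the rule order did not change (no reload) in between."""
    deltas = {}
    for name, chain in after.items():
        old = before.get(name, {"rules": []})["rules"]
        for i, rule in enumerate(chain["rules"]):
            if rule["target"] in targets:
                prev = old[i]["pkts"] if i < len(old) else 0
                if rule["pkts"] - prev:
                    deltas[name] = deltas.get(name, 0) + rule["pkts"] - prev
    return deltas


def ndp_accept_rules(chains):
    """(chain, type name) for every ACCEPT rule matching an NDP ICMPv6 type."""
    found = []
    for name, chain in chains.items():
        for rule in chain["rules"]:
            if rule["target"] != "ACCEPT" or rule["prot"] not in ("ipv6-icmp", "icmpv6"):
                continue
            for num, label in NDP_TYPES.items():
                if re.search(rf"icmptype {num}\b", rule["extra"]) or label in rule["extra"]:
                    found.append((name, label))
    return found


def snapshot(ssh_pkts, drop_pkts, out_pkts):
    """Constructed `ip6tables -n -v -L` text with the given counters."""
    return f"""\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
{ssh_pkts + drop_pkts:>5}  310K IN_drop    all      enp2s0 *       ::/0                 ::/0

Chain IN_drop (1 references)
 pkts bytes target     prot opt in     out     source               destination
{ssh_pkts:>5}  305K ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22 ctstate NEW
{drop_pkts:>5}  1120 DROP       all      *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT {out_pkts} packets, 186K bytes)
 pkts bytes target     prot opt in     out     source               destination
{out_pkts:>5}  186K OUTPUT_direct  all      *      *       ::/0                 ::/0

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""


# Two snapshots a few ping6 probes apart: OUTPUT's policy counter grows (the
# echo requests left the filter table) while only the inbound DROP rule grows.
BEFORE, AFTER = parse_chains(snapshot(2190, 12, 1048)), parse_chains(snapshot(2190, 15, 1059))

if __name__ == "__main__":
    print("OUTPUT policy ACCEPT:", policy_delta(BEFORE, AFTER, "OUTPUT"), "new packets")
    print("DROP/REJECT hits:", target_deltas(BEFORE, AFTER))
    print("NDP accept rules:", ndp_accept_rules(AFTER) or "none")
```

To use it against a real host, save `ip6tables -n -v -L` twice while `ping6` is failing and feed both texts to `parse_chains`. If `policy_delta` on OUTPUT grows and `target_deltas` shows nothing outbound, the filter table did not drop the echo requests, and the next things to check are `ip -6 neigh show` for the gateway's entry and whether `ndp_accept_rules` finds any rule letting types 134/135/136 in ahead of the zone's DROP target; that ordering is an assumption to verify on the box, since the post does not show its INPUT chains.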