[Shorewall-users] Recommended way to restart Shorewall6
Sven Kirmess
2016-12-31 13:39:33 UTC
I'm trying to find out what the recommended way would be to restart
shorewall6. I found <http://shorewall.org/dhcp.htm> but I'm not 100%
sure if that applies to shorewall6 too.

On my firewall I run dhcpcd, which

- configures an IPv6 address on ppp0, according to a router advertisement

dhcpcd[25267]: ppp0: Router Advertisement from fe80::226:cbff:fe9d:4c1b
dhcpcd[25267]: ppp0: adding address 2a02:200:2f00:91d:31da:4c2d:2f89:d379/64
dhcpcd[25267]: ppp0: pltime 604800 seconds, vltime 2592000 seconds
dhcpcd[25267]: ppp0: executing `//libexec/dhcpcd-run-hooks' ROUTERADVERT

- requests a /60 network with DHCPv6-PD and assigns an IPv6 network
to internal interfaces.

dhcpcd[25267]: ppp0: broadcasting RENEW6 (xid 0xb2b730), next in 9.7 seconds
dhcpcd[25267]: ppp0: REPLY6 received from fe80::226:cbff:fe9d:4c1b
dhcpcd[25267]: ppp0: renew in 3600, rebind in 5760, expire in 86400 seconds
dhcpcd[25267]: ppp0: writing lease `/var/db/dhcpcd-ppp0.lease6'
dhcpcd[25267]: ppp0: delegated prefix 2a02:200:2e00:91d0::/60
dhcpcd[25267]: em2.100: adding address 2a02:200:2e00:91d4::1/64
dhcpcd[25267]: em2.100: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.100: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.170: adding address 2a02:200:2e00:91da::1/64
dhcpcd[25267]: em2.170: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.170: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.191: adding address 2a02:200:2e00:91db::1/64
dhcpcd[25267]: em2.191: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.191: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.192: adding address 2a02:200:2e00:91dc::1/64
dhcpcd[25267]: em2.192: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.192: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.193: adding address 2a02:200:2e00:91dd::1/64
dhcpcd[25267]: em2.193: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.193: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: ppp0: executing `//libexec/dhcpcd-run-hooks' RENEW6

Should I restart shorewall6? And if yes, on which event?

The networks should be static but I don't trust my ISP to tell me if
he changes them. What's the worst thing that can happen if a restart
does not happen?

(I restart shorewall from /etc/ppp/ip-up.d/20-shorewall, which should
be enough.)


Sven
Tom Eastep
2016-12-31 18:19:31 UTC
Post by Sven Kirmess
I'm trying to find out what the recommended way would be to restart
shorewall6. I found <http://shorewall.org/dhcp.htm> but I'm not 100%
sure if that applies to shorewall6 too.

On my firewall I run dhcpcd, which

- configures an IPv6 address on ppp0, according to a router advertisement

dhcpcd[25267]: ppp0: Router Advertisement from fe80::226:cbff:fe9d:4c1b
dhcpcd[25267]: ppp0: adding address 2a02:200:2f00:91d:31da:4c2d:2f89:d379/64
dhcpcd[25267]: ppp0: pltime 604800 seconds, vltime 2592000 seconds
dhcpcd[25267]: ppp0: executing `//libexec/dhcpcd-run-hooks' ROUTERADVERT

- requests a /60 network with DHCPv6-PD and assigns an IPv6 network
to internal interfaces.

dhcpcd[25267]: ppp0: broadcasting RENEW6 (xid 0xb2b730), next in 9.7 seconds
dhcpcd[25267]: ppp0: REPLY6 received from fe80::226:cbff:fe9d:4c1b
dhcpcd[25267]: ppp0: renew in 3600, rebind in 5760, expire in 86400 seconds
dhcpcd[25267]: ppp0: writing lease `/var/db/dhcpcd-ppp0.lease6'
dhcpcd[25267]: ppp0: delegated prefix 2a02:200:2e00:91d0::/60
dhcpcd[25267]: em2.100: adding address 2a02:200:2e00:91d4::1/64
dhcpcd[25267]: em2.100: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.100: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.170: adding address 2a02:200:2e00:91da::1/64
dhcpcd[25267]: em2.170: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.170: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.191: adding address 2a02:200:2e00:91db::1/64
dhcpcd[25267]: em2.191: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.191: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.192: adding address 2a02:200:2e00:91dc::1/64
dhcpcd[25267]: em2.192: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.192: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: em2.193: adding address 2a02:200:2e00:91dd::1/64
dhcpcd[25267]: em2.193: pltime 7200 seconds, vltime 86400 seconds
dhcpcd[25267]: em2.193: executing `//libexec/dhcpcd-run-hooks' DELEGATED6
dhcpcd[25267]: ppp0: executing `//libexec/dhcpcd-run-hooks' RENEW6

Should I restart shorewall6? And if yes, on which event?
We can't answer that without knowing if your Shorewall6 configuration
is dependent on the IPv6 address of ppp0 or the IPv6 local network
address. If it isn't, then there is no reason to *reload* (there is
never a need to *restart* in this case).
Post by Sven Kirmess
The networks should be static but I don't trust my ISP to tell me
if he changes them. What's the worst thing that can happen if a
restart does not happen?
If your ruleset contains rules that are dependent on the
above-mentioned addresses, then those rules will cease to match.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Sven Kirmess
2016-12-31 18:58:08 UTC
Post by Tom Eastep
Post by Sven Kirmess
Should I restart shorewall6? And if yes, on which event?
We can't answer that without knowing if your Shorewall6 configuration
is dependent on the IPv6 address of ppp0 or the IPv6 local network
address. If it isn't, then there is no reason to *reload* (there is
never a need to *restart* in this case).
My rules don't specify IPv6 addresses, they only filter between zones.

But the IPv6 network is in the reject, Broadcast and smurfs chains:

Chain reject
target     prot    opt in     out     source       destination
DROP       all         *      *       ::/0         2a02:200:2e00:91d4::
DROP       all         *      *       ::/0         2a02:200:2e00:91d4:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ::/0         2a02:200:2e00:91da::
DROP       all         *      *       ::/0         2a02:200:2e00:91da:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ::/0         2a02:200:2e00:91db::
DROP       all         *      *       ::/0         2a02:200:2e00:91db:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ::/0         2a02:200:2e00:91dc::
DROP       all         *      *       ::/0         2a02:200:2e00:91dc:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ::/0         2a02:200:2e00:91dd::
DROP       all         *      *       ::/0         2a02:200:2e00:91dd:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ::/0         2a02:200:2f00:91d::
DROP       all         *      *       ::/0         2a02:200:2f00:91d:ffff:ffff:ffff:ff80/121
DROP       all         *      *       ff00::/8     ::/0
DROP       2           *      *       ::/0         ::/0
REJECT     tcp         *      *       ::/0         ::/0         reject-with tcp-reset
REJECT     udp         *      *       ::/0         ::/0         reject-with icmp6-port-unreachable
REJECT     icmpv6      *      *       ::/0         ::/0         reject-with icmp6-addr-unreachable
REJECT     all         *      *       ::/0         ::/0         reject-with icmp6-adm-prohibited


Chain Broadcast
target     prot    opt in     out     source       destination
NFLOG      all         *      *       ::/0         2a02:200:2e00:91d4::                         nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91d4::
NFLOG      all         *      *       ::/0         2a02:200:2e00:91d4:ffff:ffff:ffff:ff80/121   nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91d4:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         2a02:200:2e00:91da::                         nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91da::
NFLOG      all         *      *       ::/0         2a02:200:2e00:91da:ffff:ffff:ffff:ff80/121   nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91da:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         2a02:200:2e00:91db::                         nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91db::
NFLOG      all         *      *       ::/0         2a02:200:2e00:91db:ffff:ffff:ffff:ff80/121   nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91db:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         2a02:200:2e00:91dc::                         nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91dc::
NFLOG      all         *      *       ::/0         2a02:200:2e00:91dc:ffff:ffff:ffff:ff80/121   nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91dc:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         2a02:200:2e00:91dd::                         nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91dd::
NFLOG      all         *      *       ::/0         2a02:200:2e00:91dd:ffff:ffff:ffff:ff80/121   nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2e00:91dd:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         2a02:200:2f00:91d::                          nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2f00:91d::
NFLOG      all         *      *       ::/0         2a02:200:2f00:91d:ffff:ffff:ffff:ff80/121    nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         2a02:200:2f00:91d:ffff:ffff:ffff:ff80/121
NFLOG      all         *      *       ::/0         ff00::/8                                     nflog-prefix "Shorewall:Broadcast:DROP:" nflog-group 6
DROP       all         *      *       ::/0         ff00::/8


Chain smurfs
target     prot    opt in     out     source                                       destination
smurflog   all         *      *       2a02:200:2e00:91d4::                         ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91d4:ffff:ffff:ffff:ff80/121   ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91da::                         ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91da:ffff:ffff:ffff:ff80/121   ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91db::                         ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91db:ffff:ffff:ffff:ff80/121   ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91dc::                         ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91dc:ffff:ffff:ffff:ff80/121   ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91dd::                         ::/0         [goto]
smurflog   all         *      *       2a02:200:2e00:91dd:ffff:ffff:ffff:ff80/121   ::/0         [goto]
smurflog   all         *      *       2a02:200:2f00:91d::                          ::/0         [goto]
smurflog   all         *      *       2a02:200:2f00:91d:ffff:ffff:ffff:ff80/121    ::/0         [goto]
smurflog   all         *      *       ff00::/8                                     ::/0         [goto]

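The chains above show why the prefix matters even when the rules file never names an address: for every configured prefix Shorewall6 generates drops for the subnet-router anycast address (prefix::) and the reserved subnet anycast range (prefix:ffff:ffff:ffff:ff80/121), and the smurfs chain matches the same addresses as sources. If the ISP delegates a different /60, those rules keep matching the old prefix and the new one is uncovered until the compiled ruleset is regenerated. The following is an added example (it is not part of the thread and not Shorewall or dhcpcd project code) of a dhcpcd hook that applies Tom's advice: it runs `shorewall6 reload` rather than `restart`, and only when a dhcpcd IPv6 event has actually changed the set of global addresses on the box. Assumptions: the hook is installed under the dhcpcd hooks directory (e.g. /libexec/dhcpcd-hooks/90-shorewall6, a hypothetical name), `$reason` and `$interface` are the variables dhcpcd-run-hooks sets for every hook, the event names beyond ROUTERADVERT/DELEGATED6/RENEW6 come from dhcpcd-run-hooks(8), and the `SHOREWALL6_*` environment variables and the `ip -6 -o addr show` sample are this example's own (the sample is constructed, not captured from a real host).

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall/dhcpcd: dhcpcd hook that
# reloads shorewall6 only when the global IPv6 address set actually changed.
# Install path is assumed, e.g. /libexec/dhcpcd-hooks/90-shorewall6.
# dhcpcd-run-hooks sets $reason (event name) and $interface for every hook.

STATE_FILE="${SHOREWALL6_ADDR_STATE:-/var/run/shorewall6-addr.state}"   # our own variable
RELOAD_CMD="${SHOREWALL6_RELOAD_CMD:-shorewall6 reload}"                 # reload, never restart

# Constructed sample of `ip -6 -o addr show` output for a demo run; the link-local
# line is there to show that only global-scope addresses are fingerprinted.
SAMPLE_ADDRS='2: ppp0    inet6 2a02:200:2f00:91d:31da:4c2d:2f89:d379/64 scope global dynamic
3: em2.100    inet6 2a02:200:2e00:91d4::1/64 scope global dynamic
3: em2.100    inet6 fe80::1/64 scope link'

# dhcpcd IPv6 events after which addresses or delegated prefixes may have changed
# (names per dhcpcd-run-hooks(8); ROUTERADVERT, DELEGATED6 and RENEW6 are the ones
# visible in the log in this thread).
addr_event() {
    case "$1" in
        ROUTERADVERT|BOUND6|RENEW6|REBIND6|DELEGATED6|EXPIRE6|RELEASE6|STOP6) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ip -6 -o addr show` output on stdin and prints one canonical
# "iface addr/plen" line per global-scope address, sorted, so two runs compare.
addr_fingerprint() {
    awk '$3 == "inet6" && /scope global/ { print $2, $4 }' | sort
}

# Compares the fingerprint of stdin with the stored one. Returns 0 and updates
# the state file when it differs (the first run counts as a change), 1 otherwise.
addr_changed() {
    new=$(addr_fingerprint)
    if [ -f "$STATE_FILE" ] && [ "$new" = "$(cat "$STATE_FILE")" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$STATE_FILE"
    return 0
}

# Hook body: act only on a relevant event that really changed the address set.
shorewall6_hook() {
    addr_event "$reason" || return 0
    if ip -6 -o addr show | addr_changed; then
        logger -t dhcpcd-shorewall6 \
            "$interface: $reason changed global IPv6 addresses, running: $RELOAD_CMD"
        $RELOAD_CMD
    fi
}

# Run only when sourced by dhcpcd-run-hooks, which sets $reason.
if [ -n "$reason" ]; then
    shorewall6_hook
fi
```

Because the decision is made on the observed address set rather than on the event name alone, the periodic RENEW6 in the log (every hour here) does not cause a reload unless the delegated prefix or the ppp0 address really moved; a reload on every renewal would needlessly re-compile the ruleset and briefly disturb connection tracking state for nothing.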