Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: tapin on February 24, 2011, 02:02:35 PM

Title: [solved] Problem with ufw rules
Post by: tapin on February 24, 2011, 02:02:35 PM
I have some services running on this server that I do not want exposed, so I need to enable a firewall. When the firewall is enabled, the server running the tunnel has IPv6 connectivity as normal and everything is OK, but clients on the LAN lose connectivity. When I issue a ping from a Windows client:

Code:
Pinging [2a00:1450:8006::68] with 32 bytes of data:
Request timed out.

I see associated block messages in /var/log/messages:

Code:
Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187

Unfortunately I have no idea what rule I need to put in to allow this, as even setting the incoming default to allow does not solve this issue, so I'm hoping someone better at Linux firewalls than I am can help. When the firewall is turned off everything works as expected.

ufw status verbose:
Code:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
Anywhere                   ALLOW IN
22                         ALLOW IN    Anywhere (v6)
443                        ALLOW IN    Anywhere (v6)
80                         ALLOW IN    Anywhere (v6)

Code:
eth0      Link encap:Ethernet  HWaddr 00:21:85:53:b8:12
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::221:85ff:fe53:b812/64 Scope:Link
          RX packets:683742 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1231665 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53259912 (53.2 MB)  TX bytes:1701283117 (1.7 GB)
          Interrupt:26 Base address:0x8000

he-ipv6   Link encap:IPv6-in-IPv4
          inet6 addr: 2001:470:1f08:15bd::2/64 Scope:Global
          inet6 addr: fe80::c0a8:16e/128 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:37374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7430443 (7.4 MB)  TX bytes:2550713 (2.5 MB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100308 (100.3 KB)  TX bytes:100308 (100.3 KB)

The server is running Ubuntu 10.04.2 LTS
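
Before picking a rule it helps to read the blocked line for which netfilter path dropped the packet, because ufw's three default policies (incoming, outgoing, forward) govern three different chains. The script below is an added example, not something posted in this thread: it parses "[UFW BLOCK]" lines from the kernel log and classifies each one by its IN= and OUT= interface fields, which is enough to tell an INPUT drop from a FORWARD drop. The first sample line is the one from the post above; the other two are constructed to show the remaining cases, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the forum thread): tell which netfilter path dropped a
# packet from a ufw "[UFW BLOCK]" kernel log line. The LOG target records the
# ingress interface as IN= and the egress interface as OUT=; a forwarded packet
# has both set, a packet addressed to the host itself only IN=, and a locally
# generated packet only OUT=.

# Constructed sample log: line 1 is the line from the original post, lines 2 and 3
# are made up (192.0.2.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_LOG='Feb 24 21:52:49 redshift kernel: [90746.567197] [UFW BLOCK] IN=eth0 OUT=he-ipv6 SRC=2001:0470:1f09:15bd:f905:2ab5:0e3f:d0cd DST=2a00:1450:8006:0000:0000:0000:0000:0068 LEN=80 TC=0 HOPLIMIT=127 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=187
Feb 24 21:53:01 redshift kernel: [90758.100000] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 21:53:05 redshift kernel: [90762.200000] [UFW BLOCK] IN= OUT=he-ipv6 SRC=2001:470:1f08:15bd::2 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=2 SEQ=1'

# field LINE KEY: print the value of the "KEY=value" token in LINE ("" if unset).
# Requiring a blank before KEY keeps "IN=" from matching inside other tokens.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_block LINE: print "FORWARD in->out", "INPUT in", "OUTPUT out" or NOT-A-BLOCK.
classify_block() {
    case $1 in
        *"[UFW BLOCK]"*) ;;
        *) echo NOT-A-BLOCK; return 0 ;;
    esac
    in_if=$(field "$1" IN)
    out_if=$(field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo "FORWARD $in_if->$out_if"
    elif [ -n "$in_if" ]; then
        echo "INPUT $in_if"
    else
        echo "OUTPUT $out_if"
    fi
}

# ufw_knob LINE: name the ufw setting that decides the fate of such a packet.
# "ufw allow ..." rules land in the user-input chain, so they never help with a
# FORWARD drop; that is governed by DEFAULT_FORWARD_POLICY and the before-forward chains.
ufw_knob() {
    case $(classify_block "$1") in
        FORWARD*) echo "DEFAULT_FORWARD_POLICY in /etc/default/ufw, or a rule in the ufw6-before-forward / ufw-before-forward chain" ;;
        INPUT*)   echo "DEFAULT_INPUT_POLICY in /etc/default/ufw, or a 'ufw allow' rule" ;;
        OUTPUT*)  echo "DEFAULT_OUTPUT_POLICY in /etc/default/ufw" ;;
        *)        echo "not a ufw block line" ;;
    esac
}

# Walk the sample log and print the verdict for each line.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%s\n  -> %s\n' "$(classify_block "$line")" "$(ufw_knob "$line")"
done
```

Run with `sh`. The posted line has both IN=eth0 and OUT=he-ipv6 set, so it was dropped on the forward path; that is why changing the incoming default had no effect and only the forward policy mattered.
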

Title: Re: Problem with ufw rules
Post by: tapin on February 24, 2011, 02:30:56 PM
::) So after spending hours on this after posting the message, I came to the solution.

The default forward policy in /etc/default/ufw was set to drop, so I set it to accept...

Code:

and everything works fine!

Hopefully this might save someone a couple of hours!

Title: Re: [solved] Problem with ufw rules
Post by: arip on June 27, 2011, 10:05:50 AM
Instead of changing the policy to allow all incoming traffic (which sort of defeats most of the purpose of a firewall), you can do this to allow IPv6 tunneled traffic from HE, and then any IPv6 rules will match on your tunnel interface.

ufw allow proto ipv6 from

Replace with your HE tunnel server.
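
Setting DEFAULT_FORWARD_POLICY="ACCEPT" (the fix in the second post) works, but it forwards everything between eth0 and he-ipv6 in both directions, so every LAN host in the routed /64 becomes reachable from the whole IPv6 Internet. The script below is an added example, not code from this thread: it shows the narrower alternative, keeping the forward policy at DROP and adding two rules to the ufw6-before-forward chain that ufw defines in /etc/ufw/before6.rules, plus a small check for the over-broad setting. The interface names are the ones in the posted ifconfig output; the LAN prefix is inferred from the SRC address in the posted log line (HE routes a separate /64 alongside the /64 on the tunnel itself) and is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example (not from the forum thread): least-privilege forwarding between
# the LAN and the HE tunnel instead of DEFAULT_FORWARD_POLICY="ACCEPT".
#
# Assumptions: interface names from the posted ifconfig output; LAN prefix
# inferred from the SRC address of the posted [UFW BLOCK] line.
LAN_IF=eth0
TUN_IF=he-ipv6
LAN_PREFIX=2001:470:1f09:15bd::/64

# check_forward_policy TEXT: given the contents of /etc/default/ufw, return 0 when
# forwarding is still DROP and 1 when it has been opened to ACCEPT.
check_forward_policy() {
    printf '%s\n' "$1" | grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' && return 1
    return 0
}

# forward_rules LAN TUN PREFIX: emit the ip6tables-restore lines to paste into
# /etc/ufw/before6.rules, above the COMMIT line of the *filter table.
forward_rules() {
    lan=$1; tun=$2; prefix=$3
    cat <<EOF
# LAN -> tunnel: only packets sourced from our routed /64 may leave (anti-spoofing)
-A ufw6-before-forward -i $lan -o $tun -s $prefix -j ACCEPT
# tunnel -> LAN: only replies to flows the LAN side opened; ICMPv6 errors for those flows count as RELATED
-A ufw6-before-forward -i $tun -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Usage: print the fragment for this thread's setup, then audit a sample config line.
forward_rules "$LAN_IF" "$TUN_IF" "$LAN_PREFIX"
if check_forward_policy 'DEFAULT_FORWARD_POLICY="ACCEPT"'; then
    echo "forward policy: DROP (good)"
else
    echo "forward policy: ACCEPT (over-broad; paste the rules above and set it back to DROP)"
fi
```

After adding the two rules, run `ufw reload`. Unsolicited traffic from the Internet to LAN hosts, inbound pings included, is dropped by this set; Packet Too Big messages for connections the LAN opened (relevant with the 1480-byte tunnel MTU) still pass as RELATED. The `ufw allow proto ipv6 from <tunnel server>` rule in the last post matches the IPv4 protocol-41 packets arriving at the host on INPUT; the packet in the posted log was dropped on the forward path (IN=eth0 OUT=he-ipv6), so that rule complements these forward rules rather than replacing them. Later ufw releases added `ufw route` for the same purpose; the ufw shipped with Ubuntu 10.04 does not have it.
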