Print

[swschulz]

Has anyone gotten the combo of Ubuntu Jaunty (9.04) with the UFW firewall to work with an HEnet tunnel?

I have configured the tunnel, added an IP from my /64 allotment to eth0, and everything works as expected until I bring up the firewall.  UFW is supposed to support IPv6, but I must be missing something somewhere.  By default it is supposed to allow ping6, etc through, and I have added rules to allow port 80 in to the v6 address.  Unfortunately, all packets are dropped by UFW.

My steps:

1) Configure and test IPv6 tunnel
2) Set IPV6=yes in /etc/default/ufw (to add the v6 rules)
3) Removed and re-added all the rules that were previously in place.  It does add what appear to be the necessary rules in the user6.rules file.
4) Re-enabled UFW

At this point, all ipv6 traffic dies.  I've tried adding rules to allow anything through to the ipv6 address, and another to allow any traffic from my tunnel server ipv4 address, again, no joy.

This box is a linode, and has public IPv4 addresses, so there is no NAT in place, so it is my understanding that I do not need to try to forward protocol 41.

Here is a ping6 to the box drop (cleansed):

[UFW BLOCK] IN=he-ipv6 OUT= TUNNEL=216.66.22.2->I.P.v4.102
SRC=2001:0470:1f06:06c7:0000:0000:0000:0002 DST=2001:0470:0018:037b:0000:0000:0000:0002
LEN=104 TC=0 HOPLIMIT=60 FLOWLBL=0
PROTO=ICMPv6 TYPE=128 CODE=0 ID=41264 SEQ=4

ip6tables -L -n | grep 'type 128' shows that this is the rule it has in place:
ACCEPT     icmpv6    ::/0                 ::/0                ipv6-icmp type 128

So something else must be catching the traffic, just not sure what.

Anyone have any ideas?  So close, and yet so far.

Thanks,

SwS
A Burnt Sage

[jimb]

I suggest going through your rules carefully.  Is that permit rule in the FORWARD chain or the INPUT chain?  If it's in the FORWARD chain but not in the INPUT chain, it would explain why the tunnel interface is dropping pings, for instance.

EDIT: in fact, your grep shows it's in only one chain, while it should be in two.  That is, the grep should have match two such lines.  FYI: The INPUT chain applies to traffic for which the destination is the firewall itself.  The FORWARD chain applies to traffic which would be forwarded to other hosts on the other side of the firewall.

[swschulz]

Yes, all of these rules are in the INPUT chain, and by default there are none in the FORWARD chain.  But since the firewall (software firewall) lives on the same box as the tunnel, and there are no other boxes behind it, i.e. all traffic to/from the tunnel will originate/destinate at this one box, do I need to set up FORWARD rules/masquerading to pass traffic between the he-ipv6 virtual interface and eth0 where they are coming in originally?

[jimb]

Nope.  If all IPv6 traffic will terminate at that box, you don't need forwarding rules, or the ip forwarding sysctl even set.

[swschulz]

Was afraid of that, so either I've got something mucked up, or I am missing something simple (or there is a bug in it).

Thanks for all the info.

[majidfarid]

Just enable ipv6 in /etc/default/ufw the same rules you have for ipv4 will work for ipv6.

/Majid

[jimb]

I need to learn this ufw stuff.  I always do my own iptables stuff, but I guess the ufw front end is going to be in wide use now that it's in *buntu.

[patrickdk]

It's the issue more that protocol 41 is blocked?

In lucid I have no issues using, ufw allow to x.x.x.x proto ipv6

But versions before 10.04 don't support ipv6 protocol, so you will have to do it manually:

https://bugs.launchpad.net/ufw/+bug/502655

You could always edit /etc/ufw/before.conf and add a rule to allow protocol 41