
ip6tables stateless rules

wnefal
2012-11-23
2013-03-05
  • wnefal
    2012-11-23

    Hi,
    It is a fact that with RHEL 5 you must do stateless firewalling for IPv6
    https://bugzilla.redhat.com/show_bug.cgi?id=243739

    I am wondering how to write stateless firewall rules with fwbuilder. For ssh incoming only this could go like

    disallow outgoing ssh packets with only syn set.
    I think I would need a custom tcp service?

    allow incoming packets.
    Trivial.

    allow outgoing packets.
    I need a --sport 22.
    Do I need to define a custom TCP service for SSH responses?

    AFAICS I need to define two additional custom objects per service.
    Or is there a better and maybe more elegant way?
    -
    Markus

  • Vadim Kurland
    2012-11-23

    You need two service objects if you want to build stateless rules: one service object to match destination port 22 and the other to match source port 22. These do not need to be CustomService objects; they can be TCP service objects.

    Do not forget to mark the rule as "stateless" in the rule options dialog
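The three-rule scheme Markus sketches, written out as the ip6tables commands the two TCP service objects boil down to. This is an added example, not fwbuilder output and not code from either poster; the interface name `eth0` and a DROP default policy on INPUT and OUTPUT are assumptions. The dport-22 object produces rule 2; the sport-22 object produces rules 1 and 3, where rule 1 additionally matches the TCP flags (in fwbuilder, a TCP service object with the SYN flag set and ACK/FIN/RST cleared). The function only prints the commands, so it can be inspected offline; pipe its output into `sh` as root to apply it.

```shell
#!/bin/sh
# Stateless ip6tables rules for an inbound-only TCP service (SSH, port 22),
# for hosts where conntrack cannot be used for IPv6. Added example: the
# interface name and the DROP policies below are assumptions, not from the thread.

# gen_stateless_inbound_tcp IFACE PORT
# Prints the ip6tables commands in the order they must be appended.
gen_stateless_inbound_tcp() {
    iface="$1"
    port="$2"

    # 1. Without connection tracking, the "reply" rule (3) would also let a
    #    local process bound to source port PORT open outbound connections.
    #    Drop outgoing packets from that port that carry only SYN, i.e.
    #    connection attempts. "--syn" is short for "--tcp-flags SYN,RST,ACK,FIN SYN".
    #    This rule must come before rule 3; ip6tables takes the first match.
    echo "ip6tables -A OUTPUT -o $iface -p tcp --sport $port --syn -j DROP"

    # 2. Anything addressed to the service: SYNs, data, ACKs, FINs.
    echo "ip6tables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT"

    # 3. Replies from the service: the stateless substitute for a
    #    "-m state --state ESTABLISHED" rule.
    echo "ip6tables -A OUTPUT -o $iface -p tcp --sport $port -j ACCEPT"
}

# Assumed surrounding policy (not emitted by the function): everything not
# explicitly accepted is dropped, which is what makes rule 2 and 3 meaningful.
echo "ip6tables -P INPUT DROP"
echo "ip6tables -P OUTPUT DROP"
gen_stateless_inbound_tcp eth0 22
```

What the SYN-only drop does not cover is inherent to stateless filtering: an outgoing packet from port 22 that is not a bare SYN (an ACK or RST probe, for instance) still matches rule 3, and any inbound packet to port 22 is accepted whether or not a connection exists. Keeping the DROP ahead of the sport-22 ACCEPT is the one ordering that matters; appending them the other way round silently disables the check.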