It is a fact that with RHEL 5 you must do stateless firewalling for IPv6.
I am wondering how to write stateless firewall rules with fwbuilder. For ssh incoming only this could go like
disallow outgoing ssh packets with only SYN set.
I think I would need a custom TCP service?
allow incoming packets.
allow outgoing packets.
I need a -sport 22.
Do I need to define a custom TCP service for ssh responses?
AFAICS I need to define two additional custom objects per service.
Or is there a better and maybe more elegant way?
You need two service objects if you want to build stateless rules: one service object to match destination port 22 and the other to match source port 22. These do not need to be CustomService; they can be TCP service objects.
Do not forget to mark the rule as "stateless" in the rule options dialog.
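To make the two-service-object approach concrete, here is what those two objects (TCP with destination port 22, TCP with source port 22, rule marked stateless) boil down to once compiled to ip6tables. This is an added example written for this page, not fwbuilder output and not code from either poster; the exact rule text fwbuilder emits may differ, and the loopback and ICMPv6 rules are added because an IPv6 host cannot do neighbour discovery without ICMPv6. The `IPT` variable and the `ssh_stateless_rules` function name are my own choices.

```shell
#!/bin/sh
# Stateless ip6tables ruleset for "ssh incoming only" (no conntrack available).
# Example for this page, not generated by fwbuilder. Prints the rules; run as
# root with:  sh this.sh | sh
# Assumption: the ip6tables binary is on PATH (override with IPT=/path/ip6tables).
IPT=${IPT:-ip6tables}

# Emit the ruleset on stdout. Every line is a complete ip6tables command, so the
# output can be reviewed first and applied later.
ssh_stateless_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -F
# Loopback traffic is unrestricted.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# ICMPv6 carries neighbour discovery; without it the host has no IPv6 connectivity.
$IPT -A INPUT -p icmpv6 -j ACCEPT
$IPT -A OUTPUT -p icmpv6 -j ACCEPT
# Service object 1: TCP, destination port 22. Matches every inbound packet of an
# ssh session, the initial SYN included.
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Service object 2: TCP, source port 22. Matches sshd's replies. "! --syn" is the
# stateless substitute for "ESTABLISHED": a packet with only SYN set leaving port
# 22 would be this host opening a new connection, so it is not accepted.
$IPT -A OUTPUT -p tcp --sport 22 ! --syn -j ACCEPT
EOF
}

# Return 0 if the ruleset has exactly one reply rule and it is SYN-restricted,
# i.e. the stateless-only trick is in place. Useful as a sanity check before apply.
check_reply_rule() {
    n=$(ssh_stateless_rules | grep -c -- '--sport 22 ! --syn')
    [ "$n" -eq 1 ]
}

ssh_stateless_rules
```

Apply the output only after reading it: with stateless rules there is no "ESTABLISHED" match, so anything not listed (DNS, NTP, package updates) is dropped, and each such service needs its own pair of objects, as the answer says.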