Hi,
I'm trying to configure the IPv6 Firewall on my server and I found some problems.
The rule Reject with ICMP type with icmp6-adm-prohibited is badly written.
Webmin writes (as shown in the attachment) in /etc/ip6tables/ip.rules
icmp6-adm-pro-hibited and not icmp6-adm-prohibited
There is a "-" between pro and hibited
Also the rules don't work, and I don't understand why.
I have for example:
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j MYCHAIN
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG --log-level=4
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A MYCHAIN -p icmpv6 -j ACCEPT
-A MYCHAIN -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A MYCHAIN -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
-A MYCHAIN -p tcp -m tcp -i eth0 --dport 21 -j ACCEPT
If I delete the rule:
-A MYCHAIN -p tcp -m tcp -i eth0 --dport 21 -j ACCEPT
I still have access to port 21 FTP!
But if I replace it by:
-A MYCHAIN -p tcp -m tcp -i eth0 --dport 21 -j DROP
Traffic is correctly dropped on port 21
(simply because the drop is before "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
So my conclusion is: is it due to: -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I don't understand why... traffic is accepted whether the connection is "established, related" or not...
It must pass this line (as no connection is established or related) and be dropped with:
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
or
-A INPUT -j DROP
No issue at all, with my IPv4 rules
Best regards,
For the second part it's OK... sorry, I found it; it has nothing to do with the issue in the attachments (1st part).
Thanks for pointing out this error - it will be fixed in the next Webmin release.
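
A check for the misspelling reported in this thread, as an added example that is not part of the original posts and is not Webmin's code: it scans a rules file in ip6tables-save format and reports any REJECT rule whose --reject-with value is not a known type. The function name, the constructed sample and the list of valid types (taken from the iptables-extensions man page) are assumptions.

```python
import shlex

# Assumption: the type names the iptables-extensions man page lists for the
# IPv6 REJECT target; newer releases may accept more, so compare with yours.
VALID_REJECT_TYPES = {
    "icmp6-no-route", "no-route",
    "icmp6-adm-prohibited", "adm-prohibited",
    "icmp6-addr-unreachable", "addr-unreach",
    "icmp6-port-unreachable", "tcp-reset",
}

# Constructed sample in ip6tables-save format, reusing rules from the post and
# the misspelled value the post says Webmin wrote.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:MYCHAIN - [0:0]
-A INPUT -j MYCHAIN
-A INPUT -j LOG --log-level=4
-A INPUT -j REJECT --reject-with icmp6-adm-pro-hibited
-A MYCHAIN -p icmpv6 -j ACCEPT
COMMIT
"""

def find_bad_reject_types(rules_text):
    """Return [(line_number, value)] for REJECT rules with an unknown type."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip().startswith("-A "):
            continue  # table name, chain policy, COMMIT or comment
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: report instead of guessing
            problems.append((lineno, "<unparseable rule>"))
            continue
        jumps = {tokens[i + 1] for i, t in enumerate(tokens[:-1])
                 if t in ("-j", "--jump")}
        if "REJECT" not in jumps:
            continue
        for i, tok in enumerate(tokens):
            value = None
            if tok == "--reject-with" and i + 1 < len(tokens):
                value = tokens[i + 1]
            elif tok.startswith("--reject-with="):
                value = tok.split("=", 1)[1]
            if value is not None and value.lower() not in VALID_REJECT_TYPES:
                problems.append((lineno, value))
    return problems

if __name__ == "__main__":
    for lineno, value in find_bad_reject_types(SAMPLE_RULES):
        print(f"line {lineno}: unknown --reject-with type {value!r}")
```

Running it over a generated rules file before loading it catches a ruleset whose final REJECT line would fail to parse.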