On 8/17/20 6:33 PM, Tom Eastep wrote: > On 8/17/20 5:23 PM, Timo Sigurdsson wrote: >> Hi, >> >> I have shorewall running on a gateway that gets both IPv4 and IPv6 addresses >> or prefixes dynamically assigned by my ISP. When I dump the ip6tables rules >> with ip6tables-restore, I can see certain rules containing anycast addresses >> for each interface. The rules look like these: >> -A Broadcast -d 2001:db8:1:1::/128 -j DROP >> -A Broadcast -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP >> -A reject -d 2001:db8:1:1::/128 -j DROP >> -A reject -d 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -j DROP >> -A smurfs -s 2001:db8:1:1::/128 -g smurflog >> -A smurfs -s 2001:db8:1:1:ffff:ffff:ffff:ff80/121 -g smurflog >> >> I'd like to know: What generates these rules and can I suppress just these >> without changing anything else in the ruleset? I tried a few options like >> removing the nosmurfs option in the interfaces file, since the smurfs chain >> is referenced here, but that didn't do anything. Neither did any of my >> attempted changes to shorewall.conf, so I still don't even know what causes >> these rules to be generated. >> >> The reason I'm asking is this: The anycast-related rules are the only ones >> changing when I reload shorewall6 after my gateway received new IPv6 >> addresses. Since renumbering occurs frequently on this machine, I'm >> wondering if I can avoid having to reload shorewall6 all the time. I thought >> about adding a hook to my DHCPv6 client that could add the anycast addresses >> for each interface to an ipset, so I could reference just the ipset in my >> shorewall6 configuration and the ruleset itself could stay the same without >> the need to reload shorewall6 after renumbering occurs. >> > > It is currently somewhat convoluted to eliminate these rules: > > a) Create your own version of action.Broadcast which does not include > the anycast addresses. > > b) Don't use nosmurfs. If you want Smurf protection: > i) Create your own copy of action.DropSmurfs that doesn't include > anycast addresses. > ii) Invoke DropSmurfs in the ALL section of the rules file for packets > entering through interfaces that you wish to protect. > > c) Use the REJECT_ACTION option in shorewall6.conf to define your own > 'reject' chain. The action's code listed in the manpage should work, > provided that you have done a), above. >
I've taken another look at this, and you can easily suppress these rules
by placing this statement in your /etc/shorewall6/init file:
ALL_ACASTS=''
Much easier than the convoluted instructions that I sent previuosly.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster
Shoreline, \ with an international standard?
Washington, USA \ A: Someone who makes you an offer you
http://shorewall.org \ can't understand
\________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
