Bug 22778

Summary: Shorewall6 support (shorewall.pm from drakx-net still has "# Deliberately not adding shorewall6 support here for now")
Product: Mageia Reporter: Jybz <j.biernacki+mga>
Component: RPM Packages Assignee: José Jorge <lists.jjorge>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: lists.jjorge, marja11
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: gitweb.mageia.org/software/drakx-net/tree/lib/network/shorewall.pm
Whiteboard:
Source RPM: shorewall drakx-net CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 21417    

Description Jybz 2018-03-15 19:31:01 CET
Hi all !

I've a bad ISP, which doesn't offer NAT services. The (almost) only way to reach my computer from outside, is to use IPv6.

I searched the files and found that /etc/shorewall(6)/rules includes /etc/shorewall(6)/rules.drakx

In the IPv4 version, rules.drakx is full of rules, whereas the IPv6 version is an empty file for me.

I looked on git, and I saw that line 44 (and 43) of this file: gitweb.mageia.org/software/drakx-net/tree/lib/network/shorewall.pm
mentions:
# Deliberately not adding shorewall6 support here for now
I looked at drakfirewall.pm http://gitweb.mageia.org/software/drakx-net/tree/lib/network/drakfirewall.pm
and drakgw http://gitweb.mageia.org/software/drakx-net/tree/bin/drakgw?id=844526c6a45a5a02edcd3f46d46d98dd054d695b
as mentioned in shorewall.pm, but didn't really understand them.

Whatever, I changed the /etc/shorewall6/rules file:
instead of:
include rules.drakx
I have
include /etc/shorewall/rules.drakx
(it didn't recognise ../shorewall/rules.drakx)

I really think that we should enable IPv6 support; some ISPs have started sharing IPv4 addresses between their clients (sorry, it is in French but funny: https://www.numerama.com/tech/145703-free-peut-attribuer-la-meme-adresse-ip-a-plusieurs-abonnes.html )

What is the position of Mageia on IPv6?

Marja Van Waes 2018-03-17 10:06:42 CET

Summary: Shorewall6 support => Shorewall6 support (shorewall.pm from drakx-net still has "# Deliberately not adding shorewall6 support here for now")
Assignee: bugsquad => mageiatools
CC: (none) => marja11

Jybz 2018-11-07 19:31:12 CET

Blocks: (none) => 21417

Comment 1 José Jorge 2019-02-10 09:51:32 CET
I agree this should be fixed, now that IPv6 is widely used.

I'll try to work on it, if no one else volunteers. In my personal use, I simply copy all the shorewall4 files into the shorewall6 directory, and it works as expected.

Status: NEW => ASSIGNED
Assignee: mageiatools => lists.jjorge
CC: (none) => lists.jjorge

Comment 2 José Jorge 2019-02-11 12:20:54 CET
(In reply to J-B B from comment #0)
> Whatever, I change the /etc/shorewall6/rules file,
> instead of :
> include rules.drakx
> I have 
> include /etc/shorewall/rules.drakx
> 
> I really think that we should enable the ipv6 support, some ISP start
> sharing the IPv4 for their clients, (sorry, it is in french but funny :
> https://www.numerama.com/tech/145703-free-peut-attribuer-la-meme-adresse-ip-a-plusieurs-abonnes.html )
> 
> What is the position of Mageia with Ipv6 ?

I think your change is not enough to get a good IPv6 firewall: these two lines are needed to enable good IPv6 traffic

ACCEPT  net     fw      ipv6-icmp
ACCEPT  net     lan     ipv6-icmp

We really need someone to work on this...
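
A check for the gap described in comment 2, as an added example that is not part of the bug thread or of drakx-net: it walks a shorewall6 rules file through its include lines and reports which zone pairs still lack an ACCEPT for ipv6-icmp, and which rules came from a file outside the shorewall6 directory. The function names, the sample rules and the include resolution (relative names resolved beside the including file) are assumptions made for the example.

```python
import os
import tempfile

def effective_rules(path, seen=None):
    """Yield (file, columns) for every rule line, following include lines."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:  # guard against include loops
        return
    seen.add(real)
    with open(real) as fh:
        for raw in fh:
            cols = raw.split("#", 1)[0].split()
            if not cols or cols[0].startswith("?"):
                continue  # blank line, comment or ?-directive
            if cols[0].lower() == "include" and len(cols) > 1:
                # Simplification: relative names resolve beside the including file.
                yield from effective_rules(os.path.join(os.path.dirname(real), cols[1]), seen)
            elif len(cols) >= 3:
                yield real, cols

def audit(rules_path, pairs=(("net", "fw"), ("net", "lan"))):
    """Return (pairs lacking an ipv6-icmp ACCEPT, rule files from other dirs)."""
    home = os.path.dirname(os.path.realpath(rules_path))
    accepted, foreign = set(), set()
    for src_file, cols in effective_rules(rules_path):
        if os.path.dirname(src_file) != home:
            foreign.add(src_file)
        proto = cols[3].lower() if len(cols) > 3 else ""
        if cols[0] == "ACCEPT" and proto in ("ipv6-icmp", "58"):  # 58 = IANA number
            accepted.add((cols[1], cols[2]))
    return [p for p in pairs if p not in accepted], sorted(foreign)

def demo():
    """Constructed sample: the include workaround, then with the two rules added."""
    root = tempfile.mkdtemp()
    drakx = os.path.join(root, "shorewall", "rules.drakx")
    rules = os.path.join(root, "shorewall6", "rules")
    for p in (drakx, rules): os.makedirs(os.path.dirname(p))
    with open(drakx, "w") as fh:
        fh.write("ACCEPT\tnet\tfw\ttcp\t22\n")  # constructed IPv4-side rule
    with open(rules, "w") as fh:
        fh.write("include " + drakx + "\n")
    before = audit(rules)
    with open(rules, "a") as fh:
        fh.write("ACCEPT  net  fw   ipv6-icmp\nACCEPT  net  lan  ipv6-icmp\n")
    return before, audit(rules)

if __name__ == "__main__":
    print(demo())
```

Only rules that name the zone pair exactly are counted, so a rule limited to a single host does not hide the gap.
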
Comment 3 José Jorge 2019-04-10 11:00:41 CEST
(In reply to José Jorge from comment #2)
> We really need someone to work on this...

Well, I tried. So now in Cauldron we have drakconf-13.20 and drakx-net-2.40 that allow a separate IPv6 firewall configuration. Please test; you can install these packages in MGA6 if you have no beta MGA7 system:

drakconf-13.20-1.mga7.noarch
drakconf-icons-13.20-1.mga7.noarch
drakx-net-applet-2.40-1.mga7.noarch
drakx-net-2.40-1.mga7.noarch
drakx-net-text-2.40-1.mga7.noarch
libdrakx-net-2.40-1.mga7.noarch

Please reopen the bug if needed.

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED