Bug 28793

Summary: drakfirewall6 interferes with ipv6 usage by configuring shorewall6 to block all icmpv6 packets
Product: Mageia
Reporter: Dave Hodgins <davidwhodgins>
Component: RPM Packages
Assignee: Mageia tools maintainers <mageiatools>
Status: NEW
QA Contact:
Severity: normal
Priority: Normal
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7TOO
Source RPM: drakx-net-2.55-1.mga8.src.rpm
CVE:
Status comment:
Attachments: Shorewall6 rules to accept icmpv6 packets
             shorewall rules to accept icmp (ipv4) packets

Description Dave Hodgins 2021-04-16 22:51:14 CEST
Now that I finally have ipv6 access, I've found a problem with shorewall6
blocking icmpv6 packets interfering with ipv6 access.

It sometimes works, but usually fails resulting in the slowing down of all
network connections (waiting for ipv6 to fail), and blocking access to
ipv6 only sites.

drakfirewall6 should add rules allowing icmpv6 packets to be accepted by
shorewall6 (shorewall-ipv6 rpm package).

While less critical, it similarly should add rules for ipv4 icmp packets.
Comment 1 Dave Hodgins 2021-04-16 22:56:55 CEST
Created attachment 12643 [details]
Shorewall6 rules to accept icmpv6 packets

Based on https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
I've put together the attached rules for shorewall6 to accept icmpv6 traffic.
Comment 2 Dave Hodgins 2021-04-16 23:00:36 CEST
Created attachment 12644 [details]
shorewall rules to accept icmp (ipv4) packets

While less critical for ipv4, here are the rules for icmp packets based on
https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

For both lists, unassigned, deprecated, reserved, and experimental packet
types have been excluded.
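As an added illustration of the kind of shorewall6 rules the report asks for (this is not the attached file, which is not reproduced on this page, and not drakfirewall6's own code), the following rules-file fragment accepts the ICMPv6 types that RFC 4890 recommends never be filtered. The zone names `net` and `$FW` are the conventional Shorewall names and are assumed; the type numbers are from the IANA registry linked above.

```text
#ACTION   SOURCE   DEST   PROTO        DPORT
# ICMPv6 error messages: dropping type 2 breaks path MTU discovery, and
# dropping 1, 3 and 4 makes failing connections hang instead of failing fast.
ACCEPT    net      $FW    ipv6-icmp    1          # destination unreachable
ACCEPT    net      $FW    ipv6-icmp    2          # packet too big
ACCEPT    net      $FW    ipv6-icmp    3          # time exceeded
ACCEPT    net      $FW    ipv6-icmp    4          # parameter problem
# Echo request/reply so ping6 works in both directions.
ACCEPT    net      $FW    ipv6-icmp    128        # echo request
ACCEPT    net      $FW    ipv6-icmp    129        # echo reply
# Neighbor Discovery (link-local, hop limit 255): without these the host
# cannot learn its router or resolve neighbors, so IPv6 does not work at all.
ACCEPT    net      $FW    ipv6-icmp    133        # router solicitation
ACCEPT    net      $FW    ipv6-icmp    134        # router advertisement
ACCEPT    net      $FW    ipv6-icmp    135        # neighbor solicitation
ACCEPT    net      $FW    ipv6-icmp    136        # neighbor advertisement
# Multicast Listener Discovery, needed to join solicited-node multicast groups.
ACCEPT    net      $FW    ipv6-icmp    130        # MLD query
ACCEPT    net      $FW    ipv6-icmp    131        # MLDv1 report
ACCEPT    net      $FW    ipv6-icmp    132        # MLDv1 done
ACCEPT    net      $FW    ipv6-icmp    143        # MLDv2 report
```

The symptom in the description (connections slow down while IPv6 "waits to fail") is what blocking the Neighbor Discovery and Packet Too Big types looks like from the application side, which is why these rows are the minimum rather than an optional hardening step. Shorewall6 also ships macros intended for this purpose (for example AllowICMPs); check the macro files in the installed shorewall6 package before relying on one, since the exact set of types they cover is version-dependent.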
Dave Hodgins 2021-04-16 23:42:29 CEST

Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => mageiatools

Comment 3 David Walser 2021-04-19 04:34:25 CEST
This reminds me of the complaint in the recent Distrowatch review about how shorewall in Mageia handles IPv4 and IPv6 separately.  Maybe it's time to rebase our firewall support on firewalld like RedHat/SUSE have done, and which now handle both protocols consistently.