
iptables bug with neighborhood discovery?



Dear Debian admins,

Because I don't know which list is the better one, I sent this mail to both the firewall and the IPv6 mailing list. I hope this is OK.

I have been administering a Debian firewall for 2 years without problems. This week we wanted to activate IPv6 in testing mode. Our firewall script is generated with fwbuilder. After I activated IPv6 on our firewall, I ran into some trouble. The first problem was that radvd wasn't able to send advertisement multicasts (radvd log: operation not permitted). At first I ignored this problem and tested ping6 between the hosts and the firewall with the FE80:: addresses. This wasn't working either. After 2 days of debugging and searching for the error, I found out the following:

fwbuilder generates these rules at the top of the FW script when the option 'Drop packets that are not associated with any known connection' is active:

# drop packets that do not match any valid state
#
$IP6TABLES -N drop_invalid
$IP6TABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid
$IP6TABLES -A INPUT    -m state --state INVALID  -j drop_invalid
$IP6TABLES -A FORWARD  -m state --state INVALID  -j drop_invalid
$IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "REGEL -1 -- DENY "
$IP6TABLES -A drop_invalid  -j DROP

The only rules above these are:

$IP6TABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

When I did a ping (firewall to another host), the firewall log showed the following entries:

Nov 12 08:29:01 mistral kernel: [38947.431937] REGEL 0 -- ACCEPT IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=fe80:0000:0000:0000:f181:4bb8:4d49:ba03 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=34886 SEQ=1
Nov 12 08:29:01 mistral kernel: [38947.431947] REGEL -1 -- DENY IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=ff02:0000:0000:0000:0000:0001:ff49:ba03 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

First: the outgoing ping is permitted.
Second: the neighbor discovery request is rejected by the "state INVALID" rule.
I don't understand how an ND request can be marked as invalid.

When I don't insert these firewall rules:
$IP6TABLES -N drop_invalid
$IP6TABLES -A OUTPUT   -m state --state INVALID  -j drop_invalid
$IP6TABLES -A INPUT    -m state --state INVALID  -j drop_invalid
$IP6TABLES -A FORWARD  -m state --state INVALID  -j drop_invalid
$IP6TABLES -A drop_invalid -j LOG --log-level debug --log-prefix "REGEL -1 -- DENY "
$IP6TABLES -A drop_invalid  -j DROP

everything works fine - but I think a standard firewall should run with these rules enabled.

Is there any mistake I could have made, or did I misunderstand something?

I have this problem on a Debian 5.0.3 system with the latest available kernel: Linux version 2.6.26-2-686 (Debian 2.6.26-19lenny2) (dannf@debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Wed Nov 4 20:45:37 UTC 2009

Thanks for your help!!

alram

--

Alram Lechner
Vogelfängerweg 48
4030 Linz
Österreich
m: +43 650 2800 250
f: +49 1805 4002 - 215410
e: alram.lechner@gmx.at
sms: alramsms@gmx.at
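An added example, not part of the original post or of fwbuilder: a Python script that parses ip6tables LOG lines in the format quoted above, flags ICMPv6 Neighbor Discovery packets (types 133 to 137) whose log prefix marks them as denied, and emits the explicit ND accept rules that belong above the drop_invalid jumps. Connection tracking on this kernel creates no state for ND, so ND never matches ESTABLISHED,RELATED and falls through to the INVALID drop; accepting those ICMPv6 types explicitly ahead of that rule is the usual remedy. The sample log is constructed from the two lines in the post; the `$IP6TABLES` variable, the chain names and the "DENY" log prefix are assumed to match the fwbuilder script shown above.

```python
"""Parse ip6tables LOG output and flag ICMPv6 Neighbor Discovery (ND)
packets dropped by an INVALID-state rule, then emit the accept rules that
belong above that rule.  Added example, not code from the post."""
import re
from typing import Dict, List, Optional

# ICMPv6 types that make up Neighbor Discovery (RFC 4861).  Type 135 is the
# Neighbor Solicitation the post's log shows hitting the DENY rule; 134 is the
# Router Advertisement that radvd could not send.
ND_TYPES = {
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
    137: "redirect",
}

# Constructed sample input: the two kernel log lines quoted in the post.
SAMPLE_LOG = """\
Nov 12 08:29:01 mistral kernel: [38947.431937] REGEL 0 -- ACCEPT IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=fe80:0000:0000:0000:f181:4bb8:4d49:ba03 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=34886 SEQ=1
Nov 12 08:29:01 mistral kernel: [38947.431947] REGEL -1 -- DENY IN= OUT=eth1 SRC=fe80:0000:0000:0000:0215:17ff:fe4f:6137 DST=ff02:0000:0000:0000:0000:0001:ff49:ba03 LEN=72 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
"""

UPTIME_RE = re.compile(r"^\[\s*[\d.]+\]\s*")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one LOG line into {'prefix': ..., 'IN': ..., 'OUT': ..., ...}.

    The LOG target writes the rule's --log-prefix first and IN= as the first
    KEY=VALUE field, so everything before IN= is the prefix.
    Returns None for lines that are not netfilter log output."""
    if "kernel: " not in line:
        return None
    rest = UPTIME_RE.sub("", line.split("kernel: ", 1)[1].strip())
    tokens = rest.split()
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if start is None:
        return None
    rec = {"prefix": " ".join(tokens[:start])}
    for tok in tokens[start:]:
        key, _, val = tok.partition("=")
        rec[key] = val            # "IN=" with no interface yields IN == ""
    return rec


def dropped_nd(log_text: str, deny_marker: str = "DENY") -> List[Dict[str, str]]:
    """Return ND packets whose log prefix contains deny_marker.

    A hit means a link-local ND message fell through to a drop rule, which is
    exactly the symptom in the post (echo request accepted, ND denied)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "ICMPv6" or deny_marker not in rec["prefix"]:
            continue
        itype = int(rec.get("TYPE", "-1"))
        if itype in ND_TYPES:
            hits.append({
                "type": itype,
                "name": ND_TYPES[itype],
                "iface": rec.get("OUT") or rec.get("IN"),
                "src": rec["SRC"],
                "dst": rec["DST"],       # ff02::1:ffXX:XXXX is solicited-node multicast
                "hoplimit": rec.get("HOPLIMIT"),
                "prefix": rec["prefix"],
            })
    return hits


def nd_accept_rules(ip6tables: str = "$IP6TABLES") -> List[str]:
    """ip6tables commands that accept ND in INPUT and OUTPUT.

    Place them *before* the '--state INVALID -j drop_invalid' jumps in the
    script: conntrack creates no state for ND, so ND is classified INVALID.
    ND is link-local and never forwarded, so FORWARD gets no rule.  RFC 4861
    requires hop limit 255 on ND, so '-m hl --hl-eq 255' rejects ND packets
    that have passed through a router."""
    return [
        f"{ip6tables} -A {chain} -p ipv6-icmp --icmpv6-type {itype} "
        f"-m hl --hl-eq 255 -j ACCEPT"
        for chain in ("INPUT", "OUTPUT")
        for itype in sorted(ND_TYPES)
    ]


if __name__ == "__main__":
    for hit in dropped_nd(SAMPLE_LOG):
        print(f"{hit['prefix']}: {hit['name']} (type {hit['type']}) "
              f"on {hit['iface']} {hit['src']} -> {hit['dst']}")
    print("\nRules to insert above the drop_invalid block:")
    print("\n".join(nd_accept_rules()))
```

Run it against `/var/log/kern.log` (or `dmesg` output) to confirm the same pattern on a live system; the emitted rules use `-A`, so they only end up above the INVALID drop if they are placed earlier in the generated script, otherwise use `-I` with an explicit position.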