Bug 399757

Summary: SuSEfirewall configured by YaST filters all IPv6 incomming communication
Product: [openSUSE] openSUSE 10.2 Reporter: Martin Calko <cmartin>
Component: YaST2Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED INVALID QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P5 - None CC: chrubis, cmartin, locilka
Version: Final   
Target Milestone: ---   
Hardware: x86   
OS: openSUSE 10.2   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: SuSEfirewall2 configuration file

Description Martin Calko 2008-06-12 17:21:42 UTC 
SuSEfirewall2-3.5_SVNr159-4 configured by yast2-firewall-2.14.1-15 module is completely blocking incomming IPv6 communication although some ports/services are allowed.

Outgoing traceroute6 works incorrectly too if SuSEfirewall2 is activated.
Comment 1 Cyril Hrubis 2008-06-12 19:21:07 UTC 
Not sure if this is fixed meanwhile (10.2 is pretty old). Lukas?
Comment 2 Marcus Meissner 2008-06-13 18:01:16 UTC 
what is the configuration (/etc/sysconfig/SuSEfirewall2) ?
Comment 3 Martin Calko 2008-06-14 07:58:55 UTC 
Created attachment 222158 [details]
SuSEfirewall2 configuration file

comments filtered out
Comment 4 Martin Calko 2008-06-14 08:00:34 UTC 
(In reply to comment #2 from Marcus Meissner)
> what is the configuration (/etc/sysconfig/SuSEfirewall2) ?
As you can see in attachement
Comment 5 Ludwig Nussel 2008-06-16 08:17:17 UTC 
The 10.2 kernel doesn't support ipv6 state matching properly. If you run SuSEfirewall2 manually you will see that it says that ipv6 support is disabled. You can set FW_IPv6=no and write custom v6 rules that do not require state matching if you need ipv6 firewalling. Alternatively upgrade to 11.0 which supports v6 state matching.