Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | When configuring networking with yast, using dhcp6, firewall blocks it. | | |
| Product: | [openSUSE] openSUSE 12.3 | Reporter: | Carlos Robinson <carlos.e.r> |
| Component: | YaST2 | Assignee: | Michal Filka <mfilka> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | meissner, mt |
| Version: | Final | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | openSUSE 12.3 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Thanks for report. Do you use default SuSEfirewall2 configuration? Is /etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server existent at your machine? Do you have net device where you expect dhcp replies assigned into any zone (INT, EXT, DMZ, ...)? If yes, which one? You can check it e.g. using "yast2 firewall" -> interfaces -> Look into "Configured in" column.

This is the same issue as bug 783002. Short summary:
- ipv4 dhcp works through the firewall "RELATED" rules
- ipv6 dhcp does not work through the firewall "RELATED" rules as we cannot match the broadcast address to the reply address.
Unconditionally opening ports might be a workaround but probably should not be default.

(In reply to comment #1)
> Thanks for report.
>
> Do you use default SuSEfirewall2 configuration?

AFAIK, current changes are:

```
Telcontar:~ # diff /other/aux_01/etc/sysconfig/SuSEfirewall2~ /other/aux_01/etc/sysconfig/SuSEfirewall2
252c252
< FW_SERVICES_EXT_TCP="546"
---
> FW_SERVICES_EXT_TCP=""
266c266
< FW_SERVICES_EXT_UDP="546"
---
> FW_SERVICES_EXT_UDP="dhcpv6-client mdns"
Telcontar:~ #
```

and they were done after the problem was detected.

> Is /etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server existent at your
> machine?

Yep.

```
Telcontar:~ # l /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp*
-rw-r--r-- 1 root root 503 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp-server
-rw-r--r-- 1 root root 507 Mar 27 16:40 /other/aux_01/etc/sysconfig/SuSEfirewall2.d/services/dhcp6-server
Telcontar:~ #
```

> Do you have net device where you expect dhcp replies assigned into any zone
> (INT, EXT, DMZ, ...)? If yes, which one? You can check it e.g. using "yast2
> firewall" -> interfaces -> Look into "Configured in" column

To look in YaST, I would have to boot into that partition, and that has to wait a bit. I can tell you the contents of the firewall file:

```
/other/aux_01/etc/sysconfig/SuSEfirewall2:
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
```

Is that what you want? Or this?

```
Telcontar:~ # cat /other/aux_01/etc/sysconfig/network/ifcfg-eth0
BOOTPROTO='dhcp'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL8111/8168B PCI Express Gigabit Ethernet controller'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'
Telcontar:~ #
```

Yes, config seems good. There is already running discussion in bnc#783002. If I understand it well, netfilter is unable to track DHCPv6 related packets. Opening firewall unconditionally is considered insecure and is not provided by default in SuSEfirewall2. From YaST POV there are two possibilities: (1) do not touch; (2) enable 546/udp,tcp explicitly when dhcpv6 is enabled in services. I personally don't like this approach. I think it can cause only troubles once DHCPv6 gets properly tracked by netfilter. Also, I think that IPv6 / DHCPv6 is not so widely used to require such special approach.

I thought this is about the dhcp CLIENT for ipv6? Or is this about the IPv6 DHCP server? If it's about the DHCP server, opening ports is possible.

What I reported originally was about the client side. The computer running openSUSE Linux 12.3 requests an IPv6 address, and does not get it because it is blocked in the firewall.

This is an autogenerated message for OBS integration: This bug (822959) was mentioned in https://build.opensuse.org/request/show/235571 Factory / SuSEfirewall2 trying to allow dhcpv6 input by default
I'm testing a new router that has IPv6 capabilities. I enabled its DHCP6 server, but oS 12.3 did not get an IPv6, only the IPv4 one. See:

```
rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link        <-- (1)
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3171265 (3.0 Mb)  TX bytes:379424 (370.5 Kb)
```

(1) that's a link local address, not one via dhcp

Log:

```
> 2013-06-03T20:57:04.618453+02:00 rescate1 network[6148]: eth0 Starting DHCP4+DHCP6 client. . . . . . . .
> 2013-06-03T20:57:04.619896+02:00 rescate1 ifup-dhcp[6561]:
> 2013-06-03T20:57:04.620840+02:00 rescate1 network[6148]: eth0 IP address: 192.168.1.31/24
> 2013-06-03T20:57:04.621691+02:00 rescate1 ifup-dhcp[6561]: eth0 IP address: 192.168.1.31/24
> 2013-06-03T20:57:04.622276+02:00 rescate1 network[6148]: eth0 DHCP6 continues in background
> 2013-06-03T20:57:04.623284+02:00 rescate1 ifup-dhcp[6561]: eth0 DHCP6 continues in background
> 2013-06-03T20:57:04.702500+02:00 rescate1 network[6148]: ..done eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
> 2013-06-03T20:57:04.703128+02:00 rescate1 ifup[8861]: eth1 device: Realtek Semiconductor Co., Ltd. RTL8111/8168
> 2013-06-03T20:57:04.704288+02:00 rescate1 network[6148]: No configuration found for eth1
> 2013-06-03T20:57:04.704996+02:00 rescate1 ifup[8861]: No configuration found for eth1
> 2013-06-03T20:57:04.726882+02:00 rescate1 network[6148]: ..unusedSetting up service network . . . . . . . . . . . . ...done
> 2013-06-03T20:57:04.726903+02:00 rescate1 systemd[1]: Started LSB: Configure network interfaces and set up routing.
```

The openSUSE firewall blocks it!

Firewall log:

```
> 2013-06-03T20:57:04.158282+02:00 rescate1 kernel: [ 1675.547633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
> 2013-06-03T20:57:21.676291+02:00 rescate1 kernel: [ 1693.065233] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
> 2013-06-03T20:57:56.000281+02:00 rescate1 kernel: [ 1727.389585] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
> 2013-06-03T20:59:07.315296+02:00 rescate1 kernel: [ 1798.704924] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
```

The port 546 is assigned to it:

```
dhcpv6-client   546/tcp   # DHCPv6 Client
dhcpv6-client   546/udp   # DHCPv6 Client
dhcpv6-server   547/tcp   # DHCPv6 Server
dhcpv6-server   547/udp   # DHCPv6 Server
```

So, now, after explicitly opening that port, I get it:

```
rescate1:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:16:2D:0B
          inet addr:192.168.1.31  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe16:2d0b/64 Scope:Link
          inet6 addr: fc00::7fff/64 Scope:Global          <--- correct IPv6 address.
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4854 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3288751 (3.1 Mb)  TX bytes:430544 (420.4 Kb)
```

I propose that YaST ifup config should automatically or manually (or at least suggest), open that port if dhcp6 (client) is enabled.
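As an added example (not part of the bug report, and not code from SuSEfirewall2 or YaST), the Python script below does the two checks a defender would run on a host showing these symptoms: it parses SFW2 kernel records like the ones in the firewall log above, flags dropped inbound UDP datagrams to the DHCPv6 client port 546, and then reads a SuSEfirewall2-style sysconfig fragment to report whether the zone that holds the dropping interface lists dhcpv6-client (or 546) in its FW_SERVICES_<ZONE>_UDP. The sample log lines and the two config fragments are constructed from the values shown in the report; the function names are my own, and matching interfaces to zones only by plain names in FW_DEV_EXT/INT/DMZ is an assumption that ignores other keywords SuSEfirewall2 accepts there.

```python
"""Spot SuSEfirewall2 drops of DHCPv6 replies and check the zone's UDP services."""
import ipaddress
import re
from typing import Dict, List, Optional

DHCPV6_CLIENT_PORT = 546  # replies from the DHCPv6 server/router go to udp/546

# Everything after the "SFW2-<chain>" tag of a kernel log record is KEY=VALUE.
SFW2_RE = re.compile(r"kernel: \[\s*[\d.]+\] (SFW2-\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Simple shell assignments as found in /etc/sysconfig/SuSEfirewall2.
SYSCONFIG_RE = re.compile(r"""^\s*(FW_\w+)=(?:"([^"]*)"|'([^']*)'|(\S*))\s*$""", re.M)

# Constructed sample log: two dropped DHCPv6 replies modelled on the report,
# one unrelated TCP drop, and one line that is not a firewall record.
SAMPLE_LOG = """\
2013-06-03T20:57:04.158282+02:00 rescate1 kernel: [ 1675.547633] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:57:21.676291+02:00 rescate1 kernel: [ 1693.065233] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:86:dd SRC=fe80:0000:0000:0000:d0fa:c7ff:fe67:4031 DST=fe80:0000:0000:0000:0221:85ff:fe16:2d0b LEN=152 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=48629 DPT=546 LEN=112
2013-06-03T20:58:00.000000+02:00 rescate1 kernel: [ 1731.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:1a:67:91:f4:22:08:00 SRC=192.0.2.10 DST=192.168.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
2013-06-03T20:57:04.618453+02:00 rescate1 network[6148]: eth0 Starting DHCP4+DHCP6 client
"""

# Constructed config fragments: the EXT zone with no UDP services opened,
# and the same zone after adding dhcpv6-client as in the reporter's diff.
CFG_DEFAULT = '''\
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
'''
CFG_FIXED = CFG_DEFAULT.replace('FW_SERVICES_EXT_UDP=""',
                                'FW_SERVICES_EXT_UDP="dhcpv6-client mdns"')


def parse_sfw2_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one SFW2 kernel record, or None for any other line."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group(1)}
    # LEN appears twice (IPv6 payload length, then UDP length); the last one
    # wins, which is harmless because the decision below never uses it.
    for key, value in KV_RE.findall(m.group(2)):
        fields[key] = value
    return fields


def is_dropped_dhcpv6_reply(fields: Dict[str, str]) -> bool:
    """True for a DROP record of an inbound IPv6 UDP datagram to port 546."""
    if "DROP" not in fields.get("CHAIN", "") or not fields.get("IN"):
        return False
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(DHCPV6_CLIENT_PORT):
        return False
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return False
    # The router in the report answered from a link-local address and an
    # ephemeral source port, so neither fe80::/10 nor SPT=547 is required here.
    return src.version == 6


def dropped_dhcpv6_replies(log_text: str) -> List[Dict[str, str]]:
    """All SFW2 records in log_text that dropped a DHCPv6 reply."""
    records = (parse_sfw2_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_dropped_dhcpv6_reply(r)]


def parse_sysconfig(text: str) -> Dict[str, str]:
    """FW_* assignments of a SuSEfirewall2 sysconfig file (plain values only)."""
    cfg = {}
    for m in SYSCONFIG_RE.finditer(text):
        cfg[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return cfg


def zone_of(cfg: Dict[str, str], iface: str) -> Optional[str]:
    """EXT/INT/DMZ zone whose FW_DEV_* list names iface (plain names assumed)."""
    for zone in ("EXT", "INT", "DMZ"):
        if iface in cfg.get(f"FW_DEV_{zone}", "").split():
            return zone
    return None


def dhcpv6_client_allowed(cfg: Dict[str, str], iface: str) -> bool:
    """True if the zone holding iface opens udp/546 by service name or number."""
    zone = zone_of(cfg, iface)
    if zone is None:
        return False
    services = cfg.get(f"FW_SERVICES_{zone}_UDP", "").split()
    return "dhcpv6-client" in services or str(DHCPV6_CLIENT_PORT) in services


def diagnose(log_text: str, sysconfig_text: str) -> List[str]:
    """One finding per interface with dropped DHCPv6 replies, plus the zone verdict."""
    cfg = parse_sysconfig(sysconfig_text)
    findings = []
    for iface in sorted({r["IN"] for r in dropped_dhcpv6_replies(log_text)}):
        zone = zone_of(cfg, iface) or "no zone"
        verdict = "allows" if dhcpv6_client_allowed(cfg, iface) else "blocks"
        findings.append(f"{iface}: DHCPv6 replies dropped; {zone} {verdict} udp/546")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("default", CFG_DEFAULT), ("fixed", CFG_FIXED)):
        print(name, diagnose(SAMPLE_LOG, cfg_text))
```

Run against a real system, replace SAMPLE_LOG with the kernel log (e.g. the output of journalctl -k) and the config fragments with /etc/sysconfig/SuSEfirewall2; a finding that reads "blocks" reproduces the situation in the report, while "allows" after a drop means the drops predate the config change, as in the reporter's own diff.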