ufw

Add IPv6 router settings to ufw-framework

Bug #1030220 reported by Patrick Fasano
Affects: ufw
Status: Triaged
Importance: Wishlist
Assigned to: Patrick Fasano
Milestone: (none)

Bug Description

"man ufw-framework" already gives simple instructions on how to set up a NAT firewall using ufw's before.rules -- a similar section on setting up routing for IPv6 should be added to ufw-framework. It should be a lot simpler than explaining NAT, since NAT is gone. :-)

The applicable rules that would be added to the man page are (something like):

To allow connections to servers on the inside at 2001:0DB8::a and 2001:0DB8::b add the following lines before COMMIT in before6.rules:

-A ufw6-before-forward -o eth0 -d 2001:0DB8::a -m state --state NEW -j ACCEPT
-A ufw6-before-forward -o eth0 -d 2001:0DB8::b -m state --state NEW -j ACCEPT

To allow routing to the Internet for hosts on the internal network 2001:0DB8::/32 on interface eth0, add the following lines before COMMIT in before6.rules:

# ok icmp codes
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

-A ufw6-before-forward -i eth0 -s 2001:0DB8::/32 -o eth1 -m state --state NEW -j ACCEPT
-A ufw6-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

To allow DHCPv6 for the local network, run the following command:

ufw allow in on eth0 proto udp from fe80::/10 port 546 to any port 547
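
An added helper for the "before COMMIT in before6.rules" step above (example code, not the reporter's patch and not part of ufw): it splices rules in ahead of the COMMIT line without duplicating ones already present, and flags any -A/-I lines that ended up after COMMIT, where ip6tables-restore silently ignores them. File names are whatever the caller passes; the default ufw path is /etc/ufw/before6.rules.

```shell
#!/bin/sh
# Added example, not from the bug report or from ufw: manage rules in a
# before6.rules-style file (ip6tables-restore format).
set -eu

# add_before_commit TARGET RULES: append each non-empty, non-comment line of
# RULES to TARGET just before the first COMMIT line, unless an identical line
# is already in TARGET. Prints the number of rules inserted.
add_before_commit() {
    target=$1; rules=$2
    pending=$(mktemp); out=$(mktemp)
    added=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        [ -z "$rule" ] && continue
        case $rule in "#"*) continue ;; esac
        if ! grep -qxF -- "$rule" "$target"; then
            printf '%s\n' "$rule" >> "$pending"
            added=$((added + 1))
        fi
    done < "$rules"
    # Splice the pending rules in ahead of the first COMMIT line only.
    awk -v f="$pending" '
        /^COMMIT$/ && !done { while ((getline l < f) > 0) print l; done = 1 }
        { print }' "$target" > "$out"
    # Overwrite in place so the file keeps its owner and mode (ufw expects 0640).
    cat "$out" > "$target"
    rm -f "$pending" "$out"
    echo "$added"
}

# rules_after_commit FILE: print any -A/-I lines that appear after COMMIT and
# return 1 if there are any, since ip6tables-restore never loads them.
rules_after_commit() {
    awk '/^COMMIT$/ { seen = 1; next }
         seen && /^-[AI] / { print; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}
```

After editing, `ufw reload` applies the file; `ip6tables -S ufw6-before-forward` shows which of the rules were actually loaded.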

Patrick Fasano (kc9jud) wrote:

Granted, some nice explanation of all the rules would be helpful, too... I might be able to work on them if this has a good chance of making it into the main source...

Jamie Strandboge (jdstrand) wrote:

Thanks for using ufw and reporting a bug. Yes, I think this would be very helpful and would be happy to add it to the man page. Do note that DHCPv6 is already fixed in 0.31.2 (it will also be in 0.33) for the client, though your rule looks to be for the server (which would be a fine addition to the man page). If you'd like to send those explanations, that would be great. Thanks!

Changed in ufw:
importance: Undecided → Wishlist
status: New → Confirmed
Patrick Fasano (kc9jud) wrote:

I'll write it up and post it here as a patch to the manpage!

Changed in ufw:
assignee: nobody → Patrick Fasano (kc9jud)
status: Confirmed → In Progress
Changed in ufw:
status: In Progress → Triaged