Bug 656334

Summary: Default Firewall blocking DHCPv6
Product: Red Hat Enterprise Linux 6
Reporter: Harald Hoyer <harald>
Component: system-config-firewall
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: low
Version: 6.0
CC: bart.vanbrabant, cra, jwest, pknirsch, rps, tgraf, tore, twaugh
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 656315
Clones: 712003
Environment:
Last Closed: 2012-06-25 15:27:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 656315, 656335, 712003, 845867
Bug Blocks: 684314

Description Harald Hoyer 2010-11-23 14:47:20 UTC
+++ This bug was initially created as a clone of Bug #656315 +++

Description of problem:

Problem 1: Default Firewall blocking DHCPv6

The default ip6tables configuration was written to replicate the behavior of the default iptables policy.  This is a good thing.  Unfortunately, the default ip6tables policy blocks DHCPv6 traffic, breaking DHCPv6 on the system.  This is because conntrack has no way to track DHCPv6, which uses multicast, so DHCPv6 traffic is not caught by allowing ESTABLISHED,RELATED connections.  The default firewall must be modified to allow DHCPv6 traffic by default.  This means the addition of the following rule:

-A INPUT -p udp --dport 546 -j ACCEPT

Comment 3 Bart Vanbrabant 2010-12-10 15:50:46 UTC
This report also mentions this: #552099

The rule can be more strict:
-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT
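Added example, not part of the bug report or of system-config-firewall: a POSIX shell check over a constructed ip6tables-save style dump modelled on the RHEL 6 default policy from the description, showing that the INPUT chain reaches its catch-all REJECT before anything matches UDP port 546, and inserting the stricter rule from comment 3 in front of that REJECT. The dump contents, the function names and the awk matching logic are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: inspect an ip6tables-save style
# dump for DHCPv6 client acceptance and insert the stricter rule if missing.

# Constructed dump modelled on the RHEL 6 default ip6tables policy described
# in the report: ESTABLISHED,RELATED is accepted, but nothing matches the
# multicast DHCPv6 replies before the catch-all REJECT.
DEFAULT_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# Stricter rule from comment 3: link-local only, server port 547 -> client port 546.
DHCPV6_RULE='-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -s fe80::/10 -d fe80::/10 -j ACCEPT'

# dhcpv6_allowed DUMP: returns 0 if an INPUT rule accepting UDP dport 546
# appears before the INPUT catch-all REJECT, 1 otherwise.
dhcpv6_allowed() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j REJECT/ && !/--dport/ { blocked = 1 }
        /^-A INPUT / && /-p udp/ && /--dport 546/ && /-j ACCEPT/ && !blocked { found = 1 }
        END { if (found) exit 0; else exit 1 }'
}

# add_dhcpv6_rule DUMP: prints DUMP with DHCPV6_RULE inserted just before the
# first INPUT catch-all REJECT, which is where it must sit to take effect.
add_dhcpv6_rule() {
    printf '%s\n' "$1" | awk -v rule="$DHCPV6_RULE" '
        /^-A INPUT / && /-j REJECT/ && !/--dport/ && !done { print rule; done = 1 }
        { print }'
}

if dhcpv6_allowed "$DEFAULT_DUMP"; then
    echo "DHCPv6 client traffic is accepted"
else
    echo "DHCPv6 client traffic hits the catch-all REJECT; inserting rule"
    add_dhcpv6_rule "$DEFAULT_DUMP"
fi
```

Run against a real system with `dhcpv6_allowed "$(ip6tables-save)"` to see whether the active policy has the same gap.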

Comment 4 Phil Knirsch 2010-12-17 15:05:54 UTC
After several discussions with Thomas Graf and Thomas Woerner the final solution will now be mainly handled via a new kernel module that "does the right thing"(tm). So the only changes we need at the moment are the kernel module and support in anaconda initially.

Moving this bug to 6.2 to cover how we handle this properly in s-c-f then (aka, lokkit support and new service).

Thanks & regards, Phil

Comment 5 Tim Waugh 2011-06-01 11:54:25 UTC
Is this related to bug #638176?