Description of problem:
If IPv6 DHCPv6 client is enabled on a system with ip6tables configured via system-config-firewall, the necessary ports are blocked and there is no easy mechanism to open them. Unlike DHCP for IPv4, DHCP for IPv6 uses normal UDP traffic over standard ports (546/udp).

Version-Release number of selected component (if applicable):
system-config-firewall-1.2.21-1.fc12.noarch
iptables-ipv6-1.4.5-1.fc12.i686
dhclient-4.1.0p1-13.fc12.i686

How reproducible:
100%

Steps to Reproduce:
1. Set up IPv6 IPTables (ip6tables) via system-config-firewall as a default workstation.
2. Start dhclient -6 -v
3. Optionally run tcpdump ip6 to observe traffic

Actual results:
dhclient sends requests, and responses are sent by the DHCPv6 server, but no responses are received.

Expected results:
dhclient should receive a valid DHCPv6 response either as an address or other information.

Additional info:
If the IPv6 tables rules are flushed and the policy is to accept all traffic, it works fine, similarly if the following rule is manually added into the system:

-A RH-Firewall-1-INPUT -p udp -m udp --sport 547 --dport 546 -d fe80::/10 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 547 --dport 546 -d fe80::/10 -j ACCEPT

it also works (note, I'm not sure they are the best rules, they just work).
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Still can't see any way in Fedora 14 to set up the firewall with system-config-firewall to accept DHCPv6 data.
I'm using Fedora 15 and I have just tested it at a conference, Internet and Technology 2011 in Prague (starting at IPv6 day, BTW). They had an experimental network with RA, stateless autoconfiguration of addresses, but DHCPv6 configuration of DNS. The DNS part failed with NetworkManager (IPv6 set to Automatic, IPv4 set to Disabled). NetworkManager called dhclient, dhclient sent a DHCPv6 Information Request and tcpdump showed the host got a DHCPv6 reply from the server. But dhclient asked again and again, until it gave up.
I ran into this after a clean (my first) installation of Fedora (15, XFCE). After installation and setup of apache (which I enabled in the firewall in xfce main menu - administration - firewall) I moved on to set up dhclient for ipv6. I have RA+DHCPv6 on my router. I tried the NM applet in xfce to enable ipv6 but no luck. So I switched to the console and I got to the same point as mentioned in this bug.

Evidence:
- Router is :f859 below
- Host with F15 is :41d8

dhclient -d -6 wlan0 on fedora tries to solicit ipv6 with "no answer from router"
--------------------------------------------------------------------------
# dhclient -d -6 wlan0
Internet Systems Consortium DHCP Client 4.2.1-P1
Copyright 2004-2011 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Bound to *:546
Listening on Socket/wlan0
Sending on Socket/wlan0
PRC: Soliciting for leases (INIT).
XMT: Forming Solicit, 0 ms elapsed.
XMT: X-- IA_NA a5:a9:41:d8
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: Solicit on wlan0, interval 1080ms.
XMT: Forming Solicit, 1080 ms elapsed.
XMT: X-- IA_NA a5:a9:41:d8
XMT: | X-- Request renew in +3600
XMT: | X-- Request rebind in +5400
XMT: Solicit on wlan0, interval 2170ms.
...
and so on
--------------------------------------------------------------------------

tcpdump on the router revealed this (foreign packets removed):
--------------------------------------------------------------------------
12:12:04.547901 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, neighbor solicitation, who has fe80::200:21ff:fe5c:f859, length 32
12:12:04.547918 IP6 fe80::200:21ff:fe5c:f859 > fe80::214:a5ff:fea9:41d8: ICMP6, neighbor advertisement, tgt is fe80::200:21ff:fe5c:f859, length 24
12:12:05.442119 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable, unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:06.523644 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable, unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:07.487287 IP6 fe80::200:21ff:fe5c:f859 > ff02::1:ff4e:d277: ICMP6, neighbor solicitation, who has fe80::222:fcff:fe4e:d277, length 32
12:12:07.536033 IP6 fe80::222:fcff:fe4e:d277 > fe80::200:21ff:fe5c:f859: ICMP6, neighbor advertisement, tgt is fe80::222:fcff:fe4e:d277, length 32
12:12:08.695056 IP6 fe80::214:a5ff:fea9:41d8 > fe80::200:21ff:fe5c:f859: ICMP6, destination unreachable, unreachable prohibited fe80::214:a5ff:fea9:41d8, length 140
12:12:08.959189 IP6 fe80::200:21ff:fe5c:f859 > ff02::1: ICMP6, router advertisement, length 56
--------------------------------------------------------------------------

and finally ip6tables on the fedora client shows:
--------------------------------------------------------------------------
# ip6tables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
2      231 22120 ACCEPT     icmpv6    *      *       ::/0                 ::/0
3        0     0 ACCEPT     all      lo     *       ::/0                 ::/0
4        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:22
5        0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 state NEW tcp dpt:80
6        5   660 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT 12 packets, 1544 bytes)
num   pkts bytes target     prot opt in     out     source               destination
--------------------------------------------------------------------------

So I think there should be a default rule allowing dhcp configuration of ipv6, or at least an optional way to enable it using firewall gui(...) tools? Maybe (if it is possible) such a rule should be enabled if NM is configured to use ipv6 (from dhcp). Or at least it should be mentioned anywhere/somewhere else than just in this bugreport.
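
The rule listing above can be walked by hand to see where a DHCPv6 reply lands. The following is an added example, not part of the original comments or of any Fedora tool: a first-match model of that INPUT chain, with the reporter's UDP rule from the bug description inserted before the final REJECT. It assumes the reply is classified as state NEW (the Solicit goes to the multicast group ff02::1:2 while the reply is unicast from the server, which agrees with the zero counter on rule 1 and the hits on rule 6); the dictionary layout and function names are hypothetical.

```python
import ipaddress

# Constructed model of the INPUT chain from the `ip6tables -vnL` listing above.
INPUT_CHAIN = [
    {"target": "ACCEPT", "state": {"RELATED", "ESTABLISHED"}},
    {"target": "ACCEPT", "proto": "icmpv6"},
    {"target": "ACCEPT", "in": "lo"},
    {"target": "ACCEPT", "proto": "tcp", "state": {"NEW"}, "dport": 22},
    {"target": "ACCEPT", "proto": "tcp", "state": {"NEW"}, "dport": 80},
    {"target": "REJECT"},  # reject-with icmp6-adm-prohibited
]

# The reporter's UDP rule: -p udp --sport 547 --dport 546 -d fe80::/10 -j ACCEPT
DHCPV6_RULE = {"target": "ACCEPT", "proto": "udp",
               "sport": 547, "dport": 546, "dst": "fe80::/10"}

# Constructed packet: server reply to the client, addresses from the tcpdump above.
# Assumption: conntrack marks it NEW because the request went to multicast.
REPLY = {"in": "wlan0", "proto": "udp", "state": "NEW",
         "src": "fe80::200:21ff:fe5c:f859", "sport": 547,
         "dst": "fe80::214:a5ff:fea9:41d8", "dport": 546}

def matches(rule, pkt):
    """True when every match criterion present in the rule fits the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "state":
            if pkt["state"] not in want:
                return False
        elif key == "dst":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """Return (rule number, target) of the first matching rule, else (0, policy)."""
    for num, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return num, rule["target"]
    return 0, policy

def with_dhcpv6_rule(chain):
    """Copy of the chain with the DHCPv6 rule placed before the final REJECT."""
    return chain[:-1] + [DHCPV6_RULE] + chain[-1:]

if __name__ == "__main__":
    print("default chain:", verdict(INPUT_CHAIN, REPLY))
    print("with rule:    ", verdict(with_dhcpv6_rule(INPUT_CHAIN), REPLY))
```

Only traffic to 546/udp from source port 547 with a link-local destination is let through by the added rule; other new inbound UDP still falls through to the REJECT.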
Related: bug 591630
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping