From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041020

Description of problem:
system-config-securitylevel only configures IPv4 firewalls; IPv6 is ignored. This means that services that are blocked by the IPv4 firewall can still be reached through IPv6. This also applies to the initial firewall setup by anaconda.

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.4.14-1

How reproducible:
Always

Steps to Reproduce:
1. Configure a firewall through system-config-securitylevel
2. Activate the new setup.
3. There is no effect on IPv6.

Actual Results:
Firewall rules are only written to /etc/sysconfig/iptables and not to /etc/sysconfig/ip6tables

Expected Results:
At least have these rules identical for the two protocols or block everything by default for IPv6.

Additional info:
Please test 1.6.19-1 in Rawhide and see how well it works for you. It should currently be performing exactly the same actions for IPv4 and IPv6, except for a couple things that are not currently supported by the ip6tables code.
It seems to write IPv6 firewall rules now; however, there is no warning if iptables/ip6tables are not enabled or even installed.
s-c-securitylevel will enable the ip6tables service and load the appropriate module. The rest can be solved by making it require iptables-ipv6.
Some further testing seems to show that state-tracking does not seem to work with ip6tables: when making an outgoing IPv6 TCP connection, the returning packets are blocked. Incoming IPv6 connections to open services are blocked too with the current script. This must be a bug in iptables-ipv6 and not system-config-securitylevel, though.
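
The parity condition from the original report (identical rules for both protocols, or a default block for IPv6) can be checked mechanically. The following is an added example, not part of the thread and not code from system-config-securitylevel; it assumes the contents of /etc/sysconfig/iptables and /etc/sysconfig/ip6tables are in iptables-save format, and the sample ruleset and the names parse_ruleset and audit are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not taken from the bug report).
V4_SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_ruleset(text):
    """Return (default_deny, accepted_ports) for iptables-save style text."""
    input_policy, accepted, catch_all = None, set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):            # e.g. ":INPUT DROP [0:0]"
            input_policy = line.split()[1]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            if opts["-A"] in ("FORWARD", "OUTPUT"):
                continue                           # only inbound filtering matters here
            target = opts.get("-j")
            if target == "ACCEPT" and "--dport" in opts:
                accepted.add((opts.get("-p", "any"), opts["--dport"]))
            # Simplification: any unconditional DROP/REJECT counts as the catch-all.
            elif target in ("DROP", "REJECT") and set(opts) <= {"-A", "-j", "--reject-with"}:
                catch_all = True
    return input_policy == "DROP" or catch_all, accepted

def audit(v4_text, v6_text):
    """Compare IPv4 and IPv6 rulesets; v6_text is None when no ip6tables file exists."""
    v4_deny, v4_ports = parse_ruleset(v4_text)
    v6_deny, v6_ports = parse_ruleset(v6_text or "")
    findings = []
    if v4_deny and not v6_deny:
        findings.append("IPv6 has no default deny: services blocked on IPv4 stay reachable over IPv6")
    findings += [f"{p}/{d} accepted on IPv6 only" for p, d in sorted(v6_ports - v4_ports)]
    if v6_deny:
        findings += [f"{p}/{d} accepted on IPv4 only" for p, d in sorted(v4_ports - v6_ports)]
    return findings

if __name__ == "__main__":
    v6_sample = V4_SAMPLE.replace("icmp-host-prohibited", "icmp6-adm-prohibited")
    print(audit(V4_SAMPLE, None))        # the situation in the report: no IPv6 rules written
    print(audit(V4_SAMPLE, v6_sample))   # matching rulesets
```

On a live host, pass the text of the two sysconfig files to audit(), using None for a missing ip6tables file.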