ufw

IPv6 Tunnels and 6to4 blocked.

Bug #502655 reported by TDJACR on 2010-01-03
This bug affects 5 people
Affects: ufw
Importance: Wishlist
Assigned to: Jamie Strandboge

Bug Description

I'm trying to use ufw with a VPS. Using both 6to4 and a HE tunnel, ufw doesn't behave as expected. It behaves fine with ipv4, however.
IPv6 is enabled in /etc/default/ufw
When I set the default option to drop, ipv6 drops everything disregarding the rules (ipv4 works fine)
When I set the default option to accept, ipv6 allows everything, regardless of the rules I've set.

Blocks in log:

HE Tunnel
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:61:6b:8a:6f:00:d0:02:20:38:00:08:00 SRC=209.51.161.14 DST=xx.xxx.xxx.xxx LEN=100 TOS=0x00 PREC=0x00 TTL=23 ID=31372 PROTO=41
6to4
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:61:6b:8a:6f:00:0e:39:6f:48:00:08:00 SRC=192.88.99.1 DST=xx.xxx.xxx.xxx LEN=86 TOS=0x00 PREC=0x00 TTL=244 ID=47185 PROTO=41

Where xx.xxx.xxx.xxx is the IP of my server

Ubuntu 9.10 64 Bit
ufw 0.29-4ubuntu1

TDJACR (thedjatclubrock) wrote :

As I understand, there is no way to currently enable protocol 41

Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and taking the time to report a bug. IPv6 6to4 tunnels are not supported by the cli command at this time. As a workaround until this is implemented, you can add the needed rules to /etc/ufw/before*.rules.

Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Wishlist
status: New → Triaged

TDJACR (thedjatclubrock) wrote :

Is there documentation for adding these rules? Thanks!

Jamie Strandboge (jdstrand) wrote :

thedjatclubrock,

/etc/ufw/before*.rules are standard iptables-restore files (in other words, in most cases you can add iptables rules to the file directly, just omit 'iptables' at the beginning). See 'man ufw' and 'man ufw-framework' (ufw 0.29 and later) for details.

Jamie Strandboge (jdstrand) wrote :

Changes for this have been added to trunk in commit r623. This will be fixed in ufw 0.30.

Changed in ufw:
status: Triaged → Fix Committed

On Fri, 2010-02-12 at 12:39 +0000, Jamie Strandboge wrote:
> Changes for this have been added to trunk in commit r623. This will be
> fixed in ufw 0.30.
>
> ** Changed in: ufw
> Status: Triaged => Fix Committed
>

Thank you so much! Is there a release date set?

Good work!

Jamie Strandboge (jdstrand) wrote :

0.30 will be in the upcoming Ubuntu 10.04 LTS. I'm hoping to release it soon (within the next week or so).

Scott Anderson (swaj) wrote :

For those that are watching this, I was encountering this issue with 10.04 LTS, but I figured out the syntax to fix it. You basically need to allow traffic over protocol 41 from your ipv4 tunnel endpoint. For example, my IPv4 endpoint was with HE's tunnel broker at 72.52.104.74, so my ufw allow line looks like this:

ufw allow proto ipv6 from 72.52.104.74

After adding this rule, traffic was coming in/out with no issues.

Cheers!
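
Added example, not part of the original thread and not ufw's own code: a Python sketch that reads [UFW BLOCK] lines like the ones in the report, finds blocked protocol-41 senders, and emits /etc/ufw/before.rules lines only for addresses the operator has listed as tunnel endpoints. The sample log is constructed, the function names are hypothetical, and the ufw-before-input chain name assumes the stock before.rules layout.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the [UFW BLOCK] lines in the report.
# DST uses a documentation address; the last two lines are invented.
SAMPLE_LOG = """\
[UFW BLOCK] IN=eth0 OUT= SRC=209.51.161.14 DST=203.0.113.10 LEN=100 TTL=23 ID=31372 PROTO=41
[UFW BLOCK] IN=eth0 OUT= SRC=192.88.99.1 DST=203.0.113.10 LEN=86 TTL=244 ID=47185 PROTO=41
[UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=51 ID=7 PROTO=TCP SPT=40000 DPT=23
[UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.10 LEN=90 TTL=60 ID=8 PROTO=41
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def blocked_proto41_sources(log_text):
    """Count blocked protocol-41 (IPv6-in-IPv4) packets per IPv4 source."""
    counts = Counter()
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") == "41" and fields.get("SRC"):
            counts[fields["SRC"]] += 1
    return counts


def propose_rules(counts, tunnel_endpoints):
    """Split sources into rules for known endpoints and a review list.

    Only addresses the operator listed as tunnel endpoints get an ACCEPT
    line; any other protocol-41 sender stays blocked and is reported.
    """
    rules, unexpected = [], []
    for src in sorted(counts):
        if src in tunnel_endpoints:
            # iptables-restore syntax for the *filter section of
            # /etc/ufw/before.rules (no leading 'iptables'); chain name
            # assumes the stock ufw layout.
            rules.append(f"-A ufw-before-input -p 41 -s {src} -j ACCEPT")
        else:
            unexpected.append(src)
    return rules, unexpected


if __name__ == "__main__":
    rules, unexpected = propose_rules(
        blocked_proto41_sources(SAMPLE_LOG), {"209.51.161.14", "192.88.99.1"})
    print("\n".join(rules))
    print("still blocked, review:", unexpected)
```

The generated lines go before the COMMIT line of the *filter section; ufw has to be reloaded for them to take effect.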

Changed in ufw:
status: Fix Committed → Fix Released