How to get snmpget responses over IPv6 with active firewall
by Thomas Zimmermann
Hi,
I'm trying to get snmp v3 request working over IPv6 with active firewall on Rocky Linux 8.
Get requests over IPv4 are working fine over 161/udp with active firewall (on the client side).
But when I do a request to the same host over IPv6, no answer is received. After shutting down the firewall on the client side, requests over IPv6 are also working fine.
For testing purposes I've added a source port rule to my client's firewall:
firewall-cmd --add-source-port=161/udp
After adding this rule, the answers are received.
But I don't want to allow every 161/udp source port and cannot add a rule for every host.
Do you know why UDP responses over IPv4 are received, but not over IPv6?
Kind regards,
Thomas
12 months
How to setup inter-zone traffic?
by Volker Bub
Hello,
I am running a WireGuard server with an interface eth0 which is reachable over the internet. I have added this interface to the zone public and closed all ports except 51820 (WireGuard). This server should serve as a gateway for other servers in the infrastructure. For this purpose the server has a second interface eth1 that I inserted in the zone trusted. With the WireGuard configuration I execute the following commands:
PostUp = firewall-cmd --zone=trusted --add-interface=wg0
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth1 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
PostDown = firewall-cmd --zone=trusted --remove-interface=wg0
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth1 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
Access via WireGuard to the complete infrastructure works as well. However, the servers behind the gateway do not have access to the Internet, which is needed.
My attempts to set up Internet access for the servers behind the gateway all fail. I am afraid that no communication will be allowed between the trusted and public zones, even if I include appropriate direct rules. I want all servers behind the gateway to have access to the Internet exclusively through the gateway server.
How can I implement such a scenario?
Many greetings
Volker
1 year
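An added example, not from the thread above: the inter-zone forwarding the post asks for can be expressed with a firewalld policy object (firewalld 0.9 or newer) instead of direct rules. The policy accepts traffic forwarded from the trusted zone (eth1, wg0) into the public zone (eth0) and masquerades it on the way out; the policy name trusted-to-public and the DRY_RUN switch are assumptions for this example, the zone and interface names come from the post.

```shell
#!/bin/sh
# Added example: forward traffic from the trusted zone (eth1, wg0) to the
# Internet via the public zone (eth0) with a firewalld policy, then SNAT it.
# Assumed names: the policy "trusted-to-public" and the DRY_RUN variable.
WAN_ZONE=public            # zone holding the Internet-facing interface eth0
LAN_ZONE=trusted           # zone holding eth1 and wg0
POLICY=trusted-to-public

# Wrapper around firewall-cmd; with DRY_RUN=1 the commands are only printed,
# so the resulting rule set can be reviewed before it is applied.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Permanent configuration followed by a reload. Only the trusted -> public
# direction is opened; nothing in public may initiate connections into trusted.
setup_forwarding() {
    fw --permanent --new-policy="$POLICY"
    fw --permanent --policy="$POLICY" --add-ingress-zone="$LAN_ZONE"
    fw --permanent --policy="$POLICY" --add-egress-zone="$WAN_ZONE"
    fw --permanent --policy="$POLICY" --set-target=ACCEPT
    # Masquerade (IPv4 SNAT) on the WAN zone; firewalld also enables
    # net.ipv4.ip_forward when masquerading is turned on.
    fw --permanent --zone="$WAN_ZONE" --add-masquerade
    fw --reload
}

# Apply only when explicitly asked; "DRY_RUN=1 ./script.sh apply" prints instead.
if [ "${1:-}" = "apply" ]; then
    setup_forwarding
fi
```

The direct FORWARD/POSTROUTING rules from the post remain for the wg0 to eth1 direction; this policy only adds the missing path out to the Internet.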