Hi,
System is a Fedora 33 VM running firewalld-0.8.4-1.
I have:
[root@f33k ~]# firewall-cmd --get-active-zones
drop
  interfaces: enp1s0
enp1s0 has addresses 192.168.122.26 and 2001:b030:112f:2::53.
If I try to ssh to it from another system I get....
[egreshko@meimei ~]$ ssh 192.168.122.26
^C
Meaning it "hangs" until I ctrl-C it or it will time out at some point if left alone.
But I get this using the IPv6 address
[egreshko@meimei ~]$ ssh 2001:b030:112f:2::53
ssh: connect to host 2001:b030:112f:2::53 port 22: No route to host
So, is this a difference in how the FW handles IPv6 or due to how IPv6 works on the source side?
Thanks, Ed
On Sunday 6 December 2020 12:30:46 CET, Ed Greshko wrote:
> So, is this a difference in how the FW handles IPv6 or due to how IPv6 works on the source side?
You gave us some insight into the firewall configuration. It looks like you drop all incoming traffic on enp1s0. So the ssh connection to IPv4 gets no answer. For your IPv6 connection attempt it is important to know what the configuration is on the system you tried to make this connection from. So what is the output of "ip -6 r" on that system?
On 07/12/2020 00:50, Freek de Kruijf wrote:
> So what is the output of "ip -6 r" on that system?
[egreshko@meimei ~]$ ip -6 r
::1 dev lo proto kernel metric 256 pref medium
2001:b030:112f::/64 dev enp2s0 proto kernel metric 100 pref medium
2001:b030:112f:2::/64 dev virbr0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 100 pref medium
fe80::/64 dev virbr0 proto kernel metric 256 pref medium
fe80::/64 dev vnet0 proto kernel metric 256 pref medium
fe80::/64 dev vnet1 proto kernel metric 256 pref medium
fe80::/64 dev wlp4s0 proto kernel metric 600 pref medium
default via 2001:b030:112f::1 dev enp2s0 proto static metric 100 pref medium
On Sunday 6 December 2020 18:42:13 CET, Ed Greshko wrote:
> [egreshko@meimei ~]$ ip -6 r
> ::1 dev lo proto kernel metric 256 pref medium
> 2001:b030:112f::/64 dev enp2s0 proto kernel metric 100 pref medium
> 2001:b030:112f:2::/64 dev virbr0 proto kernel metric 256 pref medium
So the question is: Is your system with 2001:b030:112f:2::53 reachable via virbr0? You may try "ping 2001:b030:112f:2::53" on the system you want to connect from in case the firewall allows the system with 2001:b030:112f:2::53 to answer on ping requests.
On 07/12/2020 19:19, Freek de Kruijf wrote:
> So the question is: Is your system with 2001:b030:112f:2::53 reachable via virbr0? You may try "ping 2001:b030:112f:2::53" on the system you want to connect from in case the firewall allows the system with 2001:b030:112f:2::53 to answer on ping requests.
If the interface on 2001:b030:112f:2::53 is in the public zone, sure.
[egreshko@meimei ~]$ ping -c 3 -n f33k
PING f33k(2001:b030:112f:2::53) 56 data bytes
64 bytes from 2001:b030:112f:2::53: icmp_seq=1 ttl=64 time=0.393 ms
64 bytes from 2001:b030:112f:2::53: icmp_seq=2 ttl=64 time=0.362 ms
64 bytes from 2001:b030:112f:2::53: icmp_seq=3 ttl=64 time=0.358 ms
--- f33k ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2075ms
rtt min/avg/max/mdev = 0.358/0.371/0.393/0.015 ms
Put it in the drop zone and no. But I think that is normal.
[egreshko@meimei ~]$ ping -c 3 -n f33k
PING f33k(2001:b030:112f:2::53) 56 data bytes
--- f33k ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2076ms
firewalld-users@lists.fedorahosted.org
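Added example, not part of the original thread: the question of whether 2001:b030:112f:2::53 is reached via virbr0 can be answered from the posted "ip -6 r" output with a longest-prefix match. The function names are illustrative assumptions; on a live system "ip -6 route get <address>" gives the kernel's own answer.

```python
import ipaddress

# Route table copied from the "ip -6 r" output posted in the thread.
ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
2001:b030:112f::/64 dev enp2s0 proto kernel metric 100 pref medium
2001:b030:112f:2::/64 dev virbr0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 100 pref medium
fe80::/64 dev virbr0 proto kernel metric 256 pref medium
fe80::/64 dev vnet0 proto kernel metric 256 pref medium
fe80::/64 dev vnet1 proto kernel metric 256 pref medium
fe80::/64 dev wlp4s0 proto kernel metric 600 pref medium
default via 2001:b030:112f::1 dev enp2s0 proto static metric 100 pref medium
"""

def parse_routes(text):
    """Parse `ip -6 route` lines into dicts with prefix, dev, via, metric."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "::/0" if tok[0] == "default" else tok[0]
        # Remaining tokens are keyword/value pairs (dev X, via Y, metric N, ...).
        opts = dict(zip(tok[1::2], tok[2::2]))
        routes.append({
            "prefix": ipaddress.ip_network(dest),
            "dev": opts.get("dev"),
            "via": opts.get("via"),
            "metric": int(opts.get("metric", 0)),
        })
    return routes

def lookup(routes, address):
    """Longest-prefix match; lowest metric wins between equal-length prefixes."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))

def describe(route):
    """On-link routes (no 'via') resolve the target itself by neighbor discovery."""
    if route["via"] is None:
        return f"on-link via {route['dev']}"
    return f"via gateway {route['via']} on {route['dev']}"
```

For the address in the thread the match is the on-link /64 on virbr0, so the connecting host resolves the VM directly with neighbor discovery rather than sending the traffic to its default gateway.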