ufw IPv4 MASQ and IPv6 settings conflict
Chuck Peters
cp at axs.org
Mon Jun 10 03:11:56 UTC 2013
On Sun, Jun 9, 2013 at 3:06 PM, Chuck Peters <cp at axs.org> wrote:
> I am testing an Ubuntu 13.04 server to act as our gateway for IPv4 and IPv6
> and the documentation conflicts about the ufw DEFAULT_FORWARD_POLICY
> setting. The page on setting up IPv6,
> https://wiki.ubuntu.com/IPv6#ufw_and_Routing, says to set it as DROP
> and the page about setting up MASQ,
> https://help.ubuntu.com/13.04/serverguide/firewall.html#ip-masquerading,
> says to set it to ACCEPT. ufw DEFAULT_FORWARD_POLICY is set in
> /etc/default/ufw. How can I set IPv4 to ACCEPT and IPv6 to DROP?

The ufw-framework man page says:

    All examples assume IPv4 only and that DEFAULT_FORWARD_POLICY
    in /etc/default/ufw is set to DROP...

However, when the default policy is DROP, the machines on the LAN
can't get anywhere and we have [UFW BLOCK] messages in the logs.

I filed a bug report at
https://bugs.launchpad.net/ubuntu/+source/ufw/+bug/1189312 and made
some additions to https://wiki.ubuntu.com/IPv6#ufw_and_Routing.

My solution to the problem is to set the DEFAULT_FORWARD_POLICY to the
default DROP and to add the following to the end of /etc/ufw/after.rules:

    # Added to forward MASQ traffic and resolve the DEFAULT_FORWARD_POLICY as
    # DROP that would have otherwise opened up all IPv6 addresses on the LAN.
    -A ufw-skip-to-policy-forward -j ACCEPT

Chuck
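
An added example, not part of the original post or of ufw itself: a shell check that the setup described above holds, meaning DEFAULT_FORWARD_POLICY is DROP, the IPv4 ACCEPT rule is active inside the *filter table of after.rules (before its COMMIT line, since iptables-restore only loads rules from there), and no matching rule opens IPv6 forwarding. The function names, the constructed sample files, and the check of after6.rules for the ufw6-skip-to-policy-forward chain are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example: audit the split forwarding policy described in the post.

# Succeeds if DEFAULT_FORWARD_POLICY in the given defaults file is DROP.
forward_policy_is_drop() {
    v=$(sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY=//p' "$1" | tail -n 1 | tr -d "\"' \t")
    [ "$v" = "DROP" ]
}

# Succeeds if an uncommented "-A <chain> -j ACCEPT" lies between "*filter"
# and its COMMIT, the only place iptables-restore will load it from.
has_forward_accept() {    # $1 = rules file, $2 = chain name
    awk -v chain="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "*filter"  { in_filter = 1; next }
        $1 == "COMMIT"   { in_filter = 0; next }
        in_filter && $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "ACCEPT" { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# $1 = defaults file, $2 = IPv4 after.rules, $3 = IPv6 after6.rules (assumed path)
audit_ufw_forwarding() {
    rc=0
    forward_policy_is_drop "$1" || { echo "FAIL: DEFAULT_FORWARD_POLICY is not DROP"; rc=1; }
    has_forward_accept "$2" ufw-skip-to-policy-forward ||
        { echo "FAIL: IPv4 ACCEPT rule missing or outside *filter/COMMIT"; rc=1; }
    if has_forward_accept "$3" ufw6-skip-to-policy-forward; then
        echo "FAIL: IPv6 forwarding is ACCEPT as well"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not copied from a real host) so this runs offline.
write_sample() {    # $1 = directory to fill
    printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$1/ufw"
    printf '*filter\n-A ufw-skip-to-policy-forward -j ACCEPT\nCOMMIT\n' > "$1/after.rules"
    printf '*filter\n# -A ufw6-skip-to-policy-forward -j ACCEPT\nCOMMIT\n' > "$1/after6.rules"
}

d=$(mktemp -d) && write_sample "$d"
audit_ufw_forwarding "$d/ufw" "$d/after.rules" "$d/after6.rules" && echo "OK: IPv4 forwarded, IPv6 dropped"
rm -rf "$d"
```

On a real host the three arguments would be /etc/default/ufw, /etc/ufw/after.rules and /etc/ufw/after6.rules.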