CentOS 7 IPv6 firewall

#1 Tue, 02/24/2015 - 17:04
uwe@comproso.com


Hi,

after installing virtualmin on a fresh CentOS 7 VPS (Rackspace) the firewall for IPv4 works perfectly. But, all IPv6 ports are wide open. Is there a way to install / set up a firewall for IPv6?

I have disabled IPv6 for now but still would like to know.

Uwe

Sat, 02/28/2015 - 13:02
Shane Spinuzzi

How did you disable your IPv6 firewall?

CentOS 7 uses firewalld, not iptables, so you may have no firewall running.

What is the output of the following commands:

systemctl status firewalld

systemctl status iptables

systemctl status ip6tables

firewall-cmd --list-all

iptables -L

ip6tables -L

FYI the last three commands will only return input if the service is running.

By default firewalld should be running.

Here are a few links to help you out

RHEL / CentOS Firewall Configuration: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7...

Firewalld Documentation: https://fedoraproject.org/wiki/FirewallD

Firewalld help: http://blog.christophersmart.com/2014/01/15/add-permanent-rules-to-firew...

Fri, 02/27/2015 - 19:42
Peter Clark

I don't think virtualmin supports firewalld. There are instructions to remove it and go back to iptables on the net (pretty easy) but I haven't looked at Centos 7/iptables/ip6tables yet. Actually I don't remember if it did it in Centos 6.5/6... I haven't played with my iptables in a long time. 99% of ip6tables is the same as iptables, copying iptables to ip6tables and making the appropriate adjustments (icmp6 instead of icmp etc) should do it if the tool doesn't automagically handle it.

Fri, 02/27/2015 - 20:02
Shane Spinuzzi

No, Virtualmin does not yet support Firewalld; however, Firewalld is not hard to use from a command line if you have ssh access.

You could use iptables and cut out firewalld if you would like but why?

Disabling Firewalld and going back to iptables is really easy.

Look here:

http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Di...

Below is some more reading material for you. The last one should help you configure iptables. You could just use the Virtualmin UI for this but that is no fun, plus what happens if your UI goes out? The command line will be your only friend so it is well worth learning the commands.

If you need any more help please let me know.

Firewalld & Iptables:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7...

If you have to only use iptables:

http://wiki.centos.org/HowTos/Network/IPTables

Sat, 02/28/2015 - 04:17
Peter Clark

The OP indicates that they are trying to manage the firewall through the tool. The only way to manage the firewall through the tool is to use iptables.

Logging in and looking at my CP it doesn't seem that ip6tables is in scope yet either?

Sat, 02/28/2015 - 13:00 (Reply to #5)
Shane Spinuzzi

As your replies give any type of information on how to solve uwe@comproso.com issue.

Which is why I gave them instructions on how to disable firewalld and use iptables which he can manage through the Virtualmin UI or the "tool" as you so called it.

The only restriction on using the Virtualmin UI and iptables / ipv6tables was set by you not uwe@comproso.com or the "OP" as you say.

There is also nothing I can do about the lack of support the Virtualmin UI has for firewalld and ip6tables. I can however give information on how to configure these as the user uwe@comproso.com requested.

You could file a feature request for the lack of support given to firewalld or ipv6tables by the Virtualmin UI. There are currently no feature requests for firewalld (just the mention of it being added in later releases of Webmin), not sure about ip6tables. You can file a feature request here: https://www.virtualmin.com/project/issues

With any operating system it's a good practice for system administrators to know how to use the command line, and to encourage it is actually a good idea seeing as to how you're S*&^ out of luck when you don't have that GUI to mess with.

Now as a system administrator you would know that there is a lack of information here. CentOS 7 uses Firewalld not the iptables-service and that firewalld covers ipv4 and ipv6. As stated uwe@comproso.com turned off the ipv6 firewall but how and what did they disable? There was no information on how or what they did. I even asked for information about what was done and gave commands to help troubleshoot their actions / issue. Furthermore I was very descriptive on the use of firewalld and even posted information about the use of iptables since you commented on the use of old technology.

You were in no way helpful to this thread, in either post you created. When you end a comment in a support forum with "should do it if the tool doesn't automagically handle it." that is not the proper way to help someone. One, it is suggestive at best and gives no insight into the actual problem and/or solution. Two, nothing automagically happens. Three, telling people that there are instructions on the internet to do this and it is very easy is kind of lame. At the very least you can take two minutes to find and post the information you are trying to convey to the person asking for help. Four, using words like tool and not the actual name is in no way helpful. "Use the tool" is suggestive as you could be talking about anything; even though I know you were talking about the Virtualmin UI, others may not. Being at least somewhat detailed and giving proper instructions on how to do things vs "the information is on the internet and it is easy to do" is a much better approach to troubleshooting and solving issues for others.

Below you can view the issues I found in the Issue Tracker regarding firewalld

Firewalld - Webmin, Virtualmin, Cloudmin Issue Tracker

https://www.virtualmin.com/node/21260

https://www.virtualmin.com/node/36035

https://www.virtualmin.com/node/34438

Sat, 02/28/2015 - 16:41
Peter Clark

OK, I don't appreciate the personal attack.

The user (AKA OP, or original poster in common forum usage) specifically asked about ip6tables. I restricted nothing but sent them down a path that would lead them to iptables on Centos 7. They didn't ask about firewalld. They didn't ask about using the CLI to mess around with firewalld. I suggested a method for them to use iptables under Centos 7 which takes 4 lines to execute:

yum erase firewalld, yum install iptables, chkconfig iptables on, service iptables start

and from there you can use the tool, webmin/virtualmin - the thing this is a support forum for - to manipulate it.

Still leaving their original query about ip6tables unanswered and your insertion of "use the CLI to do firewalld" an unanswer to their question. The merits of having or not having and understanding the interaction between the web interface and the back end tools - black box - or automagic - wasn't brought into the discussion by anyone but you. I attempted in good faith to give them what they asked.

Sun, 03/01/2015 - 01:18 (Reply to #7)
Shane Spinuzzi

Not a personal attack just very detailed and direct.

Now nowhere did Uwe specifically mention iptables or ipv6tables. If he did please point it out because he said, and I quote

"Hi,

after installing virtualmin on a fresh CentOS 7 VPS (Rackspace) the firewall for IPv4 works perfectly. But, all IPv6 ports are wide open. Is there a way to install / set up a firewall for IPv6?

I have disabled IPv6 for now but still would like to know.

Uwe".

I don't see the words iptables or ipv6tables once in that entire question. What I do see is the mention of CentOS 7. Maybe you don't know but RHEL 7 and CentOS 7 no longer use the iptables-service because firewalld provides a dynamic firewall with much more capabilities than iptables or ip6tables. Written on page 37 of the RHEL 7 Release Notes you will see this:

"Dynamic Firewall Daemon, firewalld Suite

Red Hat Enterprise Linux 7 includes the dynamic firewall daemon, firewalld, which provides a dynamically managed firewall with support for network "zones" to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly".

Still no mention of iptables or ipv6tables.

Now if you were to read the FirewallD documentation it says:

"firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.".

So FirewallD supports ipv6 so why iptables or ipv6tables when Uwe never mentioned those single words? Clearly FirewallD supports both protocols.

Just curious, why would one point someone (especially when they did not ask about the service) to use iptables when RHEL 7 and CentOS 7 no longer use iptables or ip6tables? With that being said why would I point someone to use old technology when it was not specifically asked for? Seriously it's no longer being used in the current release and will be used in future releases, both as the default firewall which supports both ipv4 and ipv6.

Don't forget about the part where I asked for the output of six commands which would determine what exactly Uwe was using and what was disabled. Sorry for assuming Uwe was using the default and now standard FirewallD over the no longer used iptables or ip6tables.

Now as far as the command line and the FirewallD documentation, one would think that with the use of the default and now standard FirewallD, information on how to use FirewallD was very appropriate, especially given the fact Uwe not once mentioned a restriction on the use of the Virtualmin UI. Sure there was no mention of the use of a command line but as you pointed out the Virtualmin UI does not provide support for FirewallD nor does it provide support for ip6tables, which I might add that a firewall for ipv6 was their specific request. Was it not?

Again my bad on providing information on the now default Firewalld which does in fact support ipv6.

When you said you suggested a method for them to use iptables where was that? Because you said, and I quote:

"I don't think virtualmin supports firewalld. There are instructions to remove it and go back to iptables on the net (pretty easy) but I haven't looked at Centos 7/iptables/ip6tables yet. Actually I don't remember if it did it in Centos 6.5/6... I haven't played with my iptables in a long time. 99% of ip6tables is the same as iptables, copying iptables to ip6tables and making the appropriate adjustments (icmp6 instead of icmp etc) should do it if the tool doesn't automagically handle it.".

I am sure you said "I don't think virtualmin supports firewalld. There are instructions to remove it and go back to iptables on the net (pretty easy) but I haven't looked at Centos 7/iptables/ip6tables yet.". Not "here are the four commands to revert back to iptables", which aren't even the correct four commands.

Taken directly from the FirewallD Documentation it says:

"Using static firewall rules with the iptables and ip6tables services

If you want to use your own static firewall rules with the iptables and ip6tables services, install iptables-services and disable firewalld and enable iptables and ip6tables:

yum install iptables-services

systemctl mask firewalld.service

systemctl enable iptables.service

systemctl enable ip6tables.service

Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static firewall rules.

Note: The package iptables and iptables-services do not provide firewall rules for use with the services. The services are available for compatibility and people that want to use their own firewall rules. You can install and use system-config-firewall to create rules with the services though. To be able to use system-config-firewall, you have to stop firewalld.

After creating rules for use with the services stop firewalld and start the iptables and ip6tables services:

systemctl stop firewalld.service

systemctl start iptables.service

systemctl start ip6tables.service".

I am pretty sure I provided the documentation to configure iptables and ip6tables. Yes Uwe has to set up ip6tables from the command line but as you mentioned the Virtualmin UI does not support ip6tables nor does it support FirewallD, so to provide Uwe with his exact request of the use of a firewall that supports ipv6 was exactly what I did, as well as how to do it with both the new and old way of doing things.

Again with the tool thing. Kind of ambiguous don't you think?

I think we covered the ip6tables thing already.

Well unless I am reading the names incorrectly the only other person other than myself and Uwe to comment in this thread was you and you said:

"I haven't played with my iptables in a long time. 99% of ip6tables is the same as iptables, copying iptables to ip6tables and making the appropriate adjustments (icmp6 instead of icmp etc) should do it if the tool doesn't automagically handle it.".

What's that word in the last line of that sentence? No way, it can't be, oh but it is; the word automagically. Other than quoting you I never used or suggested the word "automagically".

I will however start telling people that when I help them out from now on.

Don't worry sir it will fix itself automagically.

It should do it if the tool does not do it automagically.

Oh don't thank me it was done automagically.

I have even found a way to use it as motivation:

I can automagically do anything if I set my mind to it.

Thanks for that, I feel much better now.

Seriously though.

Redhat 7 Release Notes: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7...

FirewallD Documentation: https://fedoraproject.org/wiki/FirewallD
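The "copy iptables to ip6tables and adjust" approach from Peter's earlier post, applied to the /etc/sysconfig/ip6tables file that the quoted FirewallD documentation refers to, as a constructed example that is not code from Virtualmin, Webmin or either poster; the sample ruleset, the function names and the fixed set of substitutions are assumptions, and it only translates a filter-table ruleset with named ICMP types.

```shell
#!/bin/sh
# Constructed example (not Virtualmin/Webmin code): turn an iptables-save
# ruleset such as /etc/sysconfig/iptables into an ip6tables ruleset for
# /etc/sysconfig/ip6tables, applying the adjustments ip6tables needs.
# Reads the IPv4 ruleset on stdin and writes the IPv6 ruleset on stdout.
ip4_to_ip6_rules() {
    # Lines ip6tables cannot load are removed rather than translated:
    # IPv4 address literals, and numeric ICMP types (ICMPv6 type numbers
    # differ, e.g. echo-request is type 8 in ICMP but 128 in ICMPv6).
    # One unloadable line makes the whole file fail at service start.
    grep -Ev \
        -e '(-s|-d|--source|--destination) +[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
        -e '--icmp-type +[0-9]' |
    sed -E \
        -e 's/-p icmp( |$)/-p ipv6-icmp\1/g' \
        -e 's/-m icmp( |$)/-m icmp6\1/g' \
        -e 's/--icmp-type/--icmpv6-type/g' \
        -e 's/--reject-with icmp-(host|net|admin)-prohibited/--reject-with icmp6-adm-prohibited/g' \
        -e 's/--reject-with icmp-port-unreachable/--reject-with icmp6-port-unreachable/g' \
        -e 's/--reject-with icmp-(host|net)-unreachable/--reject-with icmp6-addr-unreachable/g'
}

# Returns 0 if the INPUT chain on stdin accepts ICMPv6 somewhere. Without
# such a rule, neighbour discovery and path-MTU discovery are blocked and
# IPv6 connectivity quietly breaks, so check the result before loading it.
check_icmpv6_allowed() {
    grep -Eq -- '^-A INPUT .*-p ipv6-icmp .*-j ACCEPT'
}

# Constructed sample in the CentOS /etc/sysconfig/iptables layout.
SAMPLE_V4='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Stand-alone run: print the translated ruleset for inspection.
printf '%s\n' "$SAMPLE_V4" | ip4_to_ip6_rules
```

Redirect the output into /etc/sysconfig/ip6tables only after reviewing it, since the dropped IPv4-only lines (here the source-restricted port 10000 rule) need an IPv6 equivalent written by hand.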

Sun, 03/01/2015 - 04:30
Peter Clark

Not personal eh? Quite worked up for nothing personal.

"Thanks for that, I feel much better now."

Fine, I'll never try to help anyone around here ever again. Good job.

Mon, 03/02/2015 - 07:45
fakemoth

Stop the stupid flames people and focus on the problems at hand, don't get angry with each other; those are just pixels man :) !

Don't take the name of root in vain...
