Not a personal attack, just very detailed and direct.
Now nowhere did Uwe specifically mention iptables or ipv6tables. If he did, please point it out, because he said, and I quote:
"Hi,
after installing virtualmin on a fresh CentOS 7 VPS (Rackspace) the firewall for IPv4 works perfectly. But, all IPv6 ports are wide open. Is there a way to install / set up a firewall for IPv6?
I have disabled IPv6 for now but still would like to know.
Uwe".
I don’t see the words iptables or ipv6tables once in that entire question. What I do see is the mention of CentOS 7. Maybe you don’t know, but RHEL 7 and CentOS 7 no longer use the iptables-service because firewalld provides a dynamic firewall with much more capabilities than iptables or ip6tables. Written on page 37 of the RHEL 7 Release Notes you will see this:
"Dynamic Firewall Daemon, firewalld Suite
Red Hat Enterprise Linux 7 includes the dynamic firewall daemon, firewalld, which provides a
dynamically managed firewall with support for network “zones” to assign a level of trust to a network
and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It
supports Ethernet bridges and has a separation of runtime and permanent configuration options. It
also has an interface for services or applications to add firewall rules directly".
Still no mention of iptables or ipv6tables.
Now if you were to read the FirewallD documentation it says:
“firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.”.
So FirewallD supports ipv6 so why iptables or ipv6tables when Uwe never mentioned those single words? Clearly FirewallD supports both protocols.
Just curious, why would one point someone (especially when they did not ask about the service) to use iptables when RHEL 7 and CentOS 7 no longer use iptables or ip6tables? With that being said, why would I point someone to use old technology when it was not specifically asked for? Seriously, it’s no longer being used in the current release and will be used in future releases, both as the default firewall which supports both ipv4 and ipv6.
Don’t forget about the part where I asked for the output of six commands which would determine what exactly Uwe was using and what was disabled. Sorry for assuming Uwe was using the default and now standard FirewallD over the no longer used iptables or ip6tables.
Now as far as the command line and the FirewallD documentation, one would think that with the use of the default and now standard FirewallD, information on how to use FirewallD was very appropriate, especially given the fact Uwe not once mentioned a restriction on the use of the Virtualmin UI. Sure, there was no mention of the use of a command line, but as you pointed out, the Virtualmin UI does not provide support for FirewallD nor does it provide support for ip6tables, which I might add that a firewall for ipv6 was their specific request. Was it not?
Again my bad on providing information on the now default Firewalld which does in fact support ipv6.
When you said you suggested a method for them to use iptables where was that? Because you said, and I quote:
“I don’t think virtualmin supports firewalld. There are instructions to remove it and go back to iptables on the net (pretty easy) but I haven’t looked at Centos 7/iptables/ip6tables yet. Actually I don’t remember if it did it in Centos 6.5/6… I haven’t played with my iptables in a long time. 99% of ip6tbles is the same as iptables, copying iptables to ip6tables and making the appropriate adjustments (icmp6 instead of icmp etc) should do it if the tool doesn’t automagically handle it.”.
I am sure you said:
“I don’t think virtualmin supports firewalld. There are instructions to remove it and go back to iptables on the net (pretty easy) but I haven’t looked at Centos 7/iptables/ip6tables yet.”. Not here are the four commands to revert back to iptables, which aren’t even the correct four commands.
Taken directly from the FirewallD Documentation it says:
"Using static firewall rules with the iptables and ip6tables services
If you want to use your own static firewall rules with the iptables and ip6tables services, install iptables-services and disable firewalld and enable iptables and ip6tables:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static firewall rules.
Note: The package iptables and iptables-services do not provide firewall rules for use with the services. The services are available for compatibility and people that want to use their own firewall rules. You can install and use system-config-firewall to create rules with the services though. To be able to use system-config-firewall, you have to stop firewalld.
After creating rules for use with the services stop firewalld and start the iptables and ip6tables services:
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service".
I am pretty sure I provided the documentation to configure iptables and ip6tables. Yes Uwe has to setup ip6tables from the command line but as you mentioned the Virtualmin UI does not support ip6tables nor does it support FirewallD so to provide Uwe with his exact request of the use of a firewall that supports ipv6 was exactly what I did as well as how to do it with both the new and old way of doing things.
Again with the tool thing. Kind of ambiguous don’t you think?
I think we covered the ip6tables thing already.
Well, unless I am reading the names incorrectly, the only other person other than myself and Uwe to comment in this thread was you, and you said:
" I haven’t played with my iptables in a long time. 99% of ip6tbles is the same as iptables, copying iptables to ip6tables and making the appropriate adjustments (icmp6 instead of icmp etc) should do it if the tool doesn’t automagically handle it.".
What’s that word in the last line of that sentence? No way, it can’t be, oh but it is; the word automagically. Other than quoting you I never used or suggested the word “automagically”.
I will however start telling people that when I help them out from now on.
Don’t worry sir it will fix itself automagically.
It should do it if the tool does not do it automagically.
Oh don’t thank me it was done automagically.
I have even found a way to use it as motivation:
I can automagically do anything if I set my mind to it.
Thanks for that, I feel much better now.
Seriously though.
Red Hat 7 Release Notes: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/7.0_Release_Notes/Red_Hat_Enterprise_Linux-7-7.0_Release_Notes-en-US.pdf
FirewallD Documentation: https://fedoraproject.org/wiki/FirewallD
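
Added example, not part of the post above or of the firewalld documentation it quotes: a shell sketch of the "copy iptables to ip6tables and adjust" approach quoted in the thread, producing a draft for the /etc/sysconfig/ip6tables file named in the quoted documentation. The function names `to_ip6tables` and `sample_rules` and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post or the firewalld docs).
# Reads an IPv4 ruleset in iptables-save format on stdin and writes a
# draft IPv6 ruleset on stdout.
to_ip6tables() {
    awk '
    # A rule pinned to a dotted-quad address has no mechanical IPv6
    # equivalent, and ICMP type names and numbers differ between v4 and v6:
    # keep both kinds of rule, commented out, for manual review.
    /^-A/ && (/ (-s|-d) [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ || /--icmp-type/) {
        print "# REVIEW: " $0
        next
    }
    /^-A/ {
        # IPv6 needs ICMPv6 allowed (neighbour discovery depends on it).
        gsub(/-p icmp /, "-p ipv6-icmp ")
        # REJECT reasons have different names under ip6tables.
        gsub(/--reject-with icmp-(host|net|admin)-prohibited/, "--reject-with icmp6-adm-prohibited")
        gsub(/--reject-with icmp-port-unreachable/, "--reject-with icmp6-port-unreachable")
    }
    { print }
    '
}

# Constructed sample input, modelled on a minimal IPv4 ruleset.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_rules | to_ip6tables
```

The output is a draft: resolve every `# REVIEW:` line by hand and check the result with `ip6tables-restore --test` before saving it as /etc/sysconfig/ip6tables.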