Hi, my first post here. Huge learning curve, but I am enjoying the challenge so far.
I’ve modeled my firewall rules after Zerobytes' closer to the top of the thread. My question is about the order: why are the forward rules listed first in the v6 firewall? I’ve seen this in other people's examples as well. The v4 rules have the input rules first. I initially set up my v6 rules in the same order as my v4 but have since moved them around. It doesn’t affect my setup AFAIK.
Sob
May 2, 2017, 1:03pm
22
Order of rules matters, but only within the same chain.

These will function differently (well, depending on the exact rules):

input rule A
input rule B
input rule C

input rule B
input rule C
input rule A

But there’s no functional difference between these, because the order of rules within each chain did not change:

input rule A
input rule B
forward rule A
forward rule B
otherchain rule A
otherchain rule B

otherchain rule A
otherchain rule B
forward rule A
forward rule B
input rule A
input rule B

otherchain rule A
forward rule A
input rule A
input rule B
forward rule B
otherchain rule B
Awesome, thanks for the reply. I’ve grouped my chains together, i.e. input and forward, for my own organization. Your example shows you can intersperse them and organize them however you’d like. Now I can move them back to parallel my v4 filter rule list!
I’ve adapted my default IPv6 firewall rules a bit. They are more permissive than most, but that’s largely because I acknowledge I can be echo-requested from outside and I’m fine with it. It’s easy to disable just that particular item, or to allow echo requests only to the firewall itself by moving the echo-request rule up into the icmpv6_input chain.
ipv6 firewall filter add action=accept chain=input comment="(baseline)allow any established or related" connection-state=established,related
ipv6 firewall filter add action=accept chain=forward comment="(baseline)allow any established or related" connection-state=established,related
ipv6 firewall filter add action=jump jump-target=icmpv6_input chain=input comment="(baseline)Jump to ICMPv6 filter for eth1 input" protocol=icmpv6 in-interface=eth1
ipv6 firewall filter add action=jump jump-target=icmpv6_input-forward chain=forward comment="(baseline)Jump to ICMPv6 filter for eth1 forward" protocol=icmpv6 in-interface=eth1
ipv6 firewall filter add action=accept chain=icmpv6_input comment="icmpv6 router-solicitation" icmp-options=133 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input comment="icmpv6 router-advertisement" icmp-options=134 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input comment="icmpv6 neighbor-solicitation" icmp-options=135 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input comment="icmpv6 neighbor-advertisement" icmp-options=136 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=jump jump-target=icmpv6_input-forward chain=icmpv6_input comment="send any left-overs to icmpv6_input-forward"
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 destination-unreachable" icmp-options=1 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 packet-too-big" icmp-options=2 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 time-exceeded" icmp-options=3 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 bad-header" icmp-options=4:0 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 unknown-header-type" icmp-options=4:1 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 echo-request" icmp-options=128 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=accept chain=icmpv6_input-forward comment="icmpv6 echo-reply" icmp-options=129 limit=1k,100:packet protocol=icmpv6
ipv6 firewall filter add action=drop chain=icmpv6_input-forward comment="end of chain drop all"
ipv6 firewall filter add action=accept chain=input comment="(baseline)dhcpv6" dst-address=fe80::/10 dst-port=546 protocol=udp src-address=fe80::/10 src-port=547
ipv6 firewall filter add action=drop chain=input comment="(baseline)end of chain drop all" in-interface=eth1
ipv6 firewall filter add action=drop chain=forward comment="(baseline)end of chain drop all" in-interface=eth1
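An added example, not from the thread or from RouterOS: a small Python evaluator over a constructed subset of the rule set above. It demonstrates Sob's point (the order of rules within one chain decides the verdict, while how the chains are interleaved does not), traces the path an echo request on eth1 takes through the jump into icmpv6_input and on into icmpv6_input-forward, and shows what happens when the left-over jump rule sits in a chain named icmpv6-input (hyphen) that no rule jumps to. It assumes RouterOS filter semantics as described in the thread: accept/drop end evaluation, a jump returns to the calling chain when the target chain gives no verdict, and falling off the end of a built-in chain means accept; the limit matcher is not modelled.

```python
import re, shlex

# Constructed subset of the IPv6 filter rules posted above, in RouterOS "add ..."
# syntax (prefix "ipv6 firewall filter" omitted); 'limit' is ignored by this toy evaluator.
RULES_TEXT = """\
add action=accept chain=input connection-state=established,related
add action=jump jump-target=icmpv6_input chain=input protocol=icmpv6 in-interface=eth1
add action=accept chain=icmpv6_input icmp-options=135 protocol=icmpv6
add action=jump jump-target=icmpv6_input-forward chain=icmpv6_input
add action=accept chain=icmpv6_input-forward icmp-options=128 protocol=icmpv6
add action=drop chain=icmpv6_input-forward
add action=drop chain=input in-interface=eth1
"""
# Same rules, but the left-over jump sits in chain "icmpv6-input" (hyphen), which nothing jumps to.
TYPO_RULES_TEXT = RULES_TEXT.replace("chain=icmpv6_input\n", "chain=icmpv6-input\n")
NON_MATCHERS = {"action", "chain", "jump-target", "comment", "limit"}
# Constructed packet: ICMPv6 echo request arriving on eth1, addressed to the router itself.
ECHO_REQUEST = {"protocol": "icmpv6", "in-interface": "eth1",
                "icmp-options": "128", "connection-state": "new"}

def parse(text):
    """One dict per rule from its key=value tokens (the leading 'add' is dropped)."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    # Every matcher's comma-separated value set must contain the packet's value (no matchers: match all).
    return all(pkt.get(k) in v.split(",") for k, v in rule.items() if k not in NON_MATCHERS)

def run_chain(rules, chain, pkt):
    """Walk one chain top to bottom; None means the packet fell off the end."""
    for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
        if rule["action"] in ("accept", "drop"):
            return rule["action"]
        sub = run_chain(rules, rule["jump-target"], pkt)  # action=jump
        if sub is not None:  # sub-chain gave no verdict: carry on in this chain
            return sub
    return None

def verdict(rules_text, pkt=ECHO_REQUEST, chain="input"):
    # Falling off the end of a built-in chain means accept.
    return run_chain(parse(rules_text), chain, pkt) or "accept"

def regroup_by_chain(rules_text):
    """Interleave the chains differently but keep each chain's own order (stable sort)."""
    lines = rules_text.strip().splitlines()
    return "\n".join(sorted(lines, key=lambda l: re.search(r"chain=(\S+)", l).group(1)))

def drop_before_jump(rules_text):
    """Move the input chain's final drop above its ICMPv6 jump: same chain, new order."""
    lines = rules_text.strip().splitlines()
    return "\n".join([lines[0], lines[-1]] + lines[1:-1])
```

Regrouping the chains leaves every verdict unchanged, whereas moving the input chain's drop above its jump drops the same echo request; with the hyphenated chain name the request falls back into the input chain and hits that drop as well.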