ymy
1
And while allowing all IPv6 (::/0), apparently I allow all traffic:
[user@dom0 ~]$ qvm-firewall calendar add --before=1 accept proto=tcp dst6=::/0
[user@dom0 ~]$ qvm-firewall calendar list
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 accept 10.0.0.0/8 - - - - - -
1 accept - tcp - - - - -
2 accept - - - dns - - -
3 accept - icmp - - - - -
4 drop - - - - - - -
I used 2000::/4 instead.
Is this a bug or am I just bad at using firewall rules? (maybe both)
It seems to be a bug with a ::/0 destination:
$ qvm-firewall tst
NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE EXPIRE COMMENT
0 drop - udp - - - - -
1 drop 2000::/3 tcp - - - - -
2 drop ::/1 tcp - - - - -
3 drop - tcp - - - - -
4 accept - - - - - - -
table ip qubes-firewall {
chain qbs-... {
ip protocol udp reject with icmp admin-prohibited
ip protocol tcp reject with icmp admin-prohibited
accept
reject with icmp admin-prohibited
}
}
table ip6 qubes-firewall {
chain qbs-... {
ip6 nexthdr udp reject with icmpv6 admin-prohibited
ip6 nexthdr tcp ip6 daddr 2000::/3 reject with icmpv6 admin-prohibited
ip6 nexthdr tcp ip6 daddr ::/1 reject with icmpv6 admin-prohibited
ip6 nexthdr tcp reject with icmpv6 admin-prohibited
accept
reject with icmpv6 admin-prohibited
}
}
Can you report it on GitHub?
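The rendering above shows the mechanism: a ::/0 host is normalised to "no host restriction", and with the host the address family disappears too, so the rule is emitted into the ip table as well as the ip6 table. The following is an added, constructed model of that behaviour (not Qubes' own code): it renders the rule set from the first post with and without the collapsing step, evaluates an IPv4 and an IPv6 TCP packet against both, and flags any rule whose host is a /0 prefix. The addresses 198.51.100.7 and 2001:db8::1 are constructed test values.

```python
# Constructed model (not Qubes code) of how a dst6=::/0 rule leaks into the IPv4 table.
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "accept" or "drop"
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    dst: str = "any"       # dst4/dst6 CIDR as given to qvm-firewall, or "any"

def render(rule, collapse_any_prefix):
    """Expand one rule into (family, proto, network-or-None) nft-style matches.
    collapse_any_prefix=True reproduces the thread's behaviour: a /0 prefix becomes
    'no host restriction', which discards the family, so the rule lands in both tables."""
    if rule.dst == "any":
        return [(4, rule.proto, None), (6, rule.proto, None)]
    net = ipaddress.ip_network(rule.dst, strict=False)
    if collapse_any_prefix and net.prefixlen == 0:
        return [(4, rule.proto, None), (6, rule.proto, None)]   # family lost
    return [(net.version, rule.proto, net)]                      # family kept

def decide(rules, proto, dst, collapse_any_prefix):
    """First-match evaluation of one packet (proto, destination) against the rules."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        for family, p, net in render(rule, collapse_any_prefix):
            if family != addr.version or (p != "any" and p != proto):
                continue
            if net is not None and addr not in net:
                continue
            return rule.action
    return "drop"   # Qubes rule lists end in an explicit drop anyway

def audit(rules):
    """Indices of rules whose host is a /0 prefix: the ones that lose their family."""
    return [i for i, r in enumerate(rules) if r.dst != "any"
            and ipaddress.ip_network(r.dst, strict=False).prefixlen == 0]

# Rule set from the first post (DNS special target omitted); 2000::/4 is the workaround used.
THREAD_RULES = [Rule("accept", dst="10.0.0.0/8"), Rule("accept", proto="tcp", dst="::/0"),
                Rule("accept", proto="icmp"), Rule("drop")]
WORKAROUND_RULES = [Rule("accept", proto="tcp", dst="2000::/4") if r.dst == "::/0" else r
                    for r in THREAD_RULES]

if __name__ == "__main__":   # 198.51.100.7 and 2001:db8::1 are constructed test addresses
    for label, rules in (("::/0", THREAD_RULES), ("2000::/4", WORKAROUND_RULES)):
        print(label, "IPv4 tcp:", decide(rules, "tcp", "198.51.100.7", True),
              "IPv6 tcp:", decide(rules, "tcp", "2001:db8::1", True))
    print("rules to review:", audit(THREAD_RULES))
```

With the collapsing step the ::/0 rule accepts IPv4 TCP that the 2000::/4 workaround drops, which matches what the first post observed; audit() is the quick check to run over a rule set before relying on a dst6 rule.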
ymy
3
Thanks for checking, I opened an issue as suggested:
ymy
4
I stumbled upon the same problem again.