booting with qemu, firewall fails to protect router services (ssh) from wan interface over ipv6
Username: amk
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2446
Started latest malta snapshot with qemu, did not change any configuration.
IPv6 wan interface gets its link-local address.
Firewall allows connections to this address from wan.
Firewall restart helps.
tunctl
brctl addbr testbr
brctl addif testbr tap0
ip link set dev tap0 up
ip link set dev testbr up
qemu-system-mips -kernel openwrt-malta-be-vmlinux.elf -hda openwrt-malta-be-rootfs-ext4.img -append "root=/dev/sda console=ttyS0" -nographic -m 64 -net nic,model=pcnet -net tap,ifname=tap0,script=no,downscript=no
root@OpenWrt:/# ip6tables -nvL INPUT
Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0 /* !fw3 */
4 208 input_rule all * * ::/0 ::/0 /* !fw3: Custom input rule chain */
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 syn_flood tcp * * ::/0 ::/0 tcp flags:0x17/0x02 /* !fw3 */
After firewall restart (counters are different due to different runs)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all lo * ::/0 ::/0 /* !fw3 */
1 80 input_rule all * * ::/0 ::/0 /* !fw3: Custom input rule chain */
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED /* !fw3 */
1 80 syn_flood tcp * * ::/0 ::/0 tcp flags:0x17/0x02 /* !fw3 */
1 80 zone_wan_input all eth0 * ::/0 ::/0 /* !fw3 */
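
Added example, not part of the original report: a shell check that reads an `ip6tables -nvL INPUT` listing and flags the state shown in the first listing, where the chain policy is ACCEPT and no `zone_*_input` jump exists for the given interface. The function names are hypothetical, and the two sample listings are the report's own with the trailing rule comments dropped.

```shell
#!/bin/sh
# Added example (not from the report): audit an `ip6tables -nvL INPUT` listing
# for the per-zone jump that fw3 installs, e.g. zone_wan_input on eth0.

# Listings taken from the report's two runs (trailing rule comments dropped).
BEFORE_RESTART='Chain INPUT (policy ACCEPT 4 packets, 208 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all lo * ::/0 ::/0
 4 208 input_rule all * * ::/0 ::/0
 0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
 0 0 syn_flood tcp * * ::/0 ::/0 tcp flags:0x17/0x02'
AFTER_RESTART='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all lo * ::/0 ::/0
 1 80 input_rule all * * ::/0 ::/0
 0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
 1 80 syn_flood tcp * * ::/0 ::/0 tcp flags:0x17/0x02
 1 80 zone_wan_input all eth0 * ::/0 ::/0'

# Print the INPUT chain policy from the "Chain INPUT (policy X ..." header line.
input_policy() {
    awk '$1 == "Chain" && $2 == "INPUT" { print $4; exit }'
}

# Print every zone_*_input target bound to interface $1 (listing on stdin).
# The listings above leave the "opt" column empty, so "in" is field 5; field 6
# is also checked in case a build prints a value there. Assumption: the chain
# is INPUT, where the "out" column is always "*".
zone_jumps_for() {
    awk -v ifc="$1" \
        '$3 ~ /^zone_.*_input$/ && ($5 == ifc || $6 == ifc) { print $3 }'
}

# Print "exposed" and return 1 when the policy is ACCEPT and interface $1 has
# no zone jump; otherwise print "covered" (the zone chain's rules then decide).
check_input() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | input_policy)
    jumps=$(printf '%s\n' "$listing" | zone_jumps_for "$1")
    if [ -z "$jumps" ] && [ "$policy" = "ACCEPT" ]; then
        echo exposed
        return 1
    fi
    echo covered
}

printf '%s\n' "$BEFORE_RESTART" | check_input eth0 || true
printf '%s\n' "$AFTER_RESTART" | check_input eth0
```

On a running system the same check is `ip6tables -nvL INPUT | check_input eth0`, with `eth0` being the wan device shown in the second listing.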