IPv6 is not a valid IP/CIDR

Jailout2000
Junior Member
Posts: 4
Joined: 24 Feb 2014, 19:05
Location: United States

IPv6 is not a valid IP/CIDR

Post by Jailout2000 »

Hi,

I've been using CSF for a while now, it's been very useful and it's great at doing its job, but my server also has IPv6 addressing that it needs to have a firewall for. I have CSF's IPv6 firewall enabled and configured, that's working, but I'm having trouble adding IPv6 addresses into its config files.

Addresses I've tried allowing/ignoring:
  • ::1/128
  • fe80::/10
  • 2601:e:2680:b78::/64

For example, if I try to whitelist my home internet using the command:

Code:

csf -a 2601:e:2680:b78::/64 "Comcast"

I get back the following message:

Code:

[2601:e:2680:b78::/64] is not a valid IP/CIDR

The same happens if I try any other IPv6 CIDR, even the loopback address "::1/128" gets this problem.

Furthermore, if I manually add these to the csf.ignore or csf.allow files, I get the following error message in lfd's log file:

Code:

Feb 24 12:42:30 jailout2000 lfd[4558]: Invalid entry in csf.ignore: [::1/128]
Feb 24 12:42:30 jailout2000 lfd[4558]: Invalid entry in csf.ignore: [fe80::/10]

I've tried looking on Google with all kinds of search queries for this issue, and no one seems to be having the issue. Everything I search for comes back as how to disable IPv6, rather than working with it.

Is this a bug with CSF/LFD or am I doing something wrong here? This is driving me nuts.

Thanks in advance.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: IPv6 is not a valid IP/CIDR

Post by ForumAdmin »

I am unable to recreate this with csf v6.46:

Code:

# csf -a 2601:e:2680:b78::/64 "Comcast"
Adding 2601:e:2680:b78::/64 to csf.allow and iptables ACCEPT...
debug[2298]: Command:/sbin/ip6tables -v -I ALLOWIN ! -i lo -s 2601:e:2680:b78::/64 -j ACCEPT
ACCEPT  all opt    in !lo out *  2601:e:2680:b78::/64  -> ::/0  
debug[2299]: Command:/sbin/ip6tables -v -I ALLOWOUT ! -o lo -d 2601:e:2680:b78::/64 -j ACCEPT
ACCEPT  all opt    in * out !lo  ::/0  -> 2601:e:2680:b78::/64

I also see no errors including the listed IPv6 IPs in /etc/csf/csf.ignore. Are you using the latest version of csf?

Re: IPv6 is not a valid IP/CIDR

Post by Jailout2000 »

ForumAdmin wrote: I also see no errors including the listed IPv6 IPs in /etc/csf/csf.ignore. Are you using the latest version of csf?

Code:

[carl@jailout2000 ~]$ sudo csf -v
[sudo] password for carl:
csf: v6.46 (generic)
[carl@jailout2000 ~]$

The operating system is Fedora 19 x86_64 running under Xen virtualization from my provider.

I feel listing the Perl version is also necessary:

Code:

[carl@jailout2000 ~]$ perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at (url removed because of forum restriction), the Perl Home Page.

[carl@jailout2000 ~]$

Thanks for looking into this.

Re: IPv6 is not a valid IP/CIDR

Post by ForumAdmin »

Thanks for the additional information. I've been able to recreate the problem on Fedora 20, though it is working fine on RHEL/CentOS v5/6/7, so we will need to investigate further.

Re: IPv6 is not a valid IP/CIDR

Post by Jailout2000 »

Let me know what details you need to further investigate and I'll see about providing them.

I am subscribed to this topic via email, and I check my email often, more than once daily, so I should have quick responses.

Re: IPv6 is not a valid IP/CIDR

Post by ForumAdmin »

I've identified the issue. It's not actually a bug. You are seeing this because the option IPV6 is not enabled in /etc/csf/csf.conf, so csf cannot issue ip6tables commands, so it rejects IPv6 addresses. If you set the value mentioned you should then be OK.

Re: IPv6 is not a valid IP/CIDR

Post by Jailout2000 »

Ah. That fixes it! Thanks, it is weird I didn't see that earlier.

Perhaps it would be more helpful if it would detect an IPv6 address and warn the administrator that they need to enable the IPV6 directive in the config file first. I could see, as IPv6 becomes more and more used, that this could become a headache for others as it did me.
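
Added example, not part of the thread and not csf's own code: a pre-flight check that separates "entry is malformed" from "entry is valid IPv6 but the IPV6 option is off", the distinction the generic "is not a valid IP/CIDR" message hides. It assumes csf.conf uses `KEY = "value"` lines, handles only plain IP/CIDR entries (advanced filters and Include lines are skipped), and runs on constructed sample file contents.

```python
import ipaddress
import re

# Constructed sample contents (not taken from the poster's server).
SAMPLE_CONF = '''# csf.conf excerpt (constructed)
TESTING = "0"
IPV6 = "0"
'''
SAMPLE_ALLOW = '''# csf.allow (constructed)
192.0.2.10 # office
2601:e:2680:b78::/64 # Comcast
::1/128
tcp|in|d=22|s=198.51.100.7
not-an-address
'''
NEEDS_IPV6 = "valid IPv6, but IPV6 is not enabled in csf.conf"

def conf_value(conf_text, key):
    """Return the value of a KEY = "value" line in csf.conf text, or None."""
    m = re.search(r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(key), conf_text, re.M)
    return m.group(1) if m else None

def check_entries(conf_text, list_text):
    """Classify each plain IP/CIDR entry as (line_no, entry, verdict)."""
    ipv6_on = conf_value(conf_text, "IPV6") == "1"
    results = []
    for no, line in enumerate(list_text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()   # drop trailing comment
        if not entry or "|" in entry or entry.lower().startswith("include"):
            continue  # blank, comment-only, advanced filter or Include line
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            results.append((no, entry, "invalid"))
            continue
        if net.version == 6 and not ipv6_on:
            results.append((no, entry, NEEDS_IPV6))
        else:
            results.append((no, entry, "ok"))
    return results

if __name__ == "__main__":
    for no, entry, verdict in check_entries(SAMPLE_CONF, SAMPLE_ALLOW):
        print("line %d: %s: %s" % (no, entry, verdict))
```

On a real host, pass the contents of /etc/csf/csf.conf and the allow or ignore file instead of the samples.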

Re: IPv6 is not a valid IP/CIDR

Post by ForumAdmin »

We'll rewrite the IPv6 checking in the next csf release so the error is more meaningful.

Re: IPv6 is not a valid IP/CIDR

Post by ForumAdmin »

This change has now been implemented in v6.47:
http://blog.configserver.com/