Ralph Aichinger <r...@h5.or.at> writes:
> I am currently fighting with the following problem: I've got a system
> that has 3 relevant interfaces: ppp0, en0 and en2, for external,
> internal and dmz respectively.
>
> The dmz is IPv6 only, a homelab testbed more or less.
>
> I've got the following rules in /etc/nftables.conf for ipv6 (I am
> abbreviating the chain input, because I am only fighting with
> forwarding):
>
> table ip6 filter {
>     chain input {
>         ...
>     }
>
>     chain forward {
>         type filter hook forward priority 0; policy drop;
>
>         iifname ppp0 oifname en0 ct state established,related accept
>         iifname en0 oifname ppp0 accept
>
>         iifname en2 oifname ppp0 accept
>         iifname ppp0 oifname en2 accept
>
>         iifname en0 oifname en2 accept
>         iifname en2 oifname en0 ct state established,related accept
>
>         meta l4proto ipv6-icmp accept
>     }
> }
>
> What does not work, and this puzzles me, is that UDP does not work.
> E.g. if I look up a DNS name in my dmz (connected to en2), I see no
> UDP packets if I start tcpdump on the external interface ppp0. I see
> them entering on en2.
>
Where is the DNS server the dmz host is resolving against? In your dmz,
your internal network, on the firewall machine, outside? You may have
other input/output rules that are interfering, but since you've abridged
your ruleset we have no way of knowing.
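To make the reply's point concrete, here is an added example (not code from either mail and not part of nftables) that replays the quoted forward chain as a first-match evaluator over a few constructed packets; it models only iifname, oifname, ct state and meta l4proto, since those are the only fields the quoted rules test.

```python
# Toy first-match evaluator of the quoted "chain forward" (constructed for this
# thread; not the original ruleset's behaviour beyond the four fields modelled).
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    iif: str   # ingress interface name
    oif: str   # egress interface name, as chosen by routing
    l4: str    # "udp", "tcp" or "ipv6-icmp"
    ct: str    # conntrack state: "new", "established" or "related"

# (iifname, oifname, ct states, l4proto); None = field not tested by that rule.
# Transcribed in order from the quoted chain; every rule is an accept rule.
FORWARD_RULES = [
    ("ppp0", "en0",  {"established", "related"}, None),
    ("en0",  "ppp0", None, None),
    ("en2",  "ppp0", None, None),
    ("ppp0", "en2",  None, None),
    ("en0",  "en2",  None, None),
    ("en2",  "en0",  {"established", "related"}, None),
    (None,   None,   None, "ipv6-icmp"),
]

def forward_verdict(pkt: Pkt) -> str:
    """nftables walks a chain top-down; the first matching rule's verdict
    (here always accept) is final, otherwise the chain policy (drop) applies."""
    for iif, oif, states, l4 in FORWARD_RULES:
        if iif is not None and pkt.iif != iif:
            continue
        if oif is not None and pkt.oif != oif:
            continue
        if states is not None and pkt.ct not in states:
            continue
        if l4 is not None and pkt.l4 != l4:
            continue
        return "accept"
    return "drop"

def dns_query_path() -> dict:
    """The case from the mail: a DNS query leaving the dmz (en2) towards ppp0,
    its reply, and the same query aimed at the internal network instead."""
    return {
        "dmz->ppp0 udp query": forward_verdict(Pkt("en2", "ppp0", "udp", "new")),
        "ppp0->dmz udp reply": forward_verdict(Pkt("ppp0", "en2", "udp", "established")),
        "dmz->internal udp query": forward_verdict(Pkt("en2", "en0", "udp", "new")),
    }

if __name__ == "__main__":
    for case, verdict in dns_query_path().items():
        print(f"{case}: {verdict}")
```

Under this model the forward chain accepts the dmz query unconditionally, so a query that reaches en2 but never appears on ppp0 is being stopped outside the quoted chain (a resolver that is not behind ppp0, routing, or rules in the abridged chains), which is exactly what the reply is asking about.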