I fixed a minor problem with the UFW in my Lubuntu installation a few minutes ago.
I installed the Lubuntu using the download at http://www.lemaker.org/ and enabled the UFW for IPv4 and IPv6, but I was running into the following error:
ip6tables-restore: line 73 failed
Problem running '/etc/ufw/before6.rules'
Using an iteration of commenting in
/lib/ufw/ufw-init force-reload I finally fixed the error by dropping the reference to Netfilter’s hl module:
# for stateless autoconfiguration (restrict NDP messages to hop limit of 255)
#-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
It seems, the kernel in this Lubuntu release is just not supporting the hl module.
With these changes the error disappears and the UFW will also work for IPv6.
Relaying DNS queries to local dnsmasq instances, debugging DNS servers in newer Ubuntu releases is no longer file-based.
I personally appreciate the usage of dnsmasq for caching, since it’s a fine piece of software, but you should use now the nm-tool command for querying the current DNS servers.
resolv.conf or files in
/run will no longer help, if you just want to know the DNS setup of the current connection.
nm-tool | fgrep -iw dns to show the active nameservers, and apply
host $NAME $DNS for queries on $NAME using nameserver $DNS from the results reported by the first command.
Since last week I am testing a seconds uplink at home providing a lot more bandwidth, but also a very limited cable modem implementing DualStack Lite (TANSTAAFL).
This is my chance to switch to preferred IPv6 instead of my former IPv6 tests using a tunnel.
But IPv6 over consumer uplink seems to setup a few issues I have not seen before. The network prefix is changing (not often, but I have to expect it to change every 10 days), so I still need dynamic DNS, at least my current ddns service supports IPv6.
I heard the first time about the concept of tokenized interface identifiers, providing static interface identifiers with changing network prefixes.
I changed the certificate for SSL to a self-signed successor with the following attributes:
I applied a classical (in the context of Debian) upgrade on my Mint installation and even though Mint is not recommending this option (instead the favorite is a fresh install with restore), my system still works, satisfying my expectations.
See also http://www.tecmint.com/upgrade-linux-mint-16-to-linux-mint-17/ for more information about the non-recommended method of Mint Upgrading.
Please find a nearly chronological comment about this upgrade procedure in the list below:
- Changes in /etc/apt according to the proposal from tecmint.com.
- apt-get update
- apt-get dist-upgrade
- apt-get upgrade
- Do some cleanup, using
- apt-get clean
- apt-get autoremove
- apt-get install debfoster; debfoster
- You can drop the former Linux Kernel from Petra.
- Fix missing networking widget in KDE’s tray by installation of plasma-widget-networkmanagement.
- Fix problems with Suspend and Hibernation after analyzing /var/log/pm-suspend.log by re-installing the rfkill package.
- And if you want to handle multiple displays, check for kscreen package.
- Edit my tcplay-wrappers, since the automatic mounting of the encrypted volumes is no longer working. I had to use sudo on an explicit mount to get the full automation back.
The final problem are the missing tray icons of Chromium, but the next release 35 of the package is hopefully fixing this issue, since similar problems are already discussed in the issues at Google Code.