Ubuntu Firewall for IPv6 on Banana Pi

I fixed a minor problem with the UFW in my Lubuntu installation a few minutes ago.

I installed Lubuntu using the download at http://www.lemaker.org/ and enabled the UFW for IPv4 and IPv6, but I was running into the following error:

ip6tables-restore: line 73 failed

Problem running '/etc/ufw/before6.rules'

By repeatedly commenting out lines in /etc/ufw/before6.rules and running /lib/ufw/ufw-init force-reload, I finally fixed the error by dropping the reference to Netfilter’s hl module:

# for stateless autoconfiguration (restrict NDP messages to hop limit of 255)
#-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

It seems the kernel in this Lubuntu release just does not support the hl module.

With these changes the error disappears and the UFW will also work for IPv6.
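
The replacement rules above accept neighbor-solicitation and neighbor-advertisement at any hop limit, and the commented-out router-solicitation and router-advertisement rules have no replacement. As an added example (not from the original post), this shell function audits before6.rules-style input for both conditions; the function names and sample input are constructed here, and it assumes ICMPv6 types are written by name as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Audits before6.rules-style input
# for NDP ACCEPT rules that no longer require hop limit 255 (RFC 4861 has
# receivers discard NDP messages with any other hop limit, i.e. off-link ones).
# Output, one finding per line:
#   RESTRICTED   <chain> <type>   active rule still has "--hl-eq 255"
#   UNRESTRICTED <chain> <type>   active rule accepts any hop limit
#   NO_RULE      <type>           no active ACCEPT rule names this NDP type
audit_ndp_rules() {   # usage: audit_ndp_rules [FILE]   (stdin if no FILE)
    awk '
    BEGIN {
        t = "neighbor-solicitation neighbor-advertisement"
        t = t " router-solicitation router-advertisement"
        n = split(t, types, " ")
    }
    $1 != "-A" { next }        # also skips commented-out rules ("#-A ...")
    {
        chain = $2; type = ""; accept = 0; hl = 0
        for (i = 3; i < NF; i++) {
            if ($i == "--icmpv6-type") type = $(i + 1)
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            if ($i == "--hl-eq" && $(i + 1) == "255") hl = 1
        }
        if (!accept) next
        for (k = 1; k <= n; k++) if (types[k] == type) {
            seen[type] = 1
            status = hl ? "RESTRICTED" : "UNRESTRICTED"
            print status, chain, type
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (!(types[k] in seen)) print "NO_RULE", types[k]
    }' "$@"
}

# Constructed sample: the rule lines as left by the edit described in the post.
sample_rules() {
    cat <<'EOF'
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
#-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
EOF
}

sample_rules | audit_ndp_rules
```

On a real system the same function can be pointed at /etc/ufw/before6.rules; whether a NO_RULE finding matters depends on the rest of the ruleset.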

NetworkManager DNS

Because newer Ubuntu releases relay DNS queries to local dnsmasq instances, debugging DNS servers there is no longer file-based.
I personally appreciate the usage of dnsmasq for caching, since it’s a fine piece of software, but you should now use the nm-tool command for querying the current DNS servers.
Looking into resolv.conf or files in /run will no longer help if you just want to know the DNS setup of the current connection.
Try nm-tool | fgrep -iw dns to show the active nameservers, and apply host $NAME $DNS for queries on $NAME using nameserver $DNS from the results reported by the first command.

IPv6 Uplink (DS Lite)

Since last week I have been testing a second uplink at home, which provides a lot more bandwidth but also comes with a very limited cable modem implementing DualStack Lite (TANSTAAFL).
This is my chance to switch to preferred IPv6 instead of my former IPv6 tests using a tunnel.
But IPv6 over a consumer uplink seems to bring up a few issues I have not seen before. The network prefix is changing (not often, but I have to expect it to change every 10 days), so I still need dynamic DNS; at least my current ddns service supports IPv6.
I heard for the first time about the concept of tokenized interface identifiers, which provide static interface identifiers with changing network prefixes.

SSL Certificate

I changed the certificate for SSL to a self-signed successor with the following attributes:

  • Serial Number: 00:B2:EB:3A:56:C1:88:66:0E
  • SHA256 Fingerprint: 0A 8A FD 8F B3 1B D9 39 CB 67 7C 5C 08 DD 33 FD EF D5 38 B8 17 93 87 CE 25 08 FA 38 BA BE 2D D5
  • SHA1 Fingerprint: 0B DB 08 37 B7 5C DE 5E 74 3C 60 C7 B7 AB D9 21 42 5A F4 42
  • Expiration Date: 1/13/42

Linux Mint 17 (Qiana) KDE Edition

I applied a classical (in the context of Debian) upgrade on my Mint installation, and even though Mint does not recommend this option (the favorite is instead a fresh install with restore), my system still works, satisfying my expectations.

See also http://www.tecmint.com/upgrade-linux-mint-16-to-linux-mint-17/ for more information about the non-recommended method of Mint Upgrading.

Please find a nearly chronological comment about this upgrade procedure in the list below:

  • Changes in /etc/apt according to the proposal from tecmint.com.
  • apt-get update
  • apt-get dist-upgrade
  • apt-get upgrade
  • Reboot
  • Do some cleanup, using
    • apt-get clean
    • apt-get autoremove
    • apt-get install debfoster; debfoster
  • You can drop the former Linux Kernel from Petra.
  • Fix missing networking widget in KDE’s tray by installation of plasma-widget-networkmanagement.
  • Fix problems with Suspend and Hibernation after analyzing /var/log/pm-suspend.log by re-installing the rfkill package.
  • And if you want to handle multiple displays, check for kscreen package.
  • Edit my tcplay-wrappers, since the automatic mounting of the encrypted volumes is no longer working. I had to use sudo on an explicit mount to get the full automation back.

The final problem is the missing tray icons of Chromium, but the next release, 35, of the package will hopefully fix this issue, since similar problems are already discussed in the issues at Google Code.