23

On a CentOS 7 server, I type in firewall-cmd --list-all, and it gives me the following:

public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client https ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

What is the dhcpv6-client service? What does it do? And what are the implications of removing it?

I read the Wikipedia page for DHCPv6, but it does not tell me specifically what this service on CentOS 7 firewalld does.

This server is accessible via https and email via mydomain.com, but it is a private server that can only be accessed via https by a list of known IP addresses. In addition, this server can receive email from a list of known email addresses. Is the dhcpv6-client service required to reconcile the domain addresses from the known IP https requests and for exchanging the email with known email addresses?

CodeMed

  • dhcpv6-client is obviously a DHCPv6 client which you already read about in Wikipedia. I don't see the purpose of the question then. – Pavel Šimerda Dec 31 '14 at 08:25
  • firewalld services may or may not be tied to an actual program running on the system. There are a number of different DHCPv6 clients. – Matt Dec 15 '15 at 22:01

3 Answers

29

This is needed if you are using DHCP v6 due to the slightly different way that DHCP works in v4 and v6.

In DHCP v4 the client establishes the connection with the server and because of the default rules to allow 'established' connections back through the firewall, the returning DHCP response is allowed through.

However, in DHCP v6, the initial client request is sent to a statically assigned multicast address while the response has the DHCP server's unicast address as the source (see RFC 3315). As the source is now different to the initial request's destination, the 'established' rule will not allow it through and consequently DHCP v6 will fail.

To combat this, a new firewalld rule was created called dhcpv6-client which allows incoming DHCP v6 responses to pass - this is the dhcpv6-client rule. If you're not running DHCP v6 on your network or you are using static IP addressing, then you can disable it.

garethTheRed

  • I think it is due to a missing kernel feature rather than differences in protocols. DHCPv4 client also broadcasts but the kernel can already handle it. I don't know whether a recent kernel already handles DHCPv6 as well or not. I'm talking about marking the DHCP responses `ESTABLISHED` in the connection tracking. – Pavel Šimerda Jan 07 '15 at 16:24
  • Kernel 4.2 still doesn't properly do connection tracking for the unicast DHCPv6 replies to the multicast DHCPv6 solicitations. – Matt Dec 15 '15 at 22:02
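To make the "established" argument in this answer concrete, here is an added example (my own, not code from the answer, from firewalld or from the kernel) that models in Python the reverse-5-tuple test a stateful firewall applies to recognise a reply, and runs the DHCPv6 Solicit/Advertise exchange from RFC 3315 through it next to an ordinary unicast DNS exchange. The service definition it encodes (UDP to port 546 with a link-local fe80::/64 destination) is my assumption about what the dhcpv6-client service permits; every address is constructed.

```python
"""Why a stateful 'established' rule cannot match a DHCPv6 reply.

Simplified model (hypothetical; not netfilter or firewalld code): a packet
counts as a reply only when its addresses and ports are the exact reverse of
the packet that opened the flow.  A DHCPv6 Solicit is sent to a multicast
group, so the unicast Advertise can never be the reverse of it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# DHCPv6 constants from RFC 3315
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547
# Assumed destination restriction of the firewalld dhcpv6-client service.
LINK_LOCAL = ip_network("fe80::/64")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def is_reply_to(original: Packet, candidate: Packet) -> bool:
    """Simplified conntrack ESTABLISHED test: the candidate must travel the
    original 5-tuple in reverse.  A multicast destination never appears as a
    source, so replies to multicast requests fail this test."""
    return (
        candidate.proto == original.proto
        and ip_address(candidate.src) == ip_address(original.dst)
        and ip_address(candidate.dst) == ip_address(original.src)
        and candidate.sport == original.dport
        and candidate.dport == original.sport
    )


def matches_dhcpv6_client_service(pkt: Packet) -> bool:
    """What the dhcpv6-client service is assumed to allow: UDP to port 546
    delivered to a link-local (fe80::/64) address on this host."""
    return (
        pkt.proto == "udp"
        and pkt.dport == DHCPV6_CLIENT_PORT
        and ip_address(pkt.dst) in LINK_LOCAL
    )


def verdict(flow_opener: Packet, inbound: Packet, services: frozenset) -> str:
    """Evaluation order mirrors a typical zone: established traffic first,
    then the zone's allowed services, otherwise drop."""
    if is_reply_to(flow_opener, inbound):
        return "ACCEPT:established"
    if "dhcpv6-client" in services and matches_dhcpv6_client_service(inbound):
        return "ACCEPT:dhcpv6-client"
    return "DROP"


# Constructed sample exchanges (documentation addresses, not real hosts).
# 1) DHCPv6: client solicits the multicast group, server answers from its
#    own link-local unicast address.
SOLICIT = Packet("fe80::a1", DHCPV6_CLIENT_PORT,
                 ALL_DHCP_RELAY_AGENTS_AND_SERVERS, DHCPV6_SERVER_PORT)
ADVERTISE = Packet("fe80::1", DHCPV6_SERVER_PORT, "fe80::a1", DHCPV6_CLIENT_PORT)
# 2) Ordinary unicast UDP (DNS) for contrast: the reply is the exact reverse.
DNS_QUERY = Packet("2001:db8::10", 40000, "2001:db8::53", 53)
DNS_REPLY = Packet("2001:db8::53", 53, "2001:db8::10", 40000)


def demo() -> dict:
    """Run both exchanges with and without the dhcpv6-client service."""
    return {
        "dns_reply": verdict(DNS_QUERY, DNS_REPLY, frozenset()),
        "advertise_with_service": verdict(SOLICIT, ADVERTISE, frozenset({"dhcpv6-client"})),
        "advertise_service_removed": verdict(SOLICIT, ADVERTISE, frozenset()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

The DNS reply passes the established test because its 5-tuple is the exact reverse of the query; the Advertise never can, because the Solicit's destination was the multicast group, so only the explicit service entry lets it in, and removing that entry leaves the Advertise dropped on a host that actually uses DHCPv6.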
4

dhcpv6-client is the client process for DHCPv6. If you have a static IPv6 address or don't use IPv6, it's safe to disable it. See this serverfault answer

Outurnate

  • How can I tell if I use IPv6? My DNS at the domain registrar points to the IPv4 IP for the server. – CodeMed Dec 31 '14 at 01:14
  • If your DNS entry has an AAAA record, you are using IPv6. – Outurnate Dec 31 '14 at 01:15
  • You cannot always judge by DNS entry and you won't learn anything about the configuration. Why don't you just keep the default configuration? If you're not using a DHCPv6 client at all, you don't need to care about blocking it in the firewall. – Pavel Šimerda Jan 07 '15 at 16:30
  • It's not blocked in his firewall; it's allowed. Additionally, while testing for an AAAA record will not ensure that IPv6 isn't being used, in the context of his question (web hosting), a lack of an AAAA record indicates his host does not use IPv6. – Outurnate Jan 08 '15 at 21:52
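The comments above ask how to tell whether IPv6, and specifically DHCPv6, is in use on the host itself rather than judging from DNS. Here is an added helper (mine, not from this answer or from firewalld) that parses the `firewall-cmd --list-all` output shown in the question together with `ip -6 addr show` output and a list of running command lines, and only suggests the `firewall-cmd --remove-service` commands when nothing on the host points to a DHCPv6 client. All sample inputs are constructed; the DHCPv6 client process names and the use of the kernel's `dynamic` address flag as an indicator are assumptions.

```python
"""Audit helper: is the dhcpv6-client service in the active zone doing anything?

Added example, not from the thread.  The heuristic: a global address carrying
the kernel's `dynamic` flag (set for addresses with a finite lifetime, i.e.
learned via SLAAC or DHCPv6) or a running DHCPv6 client process means the
service should stay; otherwise the removal commands are offered.
"""
import re

# --- constructed sample inputs (not captured from a real host) --------------
FIREWALL_LIST_ALL = """\
public (default, active)
  interfaces: enp3s0
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

IP6_ADDR_STATIC = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""

IP6_ADDR_DYNAMIC = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::5c3a/128 scope global dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::1234:5678:9abc:def0/64 scope link
       valid_lft forever preferred_lft forever
"""

_ZONE_RE = re.compile(r"^(\S+)\s*\((.*)\)\s*$")
_IFACE_RE = re.compile(r"^\d+:\s+(\S+):")
_INET6_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\S+)(.*)$")


def parse_firewall_list_all(text):
    """Parse `firewall-cmd --list-all` into {'zone': name, 'services': [...], ...}.
    Each 'key: value' line is split on whitespace, so 'services' is a list."""
    lines = [line for line in text.splitlines() if line.strip()]
    m = _ZONE_RE.match(lines[0])
    info = {"zone": m.group(1) if m else lines[0].split()[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        info[key.strip()] = value.split()
    return info


def parse_ip6_addr(text):
    """Parse `ip -6 addr show` into [{'iface', 'addr', 'scope', 'flags'}]."""
    addrs, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m:
            addrs.append({"iface": iface, "addr": m.group(1),
                          "scope": m.group(2), "flags": m.group(3).split()})
    return addrs


def has_dynamic_global_ipv6(addrs):
    """True if any global-scope address was learned dynamically (SLAAC/DHCPv6)."""
    return any(a["scope"] == "global" and "dynamic" in a["flags"] for a in addrs)


def dhcpv6_client_running(cmdlines):
    """Heuristic match on common DHCPv6 client command lines (assumed names)."""
    return any(("dhclient" in c and "-6" in c.split()) or "dhcp6c" in c or "dhcpcd" in c
               for c in cmdlines)


def assess(firewall_text, ip6_text, cmdlines):
    """Return (verdict, commands); commands are offered only when removal is safe."""
    fw = parse_firewall_list_all(firewall_text)
    if "dhcpv6-client" not in fw.get("services", []):
        return "not-present", []
    if has_dynamic_global_ipv6(parse_ip6_addr(ip6_text)) or dhcpv6_client_running(cmdlines):
        return "keep", []
    zone = fw["zone"]
    return "removable", [
        f"firewall-cmd --zone={zone} --remove-service=dhcpv6-client",
        f"firewall-cmd --permanent --zone={zone} --remove-service=dhcpv6-client",
    ]


if __name__ == "__main__":
    print(assess(FIREWALL_LIST_ALL, IP6_ADDR_STATIC, ["/usr/sbin/sshd -D"]))
    print(assess(FIREWALL_LIST_ALL, IP6_ADDR_DYNAMIC, ["/usr/sbin/sshd -D"]))
```

The check is deliberately conservative: a SLAAC-only host also carries the `dynamic` flag and is told to keep the service even though SLAAC itself does not use DHCPv6, which matches the point made in the comments that the allow entry costs nothing on a host without a DHCPv6 client but would break address configuration on one that has it.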
2

Slightly different perspective. You're using firewalld as an end host firewall that basically blocks all but selected services to avoid publishing a service by mistake. It doesn't make much sense to use a firewall to block services that you'll never be running.

In my opinion, the logic here is flawed. If there's no chance you'll ever use automatic address configuration of IPv6, there's no reason to care about the firewall. If there's a chance that you will want to run it, then the firewall would only be harmful.

There are services that you can use locally, that you can install and start in good faith that they only listen locally or that can get started by mistake. In that case the firewall helps you to avoid making the service accessible from outside your server. That is the value of a firewall on your server connected to the internet, not blocking responses to DHCP clients.

Also note that the firewall rule to allow replies to packets from the DHCP client is just a workaround for a missing kernel feature. The kernel can detect DHCPv4 replies like replies for any other type of communication. But it cannot (or could not at the time of the decision to include the firewall rule) do the same for DHCPv6.

Pavel Šimerda