Re: Firewalling for IPv6
On 24 Apr 2005, Wesley J. Landaker wrote:
> I have a few questions regarding the current state of firewalling for IPv6
> in Debian.
> Searching through packages and the web, the best I could find is the
> existance of ip6tables, and a bunch of articles talking about how Linux
> *would* support (implying that it doesn't now(?)) IPv6 firewalling in the
> future (one site I saw mentioned it would be in 2.6.11--I'm running
Well, it has /some/ firewalling today. The IPv6 support doesn't
resemble a modern firewall system at all, though. :/
There is no connection tracking for IPv6 at the moment, "pending" work
to integrate it with the IPv4 infrastructure. This has been the case
for several years now, and as far as I can tell, looks unlikely to
change any time soon.
> So, I guess what I'm wondering is:
> 1) Is there a FAQ about Linux and/or Debian + IPv6 firewalling? I'm more
> than happy to R the FM if I can locate T right one. =)
Not that I know of.
> 2) Are there any packages currently in Debian that support making IPv6
> firewalls? (For IPv4, I am currently using firehol; I have used shorewall
> in the past (I've heard of, but no little about 6wall); I'm not an iptables
> expert, but I roughly know how to make it work).
It shouldn't be too hard, in theory, to enhance firehol to support IPv6
table construction as well as IPv4, but most of the functionality
firehol provides depends on conntrack.
You /could/ just use 'iptables' to build a stateless IPv6 firewall
yourself, while using firehol for the IPv4 stateful firewall, and
keeping the nice configuration file, etc, support.
> 3) Assuming the answer is to use xyz/6wall/ip6tables, are there any critical
> limitations I should be aware of? i.e. Are there known
> features/bugs/workarounds missing/added/required?
No conntrack. Nothing that would imply, as a result, like state matches
and the like. IIRC, the REJECT target is still not working without
third party patches. Many of the IPv4 match and target things don't
exist for IPv6, even where they do make sense.
Overall - not great. :/
 Not a developer, and not looking /that/ closely.
 As in, the integrated support for calling raw iptables commands
within the firehol framework.
It has been discovered that C++ provides a remarkable facility for concealing
the trival details of a program -- such as where its bugs are.
-- David Keppel