Firewalling IPv6 - an easy way?

 
Chris Boot
(Msg. 1) Posted: Sun Aug 12, 2007 11:47 am
Post subject: Firewalling IPv6 - an easy way?
Archived from groups: linux>debian>maint>ipv6

All,

I've been running IPv6 locally without much trouble at all. Now I'd like
to build a firewall on my router and had a good look around for debian
packages for IPv6 compatible firewall software and I came up blank. I
currently use Shorewall for IPv4 and it works really nicely but there
clearly isn't any support in that for IPv6. I see there's a 6wall that's
based on Shorewall in LEAF/Bering, but it's really old and not packaged.
I'd rather not have to build my own rules using ip6tables if possible.

Many thanks,
Chris


--
To UNSUBSCRIBE, email to debian-ipv6-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Chris Boot
(Msg. 2) Posted: Sun Aug 12, 2007 3:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Hi Andrew,

Andrew Ruthven wrote:
> Hi Chris
>
> On Sun, 2007-08-12 at 17:07 +0100, Chris Boot wrote:
>
>> I've been running IPv6 locally without much trouble at all. Now I'd like
>> to build a firewall on my router and had a good look around for debian
>> packages for IPv6 compatible firewall software and I came up blank. I
>> currently use Shorewall for IPv4 and it works really nicely but there
>> clearly isn't any support in that for IPv6. I see there's a 6wall that's
>> based on Shorewall in LEAF/Bering, but it's really old and not packaged.
>> I'd rather not have to build my own rules using ip6tables if possible.
>>
>
> I'm sorry, but the bad news is that currently you'll have to write the
> ip6table rules by hand. The good news is that you might be able to use
> the IPv4 rules as a base and just do some heavy editing.
>

Thanks. Never mind, I guess it is the manual method then. Is there a
Debian-recommended way of applying manual ip6tables rules? I was
thinking of running an ip6tables-restore in post-up in
/etc/network/interfaces, would that be a sensible option?

Does anyone have any best-practice sample IPv6 firewall rules for a
server (i.e. not router/workstation)?

Many thanks,
Chris



Chris Boot
(Msg. 3) Posted: Sun Aug 12, 2007 4:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Chris Boot wrote:
> Hi Andrew,
>
> Andrew Ruthven wrote:
>> Hi Chris
>>
>> On Sun, 2007-08-12 at 17:07 +0100, Chris Boot wrote:
>>
>>> I've been running IPv6 locally without much trouble at all. Now I'd
>>> like to build a firewall on my router and had a good look around for
>>> debian packages for IPv6 compatible firewall software and I came up
>>> blank. I currently use Shorewall for IPv4 and it works really nicely
>>> but there clearly isn't any support in that for IPv6. I see there's
>>> a 6wall that's based on Shorewall in LEAF/Bering, but it's really
>>> old and not packaged. I'd rather not have to build my own rules
>>> using ip6tables if possible.
>>>
>>
>> I'm sorry, but the bad news is that currently you'll have to write the
>> ip6table rules by hand. The good news is that you might be able to use
>> the IPv4 rules as a base and just do some heavy editing.
>>
>
> Thanks. Never mind, I guess it is the manual method then. Is there a
> Debian-recommended way of applying manual ip6tables rules? I was
> thinking of running an ip6tables-restore in post-up in
> /etc/network/interfaces, would that be a sensible option?
>
> Does anyone have any best-practice sample IPv6 firewall rules for a
> server (i.e. not router/workstation)?

And to add to that I can't seem to get conntrack connection tracking to
work properly on IPv6 either. This seems to have been the case in Sarge
but shouldn't it work in Etch?

Thanks,
Chris



Chris Boot
(Msg. 4) Posted: Sun Aug 12, 2007 5:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Andrew Ruthven wrote:
> Hi Chris,
>
> On Sun, 2007-08-12 at 22:29 +0100, Chris Boot wrote:
>
>> And to add to that I can't seem to get conntrack connection tracking to
>> work properly on IPv6 either. This seems to have been the case in Sarge
>> but shouldn't it work in Etch?
>>
>
> Erm, unfortunately IPv6 connection tracking was only added in the 2.6.21
> kernel, so you'll need to compile your own kernel as the stock Etch
> kernel is too old.
>

Aha! I installed 2.6.21 from backports and it works. Thanks very much.

Cheers,
Chris



Pascal Hambourg
(Msg. 5) Posted: Sun Aug 12, 2007 5:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Hello,

Andrew Ruthven wrote:
>
> Erm, unfortunately IPv6 connection tracking was only added in the 2.6.21
> kernel

Actually IPv6 connection tracking capability was added in kernel 2.6.15,
based on a new layer 3 independent connection tracking called
nf_conntrack. But until version 2.6.20, it was not possible to enable
both IPv6 conntrack and IPv4 NAT at the same time. So I guess most
builds, including etch 2.6.18 kernel builds, had IPv4 NAT enabled and
IPv6 conntrack disabled.



Mikael Frykholm
(Msg. 6) Posted: Mon Aug 20, 2007 2:47 am
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Andrew Ruthven wrote:
> Hi Chris,
>
> On Sun, 2007-08-12 at 21:33 +0100, Chris Boot wrote:
>>> I'm sorry, but the bad news is that currently you'll have to write the
>>> ip6table rules by hand. The good news is that you might be able to use
>>> the IPv4 rules as a base and just do some heavy editing.
>>>
>> Thanks. Never mind, I guess it is the manual method then. Is there a
>> Debian-recommended way of applying manual ip6tables rules? I was
>> thinking of running an ip6tables-restore in post-up in
>> /etc/network/interfaces, would that be a sensible option?
>
> I'm not sure of a Debian recommended way, but a post-up line or a file
> in /etc/network/if-up.d which only runs for the interface you want would
> work okay.

Hi,
Shouldn't that be pre-up instead?
Otherwise a reboot of the firewall would leave it vulnerable for some
split seconds.

/Mikael Frykholm



Pascal Hambourg
(Msg. 7) Posted: Mon Aug 20, 2007 4:47 am
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Hello,

Mikael Frykholm wrote:
> Andrew Ruthven wrote:
>>
>> I'm not sure of a Debian recommended way, but a post-up line or a file
>> in /etc/network/if-up.d which only runs for the interface you want would
>> work okay.

Or in /etc/ppp/ipv6-up.d/ for PPP interfaces.

> Shouldn't that be pre-up instead?
> Otherwise a reboot of the firewall would leave it vulnerable for some
> split seconds.

Not if the filter default policies have been set to DROP earlier.
Default policies are not a per-interface setting.



Pascal Hambourg
(Msg. 8) Posted: Mon Aug 20, 2007 4:47 am
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Andrew Ruthven wrote:
>>
>>Shouldn't that be pre-up instead?
>
> I've just tried this and confirmed my suspicion. This will fail if you
> refer to the interface in your firewall. Since the interface isn't up
> yet (pre-up) iptables can't find the device to apply the against.

Huh? AFAIK iptables does not care whether the specified interface is up
or even exists. It is just text, possibly including a wildcard (+).
Doesn't your script try to extract information about the interface from
ifconfig or the like? Of course this may fail if the interface is not
up yet.


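The server ruleset Chris asked for in Msg. 2, written to respect Pascal's two points above (default policies set to DROP before anything else, and no dependence on an interface existing so that pre-up is safe). This is an added example, not code from anyone in the thread; it assumes a 2.6.20 or newer kernel with IPv6 conntrack, SSH on TCP/22 as the only exposed service, and the file paths shown.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful IPv6 ruleset for a
# server (no forwarding), emitted in ip6tables-restore format, plus the boot
# hook. Assumes a kernel with nf_conntrack IPv6 support (2.6.20 or later per
# the thread) and that SSH on TCP/22 is the only exposed service (assumption).

# Print the ruleset; save it to a file such as /etc/ip6tables.rules (assumed path).
ip6_server_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# stateful filtering: replies to our own connections (needs nf_conntrack_ipv6)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMPv6 carries neighbour discovery and path MTU discovery; blocking it
# breaks IPv6 outright, so allow the required types explicitly
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# NDP messages are link-local only: a hop limit of 255 proves they were not routed
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# the single exposed service
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# log (rate-limited) what falls through to the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "ip6tables drop: "
COMMIT
EOF
}

# Boot hook in /etc/network/interfaces (layout assumed). The ruleset names no
# physical interface, so ip6tables does not need the device to exist yet and
# pre-up is safe; the DROP policies are then in force before any traffic flows.
#
#   iface eth0 inet6 static
#       address 2001:db8::1          # documentation prefix, placeholder
#       netmask 64
#       pre-up ip6tables-restore < /etc/ip6tables.rules

ip6_server_rules
```

Review the generated file with `ip6tables-restore --test` (where the installed version supports it) before wiring it into the boot sequence.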

Juliusz Chroboczek
(Msg. 9) Posted: Mon Aug 20, 2007 7:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

> Aha! I installed 2.6.21 from backports and it works. Thanks very much.

IPv6 under 2.6.21 is buggy (at least the upstream version, don't know
about the Debian kernel). Please use 2.6.20 or 2.6.22, both seem to
be fine.

http://lkml.org/lkml/2007/5/28/299

Juliusz



Pascal Hambourg
(Msg. 10) Posted: Tue Aug 21, 2007 3:47 am
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Juliusz Chroboczek wrote:
>>Aha! I installed 2.6.21 from backports and it works. Thanks very much.
>
> IPv6 under 2.6.21 is buggy (at least the upstream version, don't know
> about the Debian kernel). Please use 2.6.20 or 2.6.22, both seem to
> be fine.
>
> http://lkml.org/lkml/2007/5/28/299

It is not that simple. Upstream kernel versions have 4 numbers, but
Debian kernel versions use only the first 3 numbers.

Bug #8349 was caused by a patch introduced in upstream 2.6.20.5 and
2.6.21. According to the changelogs it was fixed in upstream 2.6.20.14,
2.6.21.5 and 2.6.22.

So I believe that a 2.6.20 Debian kernel may contain the bug and a
2.6.21 Debian kernel may not, depending on the 4th number of the
upstream version they were built from.



Pascal Hambourg
(Msg. 11) Posted: Tue Aug 21, 2007 4:47 am
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

Andrew Ruthven wrote:
>
> I had thought I could just refer to a dummy interface and it'd
> be created, it appears that isn't the case.

IIRC it was possible with a 2.4 kernel, but not any more with a 2.6
kernel. I won't complain, this looked like scary black magic to me.



Juliusz Chroboczek
(Msg. 12) Posted: Wed Aug 22, 2007 4:47 pm
Post subject: Re: Firewalling IPv6 - an easy way?
Archived from groups: per prev. post

>> IPv6 under 2.6.21 is buggy (at least the upstream version, don't know
>> about the Debian kernel). Please use 2.6.20 or 2.6.22, both seem to
>> be fine.

> It is not that simple. Upstream kernel versions have 4 numbers, but
> Debian kernel versions use only the first 3 numbers.
[..]
> So I believe that a 2.6.20 Debian kernel may contain the bug and
> a 2.6.21 Debian kernel may not, depending on the 4th-number of the
> upstream version they were built from.

I stand corrected.

In case anyone needs help with choosing a kernel version, all I can say
is that we have been happily running IPv6 on a mixture of upstream
2.6.22rcx, for various values of x, and Debian's 2.6.18-y, for various
values of y, with no apparent problems.

Juliusz

