From 4889d5860c9995cdab6eb4ba7930b6d88795eb42 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 16 Dec 2008 22:10:53 +0000 Subject: [PATCH] Add IPv6 document git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9078 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/IPv6Support.xml | 391 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 391 insertions(+) create mode 100644 docs/IPv6Support.xml diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml new file mode 100644 index 000000000..b3e85fa2a --- /dev/null +++ b/docs/IPv6Support.xml @@ -0,0 +1,391 @@ + + +
+ + + + Shorewall IPv6 Support + + + + Tom + + Eastep + + + + + + + 2008 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Overview + + Beginning with a future Shorewall 4.2.x release, support for + firewalling IPv6 will be included. In the meantime, the support is + avilable in the 4.3 development releases. + +
+ Prerequisites + + In order to use Shorewall with IPv6, your firewall must meet the + following prerequisites: + + + + Kernel 2.6.25 or later. + + + + Iptables 1.4.0 or later (1.4.1.1 is strongly + recommended) + + + + If you wish to include DNS names in your IPv6 configuration + files, you must have Perl 5.10 and must install the Perl Socket6 + library. + + +
+ +
+ Packages + + Shorewall IPv6 support introduced two new packages: + + + + Shorewall6. This package provides + /sbin/shorewall6 which is the IPv6 equivalent + of /sbin/shorewall which only handles IPv4. + Shorewall6 depends on both Shorewall-common and on Shorewall-perl. + The Shorewall6 configuration is stored in /etc/shorewall6. + + + + Shorewall6 Lite. This package is to IPv6 what Shorewall Lite + is to IPv4. The package stores its configuration in /etc/shorewall6-lite. + + +
+ +
+ IPv4/IPv6 Interaction + + IP connections are either IPv4 or IPv6; there is no such thing as + a mixed IPv4/6 connecton. IPv4 connections are controlled by Shorewall + (or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or + Shorewall6-lite). Starting and stopping the firewall for one address + family has no effect on the other address family. + + As a consequence, there is very little interaction between + Shorewall and Shorewall6. + +
+ DISABLE_IPV6 + + An obvious area where the configuration of Shorewall affects + Shorewall6 is the DISABLE_IPV6 setting in + /etc/shorewall/shorewall.conf. When configuring + Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall + or Shorewall-lite. + +
+ TC_ENABLED + + The other area where their configurations overlap is in + traffic shaping; the tcdevices and tcclasses + files do exactly the same thing in both Shorewall and Shorewall6. + Consequently, you will have TC_ENABLED=Internal in Shorewall or in + Shorewall6 and TC_ENABLED=No in the other product. Also, you will + want CLEAR_TC=No in the configuration with TC_ENABLED=No. + + Regardless of which product has TC_ENABLED=Internal: + + + + IPv4 packet marking is controlled by + /etc/shorewall/tcrules + + + + IPv6 packet marking is controlled by + /etc/shorewall6/tcrules + + +
+
+
+
+ +
+ Shorewall6 Differences from Shoreawall + + Configuring Shorewall6 is very similar to configuring Shorewall with + some notable exceptions: + + + + No NAT + + + In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't + support any form of NAT). Most people consider this to be a giant + step forward. + + When an ISP assigns you an IPv6 address, you are actually + assigned an IPv6 prefix (similar to a + subnet). A 64-bit prefix defines a subnet with 4 billion hosts + squared (the size of the IPv4 address space squared). Regardless of + the length of your prefix, you get to assign local addresses within + that prefix. + + + + + Default Zone Type + + + The default zone type in Shorewall6 is + ipv6. It is suggested that you specify + ipv6 in the TYPE column of + /etc/shorewall6/zones and a type of ipv4 in + /etc/shorewall/zones; that way, if you run the + wrong utility on a configuration, you will get an instant + error. + + + + + Interface Options + + + The following interface options are available in + /etc/shorewall6/interfaces: + + + + blacklist + + + Same as in Shorewall + + + + + bridge + + + Same as in Shorewall + + + + + dhcp + + + Interface is assigned by IPv6 DHCP or the firewall hosts + an IPv6 DHCP server on the interface. + + + + + maclist + + + Same as in Shorewall + + + + + nosmurfs + + + Checks the source IP address of packets arriving on the + interface and drops packets whose SOURCE address is: + + + + An IPv6 multicast address + + + + The subnet-router anycast address for any of the + global unicast addresses assigned to the interface. + + + + An RFC 2526 anycast address for any of the global + unicast addresses assigned to the interface. 
+ + + + + + + optional + + + Same as in Shorewall + + + + + routeback + + + Same as in Shorewall + + + + + sourceroute[={0|1}] + + + Same as in Shorewall + + + + + tcpflags + + + Same as in Shorewall + + + + + mss=mss + + + Same as in Shorewall + + + + + forward[={0|1}] + + + Override the setting of IP_FORWARDING in shorewall6.conf + with respect to how the system behaves on this interface. If + 1, behave as a router; if 0, behave as a host. + + + + + + + + Host Options + + + The following host options are available in + /etc/shorewall6/hosts: + + + + blacklist + + + Same as in Shorewall + + + + + maclist + + + Same as in Shorewall + + + + + routeback + + + Same as in Shorewall + + + + + tcpflags + + + Same as in Shorewall + + + + + + + + Specifying Addresses + + + Anywhere that an address or address list follows a colon + (":"), the address or list may be enclosed in angled brackets + ("<" and ">") to improve readability. + + Example (/etc/shorewall6/rules): + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +ACCEPT net $FW:<2002:ce7c:92b4::3> tcp 22 + + When the colon is preceeded by an interface name, + the angle brackets are required. This is true + even when the address is a MAC address in Shorewall format. + + Example (/etc/shorewall6/rules): + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +ACCEPT net:wlan0:<2002:ce7c:92b4::3> tcp 22 + + + +
+ +
+ Installing IPv6 Support + + You will need at least the following packages: + + + + Shorewall-common 4.3.4 or later. + + + + Shorewall-perl 4.3.4 or later. + + + + Shorewall6 4.3.4 or later. + + + + You may also with to install Shorewall6-lite 4.3.4 or later on your + remote firewalls to allow for central IPv6 firewall administration. +
+
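Review bot: several spelling errors in the new document should be fixed before it ships: "avilable" in Overview (should be "available"), "connecton" in IPv4/IPv6 Interaction (should be "connection"), "Shoreawall" in the section title "Shorewall6 Differences from Shoreawall" (should be "Shorewall"), "preceeded" under Specifying Addresses (should be "preceded"), and "You may also with to install" under Installing IPv6 Support (should be "wish to install"). In Prerequisites, the item "Iptables 1.4.0 or later (1.4.1.1 is strongly recommended)" names only the IPv4 tool in a document about IPv6 firewalling; since Shorewall6 drives ip6tables, state that ip6tables from the same iptables release is what is required so readers do not check the wrong binary. Under Specifying Addresses, both example rules ("ACCEPT net $FW:<2002:ce7c:92b4::3> tcp 22" and "ACCEPT net:wlan0:<2002:ce7c:92b4::3> tcp 22") accept SSH to the firewall from the whole net zone; a one-line remark that they only illustrate the angle-bracket syntax, and are not a recommended policy, would keep readers from copying them into a production rules file unchanged.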