<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <article> <!--$Id$--> <articleinfo> <title>Shorewall IPv6 Support</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2008</year> <year>2009</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <caution> <para><emphasis role="bold">This article applies to Shorewall 4.3 and later. 
If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.</emphasis></para> </caution>
<section> <title>Overview</title>
<para>Beginning with Shorewall 4.2.4, support for firewalling IPv6 is included as part of Shorewall.</para>
<section> <title>Prerequisites</title>
<para>In order to use Shorewall with IPv6, your firewall must meet the following prerequisites:</para>
<orderedlist>
<listitem> <para><ulink url="FAQ.htm#faq80a">Kernel 2.6.24 or later</ulink>.</para> </listitem>
<listitem> <para>Iptables 1.4.0 or later (1.4.1.1 is strongly recommended)</para> </listitem>
<listitem> <para>If you wish to include DNS names in your IPv6 configuration files, you must have Perl 5.10 and must install the Perl Socket6 library.</para> </listitem>
</orderedlist> </section>
<section> <title>Packages</title>
<para>Shorewall IPv6 support introduced two new packages:</para>
<orderedlist>
<listitem> <para>Shorewall6. This package provides <filename>/sbin/shorewall6</filename> which is the IPv6 equivalent of <filename>/sbin/shorewall</filename>. <filename>/sbin/shorewall</filename> only handles IPv4 while <filename>/sbin/shorewall6</filename> handles only IPv6. Shorewall6 depends on Shorewall. The Shorewall6 configuration is stored in <filename class="directory">/etc/shorewall6</filename>.</para> </listitem>
<listitem> <para>Shorewall6 Lite. This package is to IPv6 what Shorewall Lite is to IPv4. The package stores its configuration in <filename class="directory">/etc/shorewall6-lite</filename>. As with Shorewall Lite, Shorewall6 Lite usually requires no configuration changes on the firewall system.</para> </listitem>
</orderedlist> </section>
<section> <title>IPv4/IPv6 Interaction</title>
<para>IP connections are either IPv4 or IPv6; there is no such thing as a mixed IPv4/6 connection. IPv4 connections are controlled by Shorewall (or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or Shorewall6-lite).
Starting and stopping the firewall for one address family has no effect on the other address family.</para>
<para>As a consequence, there is very little interaction between Shorewall and Shorewall6.</para>
<section> <title>DISABLE_IPV6</title>
<para>An obvious area where the configuration of Shorewall affects Shorewall6 is the DISABLE_IPV6 setting in <filename>/etc/shorewall/shorewall.conf</filename>. When configuring Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall or Shorewall-lite.</para> </section>
<section> <title>TC_ENABLED</title>
<para>Another area where their configurations overlap is in traffic shaping; the <filename>tcdevices</filename> and <filename>tcclasses</filename> files do exactly the same thing in both Shorewall and Shorewall6. Consequently, you will have TC_ENABLED=Internal in Shorewall or in Shorewall6 and TC_ENABLED=No in the other product. Also, you will want CLEAR_TC=No in the configuration with TC_ENABLED=No.</para>
<para>Regardless of which product has TC_ENABLED=Internal:</para>
<itemizedlist>
<listitem> <para>IPv4 packet marking is controlled by /etc/shorewall/mangle (Shorewall 4.6.0 and later) or by /etc/shorewall/tcrules</para> </listitem>
<listitem> <para>IPv6 packet marking is controlled by /etc/shorewall6/mangle (Shorewall 4.6.0 and later) or by /etc/shorewall6/tcrules</para> </listitem>
</itemizedlist> </section>
<section> <title>KEEP_RT_TABLES</title>
<para>Multi-ISP users will need to be aware of this one. When there are entries in the providers file, Shorewall normally installs a modified <filename>/etc/iproute2/rt_tables</filename> during <command>shorewall start</command> and <command>shorewall restart</command> and restores a default file during <command>shorewall stop</command>.
Setting KEEP_RT_TABLES=Yes in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) stops Shorewall (Shorewall lite) from modifying <filename>/etc/iproute2/rt_tables</filename>.</para>
<para>Shorewall6 is also capable of modifying <filename>/etc/iproute2/rt_tables</filename> in a similar way.</para>
<para>Our recommendation to Multi-ISP users is to:</para>
<itemizedlist>
<listitem> <para>Select the same names for similar providers.</para> </listitem>
<listitem> <para>Set KEEP_RT_TABLES=No in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and set KEEP_RT_TABLES=Yes in <ulink url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> </listitem>
</itemizedlist>
<para>These settings allow Shorewall to control the contents of <filename>/etc/iproute2/rt_tables</filename>.</para> </section>
<section> <title>6TO4</title>
<para>If you are using a 6to4 tunnel for your IPv6 connectivity, you need an entry in <filename>/etc/shorewall/tunnels</filename>.<programlisting>#TYPE   ZONE    GATEWAY         GATEWAY
#                               ZONE
6to4    net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para> </section> </section> </section>
<section> <title>Shorewall6 Differences from Shorewall</title>
<para>Configuring and operating Shorewall6 is very similar to configuring Shorewall with some notable exceptions:</para>
<variablelist>
<varlistentry> <term>No NAT</term> <listitem>
<para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't support any form of NAT). Most people consider this to be a giant step forward.</para>
<para>When an ISP assigns you an IPv6 address, you are actually assigned an IPv6 <firstterm>prefix</firstterm> (similar to a subnet). A 64-bit prefix defines a subnet with 4 billion hosts squared (the size of the IPv4 address space squared).
Regardless of the length of your prefix, you get to assign local addresses within that prefix.</para> </listitem> </varlistentry> <varlistentry> <term>Default Zone Type</term> <listitem> <para>The default zone type in Shorewall6 is <firstterm>ipv6</firstterm>. It is suggested that you specify <emphasis role="bold">ipv6</emphasis> in the TYPE column of <filename>/etc/shorewall6/zones</filename> and a type of <emphasis role="bold">ipv4</emphasis> in <filename>/etc/shorewall/zones</filename>; that way, if you run the wrong utility on a configuration, you will get an instant error.</para> </listitem> </varlistentry> <varlistentry> <term>Interface Options</term> <listitem> <para>The following interface options are available in <filename>/etc/shorewall6/interfaces</filename>:</para> <variablelist> <varlistentry> <term>blacklist</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry> <varlistentry> <term>bridge</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry> <varlistentry> <term>dhcp</term> <listitem> <para>Interface is assigned by IPv6 DHCP or the firewall hosts an IPv6 DHCP server on the interface.</para> </listitem> </varlistentry> <varlistentry> <term>maclist</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry> <varlistentry> <term>nosmurfs</term> <listitem> <para>Checks the source IP address of packets arriving on the interface and drops packets whose SOURCE address is:</para> <itemizedlist> <listitem> <para>An IPv6 multicast address</para> </listitem> <listitem> <para>The subnet-router anycast address for any of the global unicast addresses assigned to the interface.</para> </listitem> <listitem> <para>An RFC 2526 anycast address for any of the global unicast addresses assigned to the interface.</para> </listitem> </itemizedlist> </listitem> </varlistentry> <varlistentry> <term>optional</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry> <varlistentry> 
<term>routeback</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>sourceroute[={0|1}]</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>tcpflags</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>mss=<replaceable>mss</replaceable></term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>forward[={0|1}]</term> <listitem> <para>Override the setting of IP_FORWARDING in shorewall6.conf with respect to how the system behaves on this interface. If 1, behave as a router; if 0, behave as a host.</para> </listitem> </varlistentry>
</variablelist> </listitem> </varlistentry>
<varlistentry> <term>Host Options</term> <listitem>
<para>The following host options are available in <filename>/etc/shorewall6/hosts</filename>:</para>
<variablelist>
<varlistentry> <term>blacklist</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>maclist</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>routeback</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
<varlistentry> <term>tcpflags</term> <listitem> <para>Same as in Shorewall</para> </listitem> </varlistentry>
</variablelist> </listitem> </varlistentry>
<varlistentry> <term>Specifying Addresses</term> <listitem>
<para>Shorewall follows the usual convention of distinguishing IPv6 addresses by enclosing them in square brackets ("[" and "]").</para>
<para>Anywhere that an address or address list follows a colon (":"), the address or list may be enclosed in square brackets to improve readability.</para>
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
<programlisting>#ACTION SOURCE  DEST                        PROTO   DEST
#                                                   PORT(S)
ACCEPT  net     $FW:[2002:ce7c:92b4::3]     tcp     22</programlisting>
<para>When the colon is preceded by an
interface name, <emphasis>the brackets are required</emphasis>. This is true even when the address is a MAC address in Shorewall format.</para>
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
<programlisting>#ACTION SOURCE                          DEST    PROTO   DEST
#                                                       PORT(S)
ACCEPT  net:wlan0:[2002:ce7c:92b4::3]   $FW     tcp     22</programlisting>
<para>Prior to Shorewall 4.5.4, angled brackets ("&lt;" and "&gt;") were used. While these are still accepted, their use is deprecated in favor of square brackets.</para>
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
<programlisting>#ACTION SOURCE                          DEST    PROTO   DEST
#                                                       PORT(S)
ACCEPT  net:wlan0:&lt;2002:ce7c:92b4::3&gt;   $FW     tcp     22</programlisting>
<para>Prior to Shorewall 4.5.9, network addresses were required to be enclosed in either angle brackets or square brackets (e.g. [2001:470:b:787::/64]). Beginning with Shorewall 4.5.9, the more common representation that places the VLSM outside the brackets is accepted and preferred (e.g., [2001:470:b:787::]/64).</para>
<para>Beginning with Shorewall 4.5.14, the rules compiler translates "&lt;" and "&gt;" to "[" and "]" respectively before parsing. So square brackets may appear in error messages even when angled brackets were used.</para>
</listitem> </varlistentry>
<varlistentry> <term>Stopped State</term> <listitem>
<para>When Shorewall6 or Shorewall6 Lite is in the stopped state, the following traffic is still allowed.</para>
<itemizedlist>
<listitem> <para>Traffic with a multicast destination IP address (ff00::/8).</para> </listitem>
<listitem> <para>Traffic with a link local source address (fe80::/10)</para> </listitem>
<listitem> <para>Traffic with a link local destination address.</para> </listitem>
</itemizedlist> </listitem> </varlistentry>
<varlistentry> <term>Multi-ISP</term> <listitem>
<para>The Linux IPv6 stack does not support balancing (multi-hop) routes.
The <option>balance</option> and <option>fallback</option> options in <ulink url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5) and USE_DEFAULT_RT=Yes in <ulink url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are supported, but at most one provider can have the <option>balance</option> option and at most one provider can have the <option>fallback</option> option.</para> </listitem> </varlistentry>
<varlistentry> <term>/sbin/shorewall6 and /sbin/shorewall6-lite Commands</term> <listitem>
<para>Several commands supported by <filename>/sbin/shorewall</filename> and <filename>/sbin/shorewall-lite</filename> are not supported by <filename>/sbin/shorewall6</filename> and <filename>/sbin/shorewall6-lite</filename>:</para>
<itemizedlist>
<listitem> <para>hits</para> </listitem>
<listitem> <para>ipcalc</para> </listitem>
<listitem> <para>iprange</para> </listitem>
</itemizedlist> </listitem> </varlistentry>
<varlistentry> <term>Macros</term> <listitem>
<para>The Shorewall6 package depends on Shorewall-common for application macros. Only certain address-family specific macros such as macro.AllowICMPs are included in Shorewall6. As a consequence, /usr/share/shorewall/ is included in the default Shorewall6 CONFIG_PATH.</para>
</listitem> </varlistentry>
</variablelist> </section>
<section> <title>Installing IPv6 Support</title>
<para>You will need at least the following packages:</para>
<itemizedlist>
<listitem> <para>Shorewall 4.3.5 or later.</para> </listitem>
<listitem> <para>Shorewall6 4.3.5 or later.</para> </listitem>
</itemizedlist>
<para>You may also wish to install Shorewall6-lite 4.3.5 or later on your remote firewalls to allow for central IPv6 firewall administration.</para> </section>
<section> <title>More information about IPv6</title>
<para>I strongly suggest that you read the <ulink url="http://tldp.org/HOWTO/Linux+IPv6-HOWTO/">Linux IPv6 HOWTO</ulink>.
The <ulink url="6to4.htm">6to4 Tunnels</ulink> page also includes instructions for setting up your first IPv6 environment.</para>
<para>In addition to the Linux IPv6 HOWTO, I have found the following two books to be useful:</para>
<itemizedlist>
<listitem> <para><emphasis>IPv6 Essentials</emphasis>, Silvia Hagen, 2002, O'Reilly Media, Inc, ISBN 0-596-00125-8.</para> <para>O'Reilly published a second edition of this book in 2006.</para> </listitem>
<listitem> <para><emphasis>IPV6 Theory, Protocol, and Practice</emphasis>, Second Edition, Pete Loshin, 2004, Morgan-Kaufmann Publishers, ISBN 1-55860-820-9</para> </listitem>
</itemizedlist> </section> </article>