<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Shorewall IPv6 Support</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2008</year>

      <year>2009</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.3.5 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <section>
    <title>Overview</title>

    <para>Beginning with Shorewall 4.2.4, support for firewalling IPv6 is
    included as part of Shorewall.</para>

    <section>
      <title>Prerequisites</title>

      <para>In order to use Shorewall with IPv6, your firewall must meet the
      following prerequisites:</para>

      <orderedlist>
        <listitem>
          <para><ulink url="FAQ.htm#faq80a">Kernel 2.6.24 or
          later</ulink>.</para>
        </listitem>

        <listitem>
          <para>Iptables 1.4.0 or later (1.4.1.1 is strongly
          recommended)</para>
        </listitem>

        <listitem>
          <para>If you wish to include DNS names in your IPv6 configuration
          files, you must have Perl 5.10 and must install the Perl Socket6
          library.</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>Packages</title>

      <para>Shorewall IPv6 support introduced two new packages:</para>

      <orderedlist>
        <listitem>
          <para>Shorewall6. This package provides
          <filename>/sbin/shorewall6</filename> which is the IPv6 equivalent
          of <filename>/sbin/shorewall</filename>.
          <filename>/sbin/shorewall</filename> only handles IPv4 while
          <filename>/sbin/shorewall6</filename> handles only IPv6.. Shorewall6
          depends on Shorewall. The Shorewall6 configuration is stored in
          <filename class="directory">/etc/shorewall6</filename>.</para>
        </listitem>

        <listitem>
          <para>Shorewall6 Lite. This package is to IPv6 what Shorewall Lite
          is to IPv4. The package stores its configuration in <filename
          class="directory">/etc/shorewall6-lite</filename>. As with Shorewall
          Lite, Shorewall6 Lite usually requires no configuration changes on
          the firewall system.</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>IPv4/IPv6 Interaction</title>

      <para>IP connections are either IPv4 or IPv6; there is no such thing as
      a mixed IPv4/6 connecton. IPv4 connections are controlled by Shorewall
      (or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or
      Shorewall6-lite). Starting and stopping the firewall for one address
      family has no effect on the other address family.</para>

      <para>As a consequence, there is very little interaction between
      Shorewall and Shorewall6.</para>

      <section>
        <title>DISABLE_IPV6</title>

        <para>An obvious area where the configuration of Shorewall affects
        Shorewall6 is the DISABLE_IPV6 setting in
        <filename>/etc/shorewall/shorewall.conf</filename>. When configuring
        Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall
        or Shorewall-lite.</para>
      </section>

      <section>
        <title>TC_ENABLED</title>

        <para>Another area where their configurations overlap is in traffic
        shaping; the <filename>tcdevices</filename> and tcclasses files do
        exactly the same thing in both Shorewall and Shorewall6. Consequently,
        you will have TC_ENABLED=Internal in Shorewall or in Shorewall6 and
        TC_ENABLED=No in the other product. Also, you will want CLEAR_TC=No in
        the configuration with TC_ENABLED=No.</para>

        <para>Regardless of which product has TC_ENABLED=Internal:</para>

        <itemizedlist>
          <listitem>
            <para>IPv4 packet marking is controlled by /etc/shorewall/mangle
            (Shorewall 4.6.0 and later) or by /etc/shorewall/tcrules</para>
          </listitem>

          <listitem>
            <para>IPv6 packet marking is controlled by /etc/shorewall6/mangle
            (Shorewall 4.6.0 and later) or by /etc/shorewall6/tcrules</para>
          </listitem>
        </itemizedlist>
      </section>

      <section>
        <title>KEEP_RT_TABLES</title>

        <para>Multi-ISP users will need to be aware of this one. When there
        are entries in the providers file, Shorewall normally installs a
        modified <filename>/etc/iproute2/rt_tables</filename> during
        <command>shorewall start</command> and <command>shorewall
        restart</command> and restores a default file during
        <command>shorewall stop</command>. Setting KEEP_RT_TABLES=Yes in
        <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
        stops Shorewall (Shorewall lite) from modifying
        <filename>/etc/iproute2/rt_tables</filename>.</para>

        <para>Shorewall6 is also capable of modifying
        <filename>/etc/iproute2/rt_tables</filename> in a similar way.</para>

        <para>Our recommendation to Multi-ISP users is to:</para>

        <itemizedlist>
          <listitem>
            <para>Select the same names for similar providers.</para>
          </listitem>

          <listitem>
            <para>Set KEEP_RT_TABLES=No in <ulink
            url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
            set KEEP_RT_TABLES=Yes in <ulink
            url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          </listitem>
        </itemizedlist>

        <para>These setting allow Shorewall to control the contents of
        <filename>/etc/iproute2/rt_tables</filename>.</para>
      </section>

      <section>
        <title>6TO4</title>

        <para>If you are using a 6to4 tunnel for your IPv6 connectivity, you
        need an entry in
        <filename>/etc/shorewall/tunnels</filename>.<programlisting>#TYPE    ZONE    GATEWAY        GATEWAY
#                               ZONE
6to4     net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
      </section>
    </section>
  </section>

  <section>
    <title>Shorewall6 Differences from Shorewall</title>

    <para>Configuring and operating Shorewall6 is very similar to configuring
    Shorewall with some notable exceptions:</para>

    <variablelist>
      <varlistentry>
        <term>No NAT</term>

        <listitem>
          <para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
          support any form of NAT). Most people consider this to be a giant
          step forward.</para>

          <para>When an ISP assigns you an IPv6 address, you are actually
          assigned an IPv6 <firstterm>prefix</firstterm> (similar to a
          subnet). A 64-bit prefix defines a subnet with 4 billion hosts
          squared (the size of the IPv4 address space squared). Regardless of
          the length of your prefix, you get to assign local addresses within
          that prefix.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Default Zone Type</term>

        <listitem>
          <para>The default zone type in Shorewall6 is
          <firstterm>ipv6</firstterm>. It is suggested that you specify
          <emphasis role="bold">ipv6</emphasis> in the TYPE column of
          <filename>/etc/shorewall6/zones</filename> and a type of <emphasis
          role="bold">ipv4</emphasis> in
          <filename>/etc/shorewall/zones</filename>; that way, if you run the
          wrong utility on a configuration, you will get an instant
          error.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Interface Options</term>

        <listitem>
          <para>The following interface options are available in
          <filename>/etc/shorewall6/interfaces</filename>:</para>

          <variablelist>
            <varlistentry>
              <term>blacklist</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>bridge</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>dhcp</term>

              <listitem>
                <para>Interface is assigned by IPv6 DHCP or the firewall hosts
                an IPv6 DHCP server on the interface.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>maclist</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>nosmurfs</term>

              <listitem>
                <para>Checks the source IP address of packets arriving on the
                interface and drops packets whose SOURCE address is:</para>

                <itemizedlist>
                  <listitem>
                    <para>An IPv6 multicast address</para>
                  </listitem>

                  <listitem>
                    <para>The subnet-router anycast address for any of the
                    global unicast addresses assigned to the interface.</para>
                  </listitem>

                  <listitem>
                    <para>An RFC 2526 anycast address for any of the global
                    unicast addresses assigned to the interface.</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>optional</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>routeback</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>sourceroute[={0|1}]</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>tcpflags</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>mss=<replaceable>mss</replaceable></term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>forward[={0|1}]</term>

              <listitem>
                <para>Override the setting of IP_FORWARDING in shorewall6.conf
                with respect to how the system behaves on this interface. If
                1, behave as a router; if 0, behave as a host.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Host Options</term>

        <listitem>
          <para>The following host options are available in<filename>
          /etc/shorewall6/hosts</filename>:</para>

          <variablelist>
            <varlistentry>
              <term>blacklist</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>maclist</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>routeback</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>tcpflags</term>

              <listitem>
                <para>Same as in Shorewall</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Specifying Addresses</term>

        <listitem>
          <para>Shorewall follows the usual convention of distinguishing IPv6
          address by enclosing them in square brackets ("[" and "]").</para>

          <para>Anywhere that an address or address list follows a colon
          (":"), the address or list may be enclosed in square brackets to
          improve readability.</para>

          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>

          <programlisting>#ACTION        SOURCE              DEST                        PROTO          DEST
#                                                                             PORT(S)
ACCEPT         net                 $FW:[2002:ce7c:92b4::3]     tcp            22</programlisting>

          <para>When the colon is preceeded by an interface name,
          <emphasis>the angle brackets are required</emphasis>. This is true
          even when the address is a MAC address in Shorewall format.</para>

          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>

          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
#                                                                             PORT(S)
ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                          22</programlisting>

          <para>Prior to Shorewall 4.5.4, angled brackets ("&lt;" and "&gt;")
          were used. While these are still accepted, their use is deprecated
          in favor of square brackets.</para>

          <para>Example (<filename>/etc/shorewall6/rules</filename>):</para>

          <programlisting>#ACTION        SOURCE                            DEST          PROTO          DEST
#                                                                             PORT(S)
ACCEPT         net:wlan0:&lt;2002:ce7c:92b4::3&gt;     tcp                          22</programlisting>

          <para>Prior to Shorewall 4.5.9, network addresses were required to
          be enclosed in either angle brackets or square brackets (e.g.
          [2001:470:b:787::/64]). Beginning with Shorewall 4.5.9, the more
          common representation that places the VLSM outside the brackets is
          accepted and preferred (e.g., [2001:470:b:787::]/64).</para>

          <para>Beginning with Shorewall 4.5.14, the rules compiler translates
          "&lt;" and "&gt;" to "[" and "]" respectively before parsing. So
          square brackets may appear in error messages even when angled
          brackets were used.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Stopped State</term>

        <listitem>
          <para>When Shorewall6 or Shorewall6 Lite is in the stopped state,
          the following traffic is still allowed.</para>

          <itemizedlist>
            <listitem>
              <para>Traffic with a multicast destination IP address
              (ff00::/8).</para>
            </listitem>

            <listitem>
              <para>Traffic with a link local source address
              (ff800::/8)</para>
            </listitem>

            <listitem>
              <para>Traffic with a link local destination address.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Multi-ISP</term>

        <listitem>
          <para>The Linux IPv6 stack does not support balancing (multi-hop)
          routes. Thehe <option>balance</option> and <option>fallback</option>
          options in <ulink
          url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
          and USE_DEFAULT_RT=Yes in <ulink
          url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are
          supported, but at most one provider can have the
          <option>balance</option> option and at most one provider can have
          the <option>fallback</option> option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>/sbin/shorewall6 and /sbin/shorewall6-lite Commands</term>

        <listitem>
          <para>Several commands supported by
          <filename>/sbin/shorewall</filename> and
          <filename>/sbin/shorewall-lite</filename> are not supported by
          <filename>/sbin/shorewall6</filename> and
          <filename>/sbin/shorewall6-lite</filename>:</para>

          <itemizedlist>
            <listitem>
              <para>hits</para>
            </listitem>

            <listitem>
              <para>ipcalc</para>
            </listitem>

            <listitem>
              <para>iprange</para>
            </listitem>
          </itemizedlist>

          <para></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Macros</term>

        <listitem>
          <para>The Shorewall6 package depends on Shorewall-common for
          application macros. Only certain address-family specific macros such
          as macro.AllowICMPs are included in Shorewall6. As a consequence,
          /usr/share/shorewall/ is included in the default Shorewall6
          CONFIG_PATH.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>

  <section>
    <title>Installing IPv6 Support</title>

    <para>You will need at least the following packages:</para>

    <itemizedlist>
      <listitem>
        <para>Shorewall 4.3.5 or later.</para>
      </listitem>

      <listitem>
        <para>Shorewall6 4.3.5 or later.</para>
      </listitem>
    </itemizedlist>

    <para>You may also with to install Shorewall6-lite 4.3.5 or later on your
    remote firewalls to allow for central IPv6 firewall administration.</para>
  </section>

  <section>
    <title>More information about IPv6</title>

    <para>I strongly suggest that you read the<ulink
    url="http://tldp.org/HOWTO/Linux+IPv6-HOWTO/"> Linux IPv6 HOWTO</ulink>.
    The <ulink url="6to4.htm">6to4 Tunnels</ulink> page also includes
    instructions for setting up your first IPv6 environment.</para>

    <para>In addition to the Linux IPv6 HOWTO, I have found the following two
    books to be useful:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis>IPv6 Essentials</emphasis>, Silvia Hagen, 2002,
        O'Reilly Media, Inc, ISBN 0-596-00125-8.</para>

        <para>O'Reilly published a second edition of this book in 2006.</para>
      </listitem>

      <listitem>
        <para><emphasis>IPV6 Theory, Protocol, and Practice</emphasis>, Second
        Edition, Pete Loshin, 2004, Morgan-Kaufmann Publishers, IBSN
        1-55860-820-9</para>
      </listitem>
    </itemizedlist>
  </section>
</article>