mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-20 21:30:44 +01:00
a1e46b68f0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
560 lines
18 KiB
XML
560 lines
18 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall IPv6 Support</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2008</year>
|
|
|
|
<year>2009</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<caution>
|
|
<para><emphasis role="bold">This article applies to Shorewall 4.3 and
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
|
4.3.5 then please see the documentation for that
|
|
release.</emphasis></para>
|
|
</caution>
|
|
|
|
<section>
|
|
<title>Overview</title>
|
|
|
|
<para>Beginning with Shorewall 4.2.4, support for firewalling IPv6 is
|
|
included as part of Shorewall.</para>
|
|
|
|
<section>
|
|
<title>Prerequisites</title>
|
|
|
|
<para>In order to use Shorewall with IPv6, your firewall must meet the
|
|
following prerequisites:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para><ulink url="FAQ.htm#faq80a">Kernel 2.6.24 or
|
|
later</ulink>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Iptables 1.4.0 or later (1.4.1.1 is strongly
|
|
recommended)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you wish to include DNS names in your IPv6 configuration
|
|
files, you must have Perl 5.10 and must install the Perl Socket6
|
|
library.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Packages</title>
|
|
|
|
<para>Shorewall IPv6 support introduced two new packages:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Shorewall6. This package provides
|
|
<filename>/sbin/shorewall6</filename> which is the IPv6 equivalent
|
|
of <filename>/sbin/shorewall</filename>.
|
|
<filename>/sbin/shorewall</filename> only handles IPv4 while
|
|
<filename>/sbin/shorewall6</filename> handles only IPv6.. Shorewall6
|
|
depends on Shorewall. The Shorewall6 configuration is stored in
|
|
<filename class="directory">/etc/shorewall6</filename>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Shorewall6 Lite. This package is to IPv6 what Shorewall Lite
|
|
is to IPv4. The package stores its configuration in <filename
|
|
class="directory">/etc/shorewall6-lite</filename>. As with Shorewall
|
|
Lite, Shorewall6 Lite usually requires no configuration changes on
|
|
the firewall system.</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IPv4/IPv6 Interaction</title>
|
|
|
|
<para>IP connections are either IPv4 or IPv6; there is no such thing as
|
|
a mixed IPv4/6 connecton. IPv4 connections are controlled by Shorewall
|
|
(or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or
|
|
Shorewall6-lite). Starting and stopping the firewall for one address
|
|
family has no effect on the other address family.</para>
|
|
|
|
<para>As a consequence, there is very little interaction between
|
|
Shorewall and Shorewall6.</para>
|
|
|
|
<section>
|
|
<title>DISABLE_IPV6</title>
|
|
|
|
<para>An obvious area where the configuration of Shorewall affects
|
|
Shorewall6 is the DISABLE_IPV6 setting in
|
|
<filename>/etc/shorewall/shorewall.conf</filename>. When configuring
|
|
Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall
|
|
or Shorewall-lite.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>TC_ENABLED</title>
|
|
|
|
<para>Another area where their configurations overlap is in traffic
|
|
shaping; the <filename>tcdevices</filename> and tcclasses files do
|
|
exactly the same thing in both Shorewall and Shorewall6. Consequently,
|
|
you will have TC_ENABLED=Internal in Shorewall or in Shorewall6 and
|
|
TC_ENABLED=No in the other product. Also, you will want CLEAR_TC=No in
|
|
the configuration with TC_ENABLED=No.</para>
|
|
|
|
<para>Regardless of which product has TC_ENABLED=Internal:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>IPv4 packet marking is controlled by
|
|
/etc/shorewall/tcrules</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>IPv6 packet marking is controlled by
|
|
/etc/shorewall6/tcrules</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>KEEP_RT_TABLES</title>
|
|
|
|
<para>Multi-ISP users will need to be aware of this one. When there
|
|
are entries in the providers file, Shorewall normally installs a
|
|
modified <filename>/etc/iproute2/rt_tables</filename> during
|
|
<command>shorewall start</command> and <command>shorewall
|
|
restart</command> and restores a default file during
|
|
<command>shorewall stop</command>. Setting KEEP_RT_TABLES=Yes in
|
|
<ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
|
|
stops Shorewall (Shorewall lite) from modifying
|
|
<filename>/etc/iproute2/rt_tables</filename>.</para>
|
|
|
|
<para>Shorewall6 is also capable of modifying
|
|
<filename>/etc/iproute2/rt_tables</filename> in a similar way.</para>
|
|
|
|
<para>Our recommendation to Multi-ISP users is to:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Select the same names for similar providers.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Set KEEP_RT_TABLES=No in <ulink
|
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
|
|
set KEEP_RT_TABLES=Yes in <ulink
|
|
url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>These setting allow Shorewall to control the contents of
|
|
<filename>/etc/iproute2/rt_tables</filename>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>6TO4</title>
|
|
|
|
<para>If you are using a 6to4 tunnel for your IPv6 connectivity, you
|
|
need an entry in
|
|
<filename>/etc/shorewall/tunnels</filename>.<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
|
# ZONE
|
|
6to4 net
|
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
</section>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall6 Differences from Shorewall</title>
|
|
|
|
<para>Configuring and operating Shorewall6 is very similar to configuring
|
|
Shorewall with some notable exceptions:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>No NAT</term>
|
|
|
|
<listitem>
|
|
<para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
|
|
support any form of NAT). Most people consider this to be a giant
|
|
step forward.</para>
|
|
|
|
<para>When an ISP assigns you an IPv6 address, you are actually
|
|
assigned an IPv6 <firstterm>prefix</firstterm> (similar to a
|
|
subnet). A 64-bit prefix defines a subnet with 4 billion hosts
|
|
squared (the size of the IPv4 address space squared). Regardless of
|
|
the length of your prefix, you get to assign local addresses within
|
|
that prefix.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Default Zone Type</term>
|
|
|
|
<listitem>
|
|
<para>The default zone type in Shorewall6 is
|
|
<firstterm>ipv6</firstterm>. It is suggested that you specify
|
|
<emphasis role="bold">ipv6</emphasis> in the TYPE column of
|
|
<filename>/etc/shorewall6/zones</filename> and a type of <emphasis
|
|
role="bold">ipv4</emphasis> in
|
|
<filename>/etc/shorewall/zones</filename>; that way, if you run the
|
|
wrong utility on a configuration, you will get an instant
|
|
error.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Interface Options</term>
|
|
|
|
<listitem>
|
|
<para>The following interface options are available in
|
|
<filename>/etc/shorewall6/interfaces</filename>:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>blacklist</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>bridge</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>dhcp</term>
|
|
|
|
<listitem>
|
|
<para>Interface is assigned by IPv6 DHCP or the firewall hosts
|
|
an IPv6 DHCP server on the interface.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>maclist</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>nosmurfs</term>
|
|
|
|
<listitem>
|
|
<para>Checks the source IP address of packets arriving on the
|
|
interface and drops packets whose SOURCE address is:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>An IPv6 multicast address</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The subnet-router anycast address for any of the
|
|
global unicast addresses assigned to the interface.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>An RFC 2526 anycast address for any of the global
|
|
unicast addresses assigned to the interface.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>optional</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>routeback</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>sourceroute[={0|1}]</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>tcpflags</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>mss=<replaceable>mss</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>forward[={0|1}]</term>
|
|
|
|
<listitem>
|
|
<para>Override the setting of IP_FORWARDING in shorewall6.conf
|
|
with respect to how the system behaves on this interface. If
|
|
1, behave as a router; if 0, behave as a host.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Host Options</term>
|
|
|
|
<listitem>
|
|
<para>The following host options are available in<filename>
|
|
/etc/shorewall6/hosts</filename>:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>blacklist</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>maclist</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>routeback</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>tcpflags</term>
|
|
|
|
<listitem>
|
|
<para>Same as in Shorewall</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Specifying Addresses</term>
|
|
|
|
<listitem>
|
|
<para>Anywhere that an address or address list follows a colon
|
|
(":"), the address or list may be enclosed in angled brackets
|
|
("<" and ">") to improve readability.</para>
|
|
|
|
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net $FW:<2002:ce7c:92b4::3> tcp 22</programlisting>
|
|
|
|
<para>When the colon is preceeded by an interface name,
|
|
<emphasis>the angle brackets are required</emphasis>. This is true
|
|
even when the address is a MAC address in Shorewall format.</para>
|
|
|
|
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net:wlan0:<2002:ce7c:92b4::3> tcp 22</programlisting>
|
|
|
|
<para>Beginning with Shorewall 4.4.6 and 4.5.4, square brackets ("["
|
|
and "]") may also be used.</para>
|
|
|
|
<para>Example (<filename>/etc/shorewall6/rules</filename>):</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
|
# PORT(S)
|
|
ACCEPT net:wlan0:[2002:ce7c:92b4::3] tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Stopped State</term>
|
|
|
|
<listitem>
|
|
<para>When Shorewall6 or Shorewall6 Lite is in the stopped state,
|
|
the following traffic is still allowed.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Traffic with a multicast destination IP address
|
|
(ff00::/8).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Traffic with a link local source address
|
|
(ff800::/8)</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Traffic with a link local destination address.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Multi-ISP</term>
|
|
|
|
<listitem>
|
|
<para>The Linux IPv6 stack does not support balancing (multi-hop)
|
|
routes. Hence, neither the <option>balance</option> option in <ulink
|
|
url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
|
|
nor USE_DEFAULT_RT=Yes in <ulink
|
|
url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) is
|
|
supported.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>/sbin/shorewall6 and /sbin/shorewall6-lite Commands</term>
|
|
|
|
<listitem>
|
|
<para>Several commands supported by
|
|
<filename>/sbin/shorewall</filename> and
|
|
<filename>/sbin/shorewall-lite</filename> are not supported by
|
|
<filename>/sbin/shorewall6</filename> and
|
|
<filename>/sbin/shorewall6-lite</filename>:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>hits</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>ipcalc</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>iprange</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>Macros</term>
|
|
|
|
<listitem>
|
|
<para>The Shorewall6 package depends on Shorewall-common for
|
|
application macros. Only certain address-family specific macros such
|
|
as macro.AllowICMPs are included in Shorewall6. As a consequence,
|
|
/usr/share/shorewall/ is included in the default Shorewall6
|
|
CONFIG_PATH.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Installing IPv6 Support</title>
|
|
|
|
<para>You will need at least the following packages:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Shorewall 4.3.5 or later.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Shorewall6 4.3.5 or later.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>You may also with to install Shorewall6-lite 4.3.5 or later on your
|
|
remote firewalls to allow for central IPv6 firewall administration.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>More information about IPv6</title>
|
|
|
|
<para>I strongly suggest that you read the<ulink
|
|
url="http://tldp.org/HOWTO/Linux+IPv6-HOWTO/"> Linux IPv6 HOWTO</ulink>.
|
|
The <ulink url="6to4.htm">6to4 Tunnels</ulink> page also includes
|
|
instructions for setting up your first IPv6 environment.</para>
|
|
|
|
<para>In addition to the Linux IPv6 HOWTO, I have found the following two
|
|
books to be useful:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis>IPv6 Essentials</emphasis>, Silvia Hagen, 2002,
|
|
O'Reilly Media, Inc, ISBN 0-596-00125-8.</para>
|
|
|
|
<para>O'Reilly published a second edition of this book in 2006.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><emphasis>IPV6 Theory, Protocol, and Practice</emphasis>, Second
|
|
Edition, Pete Loshin, 2004, Morgan-Kaufmann Publishers, IBSN
|
|
1-55860-820-9</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</article>
|