Shorewall IPv6 Support
Tom Eastep
2008
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation License.
Overview
Beginning with a future Shorewall 4.2.x release, support for
firewalling IPv6 will be included. In the meantime, the support is
available in the 4.3 development releases.
Prerequisites
In order to use Shorewall with IPv6, your firewall must meet the
following prerequisites:
Kernel 2.6.25 or later.
Iptables 1.4.0 or later (1.4.1.1 is strongly recommended)
If you wish to include DNS names in your IPv6 configuration
files, you must have Perl 5.10 and must install the Perl Socket6
library.
Packages
Shorewall IPv6 support introduced two new packages:
Shorewall6. This package provides
/sbin/shorewall6, the IPv6 equivalent of
/sbin/shorewall, which handles only IPv4.
Shorewall6 depends on both Shorewall-common and on Shorewall-perl.
The Shorewall6 configuration is stored in /etc/shorewall6.
Shorewall6 Lite. This package is to IPv6 what Shorewall Lite
is to IPv4. The package stores its configuration in /etc/shorewall6-lite.
IPv4/IPv6 Interaction
IP connections are either IPv4 or IPv6; there is no such thing as
a mixed IPv4/6 connection. IPv4 connections are controlled by Shorewall
(or Shorewall-lite); IPv6 connections are controlled by Shorewall6 (or
Shorewall6-lite). Starting and stopping the firewall for one address
family has no effect on the other address family.
As a consequence, there is very little interaction between
Shorewall and Shorewall6.
DISABLE_IPV6
An obvious area where the configuration of Shorewall affects
Shorewall6 is the DISABLE_IPV6 setting in
/etc/shorewall/shorewall.conf. When configuring
Shorewall6, you will want to set DISABLE_IPV6=No and restart Shorewall
or Shorewall-lite.
TC_ENABLED
Another area where their configurations overlap is in traffic
shaping; the tcdevices and tcclasses files do
exactly the same thing in both Shorewall and Shorewall6. Consequently,
you will have TC_ENABLED=Internal in either Shorewall or Shorewall6 and
TC_ENABLED=No in the other product. Also, you will want CLEAR_TC=No in
the configuration that has TC_ENABLED=No, so that stopping that product
does not clear the traffic shaping installed by the other.
Regardless of which product has TC_ENABLED=Internal:
IPv4 packet marking is controlled by
/etc/shorewall/tcrules
IPv6 packet marking is controlled by
/etc/shorewall6/tcrules
KEEP_RT_TABLES
Multi-ISP users will need to be aware of this one. When there
are entries in the providers file, Shorewall normally installs a
modified /etc/iproute2/rt_tables during
shorewall start and shorewall
restart and restores a default file during
shorewall stop. Setting KEEP_RT_TABLES=Yes in
shorewall.conf(5)
stops Shorewall (Shorewall lite) from modifying
/etc/iproute2/rt_tables.
Shorewall6 is also capable of modifying
/etc/iproute2/rt_tables in a similar way.
Our recommendation to Multi-ISP users is to:
Select the same names for similar providers.
Set KEEP_RT_TABLES=No in shorewall.conf(5) and
set KEEP_RT_TABLES=Yes in shorewall6.conf(5).
These settings allow Shorewall to control the contents of
/etc/iproute2/rt_tables.
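The DISABLE_IPV6, TC_ENABLED/CLEAR_TC and KEEP_RT_TABLES rules above are easy to get wrong when two products share a firewall. The following Python checker is an added example, not part of this document or of Shorewall; the two conf fragments are constructed samples (deliberately misconfigured), and the checker treats an unset setting as a finding so that each value is made explicit.

```python
import re

# Constructed sample fragments of the two conf files, deliberately misconfigured.
SHOREWALL_CONF = """\
# /etc/shorewall/shorewall.conf (constructed sample)
DISABLE_IPV6=Yes
TC_ENABLED=Internal
CLEAR_TC=Yes
KEEP_RT_TABLES=No
"""
SHOREWALL6_CONF = """\
# /etc/shorewall6/shorewall6.conf (constructed sample)
TC_ENABLED=Internal
CLEAR_TC=Yes
KEEP_RT_TABLES=No
"""

# NAME=value or NAME="value"; anything after a '#' is ignored.
_SETTING = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=("?)([^"#]*)\2')

def parse_conf(text):
    """Return {NAME: value} with values lower-cased for comparison."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(3).strip().lower()
    return settings

def check_pair(v4_text, v6_text):
    """List settings that contradict the interaction rules; [] means consistent."""
    confs = (('shorewall.conf', parse_conf(v4_text)),
             ('shorewall6.conf', parse_conf(v6_text)))
    v4, v6 = confs[0][1], confs[1][1]
    problems = []
    if v4.get('DISABLE_IPV6', '') != 'no':
        problems.append('shorewall.conf: DISABLE_IPV6 must be No while Shorewall6 is in use')
    if sum(c.get('TC_ENABLED', '') == 'internal' for _, c in confs) != 1:
        problems.append('TC_ENABLED=Internal belongs in exactly one of the two files')
    for name, c in confs:
        if c.get('TC_ENABLED', '') not in ('internal', 'no'):
            problems.append(f'{name}: TC_ENABLED must be Internal or No')
        if c.get('TC_ENABLED', '') == 'no' and c.get('CLEAR_TC', '') != 'no':
            problems.append(f'{name}: CLEAR_TC must be No where TC_ENABLED=No')
    if v4.get('KEEP_RT_TABLES', '') != 'no':
        problems.append('shorewall.conf: recommended KEEP_RT_TABLES=No')
    if v6.get('KEEP_RT_TABLES', '') != 'yes':
        problems.append('shorewall6.conf: recommended KEEP_RT_TABLES=Yes')
    return problems
```

Running check_pair on the two samples reports three findings (DISABLE_IPV6, duplicate TC_ENABLED=Internal, and KEEP_RT_TABLES in shorewall6.conf).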
Shorewall6 Differences from Shorewall
Configuring Shorewall6 is very similar to configuring Shorewall with
some notable exceptions:
No NAT
In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
support any form of NAT). Most people consider this to be a giant
step forward.
When an ISP assigns you an IPv6 address, you are actually
assigned an IPv6 prefix (similar to a
subnet). A 64-bit prefix defines a subnet with 4 billion hosts
squared (the size of the IPv4 address space squared). Regardless of
the length of your prefix, you get to assign local addresses within
that prefix.
Default Zone Type
The default zone type in Shorewall6 is
ipv6. It is suggested that you specify
ipv6 in the TYPE column of
/etc/shorewall6/zones and a type of ipv4 in
/etc/shorewall/zones; that way, if you run the
wrong utility on a configuration, you will get an instant
error.
Interface Options
The following interface options are available in
/etc/shorewall6/interfaces:
blacklist
Same as in Shorewall
bridge
Same as in Shorewall
dhcp
The interface's address is assigned by IPv6 DHCP, or the firewall
hosts an IPv6 DHCP server on the interface.
maclist
Same as in Shorewall
nosmurfs
Checks the source IP address of packets arriving on the
interface and drops packets whose SOURCE address is:
An IPv6 multicast address
The subnet-router anycast address for any of the
global unicast addresses assigned to the interface.
An RFC 2526 anycast address for any of the global
unicast addresses assigned to the interface.
optional
Same as in Shorewall
routeback
Same as in Shorewall
sourceroute[={0|1}]
Same as in Shorewall
tcpflags
Same as in Shorewall
mss=mss
Same as in Shorewall
forward[={0|1}]
Override the setting of IP_FORWARDING in shorewall6.conf
with respect to how the system behaves on this interface. If
1, behave as a router; if 0, behave as a host.
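To make the nosmurfs list concrete, the following Python works out which source addresses the option would drop for a given set of interface addresses. It is an added example, not part of this document or of Shorewall's own implementation; it assumes 64-bit prefixes with EUI-64 format interface identifiers, for which RFC 2526 reserves the identifiers fdff:ffff:ffff:ff80 through fdff:ffff:ffff:ffff, and takes the interface's global unicast addresses as 'addr/64' strings supplied by the caller. The sample address is constructed.

```python
import ipaddress

MULTICAST = ipaddress.IPv6Network('ff00::/8')
# RFC 2526 reserved subnet-anycast interface identifiers (EUI-64 format):
# the 57 high bits are 1111110111...1 and the low 7 bits carry the anycast id.
RFC2526_IID_BASE = 0xfdffffffffffff80

def anycast_ranges(interface_addr):
    """Return (subnet-router, rfc2526) anycast networks for one global 'addr/64'.

    Only /64 prefixes are handled (assumption); RFC 2526 lays out the reserved
    range differently for other prefix lengths, so raise rather than guess.
    """
    iface = ipaddress.IPv6Interface(interface_addr)
    if iface.network.prefixlen != 64:
        raise ValueError(f'{interface_addr}: only /64 prefixes handled here')
    prefix = int(iface.network.network_address)          # low 64 bits are zero
    subnet_router = ipaddress.IPv6Network((prefix, 128))  # prefix::/128 (RFC 4291)
    rfc2526 = ipaddress.IPv6Network((prefix | RFC2526_IID_BASE, 121))
    return subnet_router, rfc2526

def smurf_reason(source, interface_addrs):
    """Explain why nosmurfs would drop a packet from `source`, or return None."""
    src = ipaddress.IPv6Address(source)
    if src in MULTICAST:
        return 'multicast source'
    for a in interface_addrs:
        subnet_router, rfc2526 = anycast_ranges(a)
        if src in subnet_router:
            return f'subnet-router anycast of {a}'
        if src in rfc2526:
            return f'RFC 2526 anycast of {a}'
    return None

if __name__ == '__main__':
    # Constructed sample: one global address on the interface.
    addrs = ['2002:ce7c:92b4::3/64']
    for s in ('ff02::1', '2002:ce7c:92b4::', '2002:ce7c:92b4:0:fdff:ffff:ffff:ffff',
              '2002:ce7c:92b4::3'):
        print(s, '->', smurf_reason(s, addrs) or 'accepted')
```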
Host Options
The following host options are available in
/etc/shorewall6/hosts:
blacklist
Same as in Shorewall
maclist
Same as in Shorewall
routeback
Same as in Shorewall
tcpflags
Same as in Shorewall
Specifying Addresses
Anywhere that an address or address list follows a colon
(":"), the address or list may be enclosed in angled brackets
("<" and ">") to improve readability.
Example (/etc/shorewall6/rules):
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net $FW:<2002:ce7c:92b4::3> tcp 22
When the colon is preceded by an interface name,
the angle brackets are required. This is true
even when the address is a MAC address in Shorewall format.
Example (/etc/shorewall6/rules):
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
ACCEPT net:wlan0:<2002:ce7c:92b4::3> tcp 22
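The reason the brackets become mandatory after an interface name is that an IPv6 address itself contains colons, so zone:interface:address cannot be split unambiguously. The following Python parser for the SOURCE/DEST column is an added example, not Shorewall's own code; it accepts the two forms shown above plus zone-only and zone:interface, and rejects the ambiguous unbracketed form. Support for exclusions ("!") is left out.

```python
import ipaddress
import re

# Shorewall-format MAC address (~xx-xx-xx-xx-xx-xx) and a plain interface name.
_MAC = re.compile(r'^~[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}$')
_IFACE = re.compile(r'^[A-Za-z0-9_.+-]+$')

def _is_address(token):
    """True for an IPv6 host address, an IPv6 prefix, or a Shorewall-format MAC."""
    if _MAC.match(token):
        return True
    try:
        return ipaddress.ip_network(token, strict=False).version == 6
    except ValueError:
        return False

def parse_endpoint(spec):
    """Split a shorewall6 SOURCE/DEST value into (zone, interface, [addresses]).

    interface is None when none is given.  Raises ValueError for the ambiguous
    form zone:iface:addr, since the colons inside an IPv6 address leave no way
    to tell where the interface name ends; the angle brackets resolve this.
    """
    zone, sep, rest = spec.partition(':')
    if not sep:
        return zone, None, []
    iface = None
    if '<' in rest and not rest.startswith('<'):
        iface, _, rest = rest.partition(':')      # net:wlan0:<...>
    if rest.startswith('<'):
        if not rest.endswith('>'):
            raise ValueError(f'{spec!r}: unbalanced angle brackets')
        addrs = rest[1:-1].split(',')
    elif all(_is_address(a) for a in rest.split(',')):
        addrs = rest.split(',')                   # $FW:2002:ce7c:92b4::3 (no interface)
    elif _IFACE.match(rest):
        return zone, rest, []                     # net:eth0 (interface only)
    else:
        raise ValueError(f'{spec!r}: an interface name must be followed by <address-list>')
    bad = [a for a in addrs if not _is_address(a)]
    if bad:
        raise ValueError(f'{spec!r}: not an IPv6 address or MAC: {bad}')
    return zone, iface, addrs

def endpoint_error(spec):
    """Return the ValueError text for a malformed spec, or None when it parses."""
    try:
        parse_endpoint(spec)
        return None
    except ValueError as err:
        return str(err)
```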
Installing IPv6 Support
You will need at least the following packages:
Shorewall-common 4.3.4 or later.
Shorewall-perl 4.3.4 or later.
Shorewall6 4.3.4 or later.
You may also wish to install Shorewall6-lite 4.3.4 or later on your
remote firewalls to allow for central IPv6 firewall administration.