Shorewall 4.3.2 ---------------------------------------------------------------------------- R E L E A S E 4 . 3 H I G H L I G H T S ---------------------------------------------------------------------------- 1) Support is included for IPv6. Problems Corrected in 4.3.2 None. Other changes in 4.3.2 1) The 'dhcp' option has been added to accomodate IPv6 DHCP (UDP ports 546 and 547). 2) The 'allowBcast' and 'dropBcast' builtin actions have been added to Shorewall6. Respectively, they accept or silently drop packets with an anycast or multicast destination address. 3) The nosmurfs option has been added to /etc/shorewall8/interfaces. The option drops incoming packets whose source address is an anycast or multicast addreess. Migration Issues. None. New Features in Shorewall 4.3 1) Two new packages are included: a) Shorewall6 - analagous to Shorewall-common but handles IPv6 rather than IPv4. b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6 rather than IPv4. The packages store their configurations in /etc/shorewall6/ and /etc/shorewall6-lite/ respectively. The fact that the packages are separate from their IPv4 counterparts means that you control IPv4 and IPv6 traffic separately (the same way that Netfilter does). Starting/Stopping the firewall for one address family has no effect on the other address family. Other features of Shorewall6 are: a) There is no NAT of any kind (most people see this as a giant step forward). When an ISP assigns you a public IPv6 address, you are actually assigned an IPv6 'prefix' which is like an IPv4 subnet. A 64-bit prefix allows 4 billion squared individual hosts (the size of the current IPv4 address space squared). b) The default zone type is ipv6. c) The currently-supported interface options in Shorewall6 are: blacklist bridge dhcp optional routeback sourceroute tcpflags mss forward (setting it to 0 makes the router behave like a host on that interface rather than like a router). d) The currently-supported host options in Shorewall6 are: blacklist routeback tcpflags e) Traffic Shaping and Multi-ISP support are currently disabled. Packet marking and connection marking are available to feed your current traffic shaping defined in Shorewall. f) When both an interface and an address or address list need to be specified in a rule, the address or list must be enclosed in square brackets. Example: ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz Note that this includes MAC addresses as well as IPv6 addresses. The HOSTS column in /etc/shorewall6/hosts also uses this convention: #ZONE HOSTS OPTIONS chat6 eth0:[2001:19f0:feee::dead:beef:cafe] Even when an interface is not specified, it is permitted to enclose addresses in [] to improve readability. Example: #ACTION SOURCE DEST ACCEPT net:[2001:1::1] $FW g) There are currently no Shorewall6 or Shorewall6-lite manpages. h) The options available in shorewall6.conf are a subset of those available in shorewall.conf. i) The Socket6.pm Perl module is required if you include DNS names in your Shorewall6 configuration. Note that it is loaded the first time that a DNS name is encountered so if it is missing, you get a message similar to this one: ... Checking /etc/shorewall6/rules... Can't locate Socket6.pm in @INC (@INC contains: /root ... teastep@ursa:~/Configs/standalone6$