From: Paul G. <pa...@ge...> - 2005-01-06 09:19:21
Tom Eastep wrote:
> As 2.2.0 is nearing release, I've begun to think about what I'll do for
> 2.3 and I think that it is time for Shorewall to add support for IPV6.
>
> Because of parsing ambiguities, the need to maintain upward
> compatibility with both Shorewall and 6Wall, and different available
> functionality in IPV4 and IPV6 Netfilter, I believe that it is going to
> be necessary for some files to be split into two (there will be separate
> IPV4 and IPV6 rules files for example). The questions that I have are:
>
> a) Should the IPV4 and IPV6 configurations be in the same directory (I
> think so) or should there be separate IPV4 and IPV6 configuration
> directories.
>
> b) Should there be a single POLICY for traffic between each ordered pair
> of zones or should there be separate IPV4 and IPV6 policies?
>
> c) If I can resolve parsing and other issues, should I always attempt to
> have a single file rather than two (I think so)?

My general approach to any future IPv6 upgrade is that I see IPv6 as a different addressing scheme, but it shouldn't make my network work much differently. I'll still have the same zones and the same rules between them, just different addresses in them. Therefore, I think IPv6 should be supported in as similar a manner as possible to IPv4. Thus I think we should use the same zones, with the same policies and rules, in the same files, as far as practical.

I think the most important thing to keep in mind when extending/changing Shorewall is its motto: "Making iptables easy". (Perhaps we need to modify that slightly now and call it "Making ip(6)?tables easy"? :-) Shorewall's strength is that it lets me throw the nuts & bolts in at the beginning, and forget about them after that and concentrate on high-level policies and rules - if you keep that as the goal, then most decisions should make themselves.
I'm not aware of any consumer-grade ISPs in Australia that support IPv6, so I'm not anticipating needing to use IPv6 in the medium term; nonetheless it will be interesting to see how it pans out in Shorewall.

As an aside, can anyone point me to some doco about the IPv6 equivalents of NAT and ICMP REJECTs? I'm struggling to understand how life can go on without IP masquerading. :-)

--
Paul <http://paulgear.webhop.net>
--
If at first you don't succeed, try, try again. If at first you do succeed, carefully check your success metrics for accuracy.