From: Tom E. <te...@sh...> - 2005-01-06 15:58:17
On Thu, 2005-01-06 at 19:11 +1000, Paul Gear wrote:
>
> My general approach to any future IPv6 upgrade is that I see IPv6 as a
> different addressing scheme, but it shouldn't make my network work much
> differently. I'll still have the same zones and the same rules between
> them, just different addresses in them. Therefore, I think IPv6 should
> be supported in as similar a manner as possible to IPv4. Thus I think
> we should use the same zones, with the same policies and rules, in
> the same files, as far as practical.

Possibly this isn't as hard as I'm trying to make it. If I look at the rules file, for example, the SOURCE and DEST columns are the only ones that are problematic. If we allow both ":" and "/" as separators before the IP address *and require the use of "/" if the address is IPV6*, then I believe we might be able to keep existing rules.

> As an aside, can anyone point me to some doco about the IPv6 equivalents
> of NAT and ICMP REJECTs? I'm struggling to understand how life can go
> on without IP masquerading. :-)

I'll let you know after I read the two books I referred to in my previous post :-). Note that there is an IPV6 REJECT target available in Patch-o-matic and I assume that will be part of the kernel.org distributions before I release the Shorewall IPV6 code (it's in iptables 1.2.11 so it should be in the kernel before too long -- FLW).

    REJECT options:
      --reject-with type        drop input packet and send back a reply
                                packet according to type:

    Valid reject types:
        icmp6-no-route            ICMPv6 no route
        no-route                  alias
        icmp6-adm-prohibited      ICMPv6 administratively prohibited
        adm-prohibited            alias
        icmp6-addr-unreachable    ICMPv6 address unreachable
        addr-unreach              alias
        icmp6-port-unreachable    ICMPv6 port unreachable
        port-unreach              alias
        tcp-reset                 TCP RST packet
        tcp-reset                 alias

I think that there was some NAT code floating around as well but it may have gotten squashed.
-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA      \ te...@sh...
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
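The separator rule Tom proposes above (":" or "/" before an IPv4 address, "/" mandatory before an IPv6 address) can be checked with a small parser. The following is an added example written for this archive page, not Shorewall's own code: the zone-name pattern, the rule-line layout (ACTION SOURCE DEST PROTO DPORT) and the sample rules are all assumptions constructed for the illustration. It shows why the rule matters: an IPv6 address contains ":" itself, so "net:2001:db8::1" cannot be split unambiguously, while "net/2001:db8::1" can, and existing IPv4 entries such as "net:192.0.2.0/24" keep working unchanged.

```python
"""Added example (not Shorewall's own parser): a hypothetical SOURCE/DEST
column parser that accepts ':' or '/' before an IPv4 address but requires '/'
before an IPv6 address, so existing IPv4 rules keep working while IPv6
addresses (which contain ':') stay unambiguous."""
import ipaddress
import re

# Assumed zone-name shape for this example; Shorewall's real rules may differ.
ZONE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9]*$')


def parse_zone_address(column):
    """Return (zone, network_or_None) for one SOURCE/DEST column entry.

    The first ':' or '/' introduces the address.  An IPv6 address must
    follow '/', because ':' is part of the address and the split would
    otherwise be ambiguous.  Raises ValueError on ambiguous or invalid input.
    """
    m = re.search(r'[:/]', column)
    if m is None:
        zone, sep, rest = column, None, None
    else:
        zone, sep, rest = column[:m.start()], m.group(), column[m.end():]
    if not ZONE_RE.match(zone):
        raise ValueError(f'bad zone name {zone!r} in {column!r}')
    if sep is None:
        return zone, None
    try:
        # strict=False accepts both host addresses and CIDR networks
        net = ipaddress.ip_network(rest, strict=False)
    except ValueError as e:
        raise ValueError(f'bad address {rest!r} in {column!r}: {e}') from None
    if sep == ':' and net.version == 6:
        raise ValueError(f'{column!r}: IPv6 addresses must follow "/" not ":"')
    return zone, net


def parse_rule(line):
    """Parse one 'ACTION SOURCE DEST [PROTO [DPORT]]' rule line into a dict."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f'rule needs ACTION SOURCE DEST: {line!r}')
    action, src, dst = fields[:3]
    proto = fields[3] if len(fields) > 3 else '-'
    dport = fields[4] if len(fields) > 4 else '-'
    szone, snet = parse_zone_address(src)
    dzone, dnet = parse_zone_address(dst)
    return {'action': action, 'src_zone': szone, 'src_net': snet,
            'dst_zone': dzone, 'dst_net': dnet, 'proto': proto, 'dport': dport}


# Constructed sample rules file: existing IPv4 syntax alongside IPv6 entries.
# The last line deliberately uses ':' before an IPv6 address and must be rejected.
SAMPLE_RULES = """\
# ACTION  SOURCE              DEST    PROTO  DPORT
ACCEPT    net:192.0.2.0/24    fw      tcp    22
ACCEPT    net/192.0.2.10      fw      tcp    80
ACCEPT    net/2001:db8::/32   fw      tcp    22
DROP      net:2001:db8::1     fw
"""


def load_rules(text):
    """Parse every non-comment line; return (parsed_rules, [(line_no, error)])."""
    parsed, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        try:
            parsed.append(parse_rule(line))
        except ValueError as e:
            errors.append((n, str(e)))
    return parsed, errors


if __name__ == '__main__':
    ok, bad = load_rules(SAMPLE_RULES)
    for r in ok:
        print(r)
    for n, msg in bad:
        print(f'line {n}: {msg}')
```

Running the block parses the three well-formed rules and reports line 5 as an error, which is the behaviour a rule compiler would want: a misplaced ":" before an IPv6 address is refused at load time rather than silently producing a rule for the wrong zone or address.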