I saw in Tom's recent changes to the roadmap [0] that there will be a version of Shorewall that supports IPv6. Personally, I am not too sure about the name Shorewall6, though I know that some other projects have done something similar (like tcpdump and tcpdump6). However, I really have no idea what would be a good name for the new IPv6-supporting Shorewall. I think that something like Shorewall-ng is probably not good. What will the name be when the next version of IP comes out?

I would like to propose something. Since the 4.0 series is still early in its life, we have the ability to change the naming scheme without confusing things too much. I think that keeping the 4.0 releases named in that way would be good. The development of that branch should continue with 4.0 becoming 4.1 eventually and so on. That branch should continue to support only IPv4. The IPv6-supporting version of Shorewall would start with a 6.0 release. The releases would continue with 6.1 versions and so on. In this way, Shorewall releases would have the major release number indicate the latest IP version that they support, and the following numbers would indicate the release and patch level. This will also future-proof the version numbering against future releases of the IP standard.

I am just thinking off the top of my head, so feel free to modify my idea or tell me that it is no good altogether.

Regards,

-Roberto

[0] http://trac.shorewall.net/roadmap

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On Sat, Sep 15, 2007 at 01:02:10PM -0400, Roberto C. Sánchez wrote:
> I saw in Tom's recent changes to the roadmap [0] that there will be a
> version of Shorewall that supports IPv6. Personally, I am not too sure
> about the name Shorewall6. Though I know that some other projects have
> done something similar (like tcpdump and tcpdump6). However, I really
> have no idea what would be a good name for the new IPv6-supporting Shorewall.
> I think that something like Shorewall-ng is probably not good. What
> will the name be when the next version of IP comes out?
>
> I am just thinking off the top of my head, so feel free to modify my
> idea or tell me that it is no good altogether.

I can see no compelling reason why ipv6 support would require a different piece of software - surely the right solution would be to support both ipv4 and ipv6 at the same time. What's the motivation?
On Sat, Sep 15, 2007 at 06:13:23PM +0100, Andrew Suffield wrote:
> On Sat, Sep 15, 2007 at 01:02:10PM -0400, Roberto C. Sánchez wrote:
> > I saw in Tom's recent changes to the roadmap [0] that there will be a
> > version of Shorewall that supports IPv6. Personally, I am not too sure
> > about the name Shorewall6. Though I know that some other projects have
> > done something similar (like tcpdump and tcpdump6). However, I really
> > have no idea what would be a good name for the new IPv6-supporting Shorewall.
> > I think that something like Shorewall-ng is probably not good. What
> > will the name be when the next version of IP comes out?
> >
> > I am just thinking off the top of my head, so feel free to modify my
> > idea or tell me that it is no good altogether.
>
> I can see no compelling reason why ipv6 support would require a
> different piece of software - surely the right solution would be to
> support both ipv4 and ipv6 at the same time. What's the motivation?
>

I am relatively certain that Tom's intent is that there will be a version of Shorewall that supports both IPv6 *and* IPv4. However, I don't think that his intent is to retrofit that support into the structure of the current releases. However, I may just misunderstand. The statement "First development release of Shorewall6, a Shorewall-like firewall for IPv6" makes it seem like it might in fact be a separate tool.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> On Sat, Sep 15, 2007 at 06:13:23PM +0100, Andrew Suffield wrote:
>> On Sat, Sep 15, 2007 at 01:02:10PM -0400, Roberto C. Sánchez wrote:
>>> I saw in Tom's recent changes to the roadmap [0] that there will be a
>>> version of Shorewall that supports IPv6. Personally, I am not too sure
>>> about the name Shorewall6. Though I know that some other projects have
>>> done something similar (like tcpdump and tcpdump6). However, I really
>>> have no idea what would be a good name for the new IPv6-supporting Shorewall.
>>> I think that something like Shorewall-ng is probably not good. What
>>> will the name be when the next version of IP comes out?
>>>
>>> I am just thinking off the top of my head, so feel free to modify my
>>> idea or tell me that it is no good altogether.
>> I can see no compelling reason why ipv6 support would require a
>> different piece of software - surely the right solution would be to
>> support both ipv4 and ipv6 at the same time. What's the motivation?
>>
> I am relatively certain that Tom's intent is that there will be a
> version of Shorewall that supports both IPv6 *and* IPv4. However, I
> don't think that his intent is to retrofit that support into the
> structure of the current releases. However, I may just misunderstand.
> The statement "First development release of Shorewall6, a Shorewall-like
> firewall for IPv6" makes it seem like it might in fact be a separate
> tool.

iptables is iptables; ip6tables is ip6tables. The rulesets created using these two utilities are totally independent. So there is no reason to have a single product that produces both configurations. Furthermore, the differences between the two protocols and the differences in capabilities of iptables and ip6tables mean that a single compiler would be riddled with separate IPv4/IPv6 logic (as would the documentation).

Nevertheless, I've experimented over the last couple of weeks with hacking up the Shorewall-perl compiler so that it could produce both configurations in a single compilation. From these experiments, I've determined that I really don't want to try to do that.

So my plan at the moment is to add two new packages: Shorewall6 and Shorewall6-lite. Both will have their own command-line tool (shorewall6 and shorewall6-lite).

It is unlikely that Shorewall6 will ever support traffic shaping or multi-ISP. I'm reluctant to repeat either of those mistakes.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Sep 15, 2007 at 01:10:04PM -0700, Tom Eastep wrote:
>
> iptables is iptables; ip6tables is ip6tables. The rulesets created using
> these two utilities are totally independent. So there is no reason to
> have a single product that produces both configurations.
>

I was not aware of the separation.

> Furthermore, the differences between the two protocols and the
> differences in capabilities of iptables and ip6tables mean that a
> single compiler would be riddled with separate IPv4/IPv6 logic (as would
> the documentation).
>
> Nevertheless, I've experimented over the last couple of weeks with
> hacking up the Shorewall-perl compiler so that it could produce both
> configurations in a single compilation. From these experiments, I've
> determined that I really don't want to try to do that.
>

Makes sense.

> So my plan at the moment is to add two new packages: Shorewall6 and
> Shorewall6-lite. Both will have their own command-line tool (shorewall6
> and shorewall6-lite).
>
> It is unlikely that Shorewall6 will ever support traffic shaping or
> multi-ISP. I'm reluctant to repeat either of those mistakes.
>

I see.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Sat, Sep 15, 2007 at 01:10:04PM -0700, Tom Eastep wrote:
> iptables is iptables; ip6tables is ip6tables. The rulesets created using
> these two utilities are totally independent. So there is no reason to
> have a single product that produces both configurations.

Urgh. So the braindamage is in netfilter itself.

What are you supposed to do when you are running a host that's acting as a router between multiple ipv4 and ipv6 networks, and want to filter/nat/mangle/whatever traffic between them?
Andrew Suffield wrote:
> On Sat, Sep 15, 2007 at 01:10:04PM -0700, Tom Eastep wrote:
>> iptables is iptables; ip6tables is ip6tables. The rulesets created using
>> these two utilities are totally independent. So there is no reason to
>> have a single product that produces both configurations.
>
> Urgh. So the braindamage is in netfilter itself.
>
> What are you supposed to do when you are running a host that's acting
> as a router between multiple ipv4 and ipv6 networks, and want to
> filter/nat/mangle/whatever traffic between them?

It's my understanding that you use ip6tables for that and use the fact that the IPv4 address space is embedded within the IPv6 address space.

But beware -- ip6tables does not support any form of NAT.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Sep 15, 2007 at 02:54:42PM -0700, Tom Eastep wrote:
> Andrew Suffield wrote:
> >
> > Urgh. So the braindamage is in netfilter itself.
> >
> > What are you supposed to do when you are running a host that's acting
> > as a router between multiple ipv4 and ipv6 networks, and want to
> > filter/nat/mangle/whatever traffic between them?
>
> It's my understanding that you use ip6tables for that and use the fact
> that the IPv4 address space is embedded within the IPv6 address space.
>
> But beware -- ip6tables does not support any form of NAT.
>

I sense a coming disturbance in the force.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On Sat, Sep 15, 2007 at 02:54:42PM -0700, Tom Eastep wrote:
> Andrew Suffield wrote:
> > On Sat, Sep 15, 2007 at 01:10:04PM -0700, Tom Eastep wrote:
> >> iptables is iptables; ip6tables is ip6tables. The rulesets created using
> >> these two utilities are totally independent. So there is no reason to
> >> have a single product that produces both configurations.
> >
> > Urgh. So the braindamage is in netfilter itself.
> >
> > What are you supposed to do when you are running a host that's acting
> > as a router between multiple ipv4 and ipv6 networks, and want to
> > filter/nat/mangle/whatever traffic between them?
>
> It's my understanding that you use ip6tables for that and use the fact
> that the IPv4 address space is embedded within the IPv6 address space.
>
> But beware -- ip6tables does not support any form of NAT.

So if you want to deploy ipv6 in production alongside an existing ipv4 network (like, say, the internet), then you're screwed. Lovely.
Andrew Suffield wrote:
> ...
>> But beware -- ip6tables does not support any form of NAT.
>
> So if you want to deploy ipv6 in production alongside an existing ipv4
> network (like, say, the internet), then you're screwed.

No, you're simply obliged to route IPv6, even if your current IPv4 setup uses NAT. My understanding is that the formulators of IPv6 view NAT as a hack that works around the limitations in IPv4 that they removed in IPv6. To a certain extent I understand their philosophy, although I'm not convinced NAT is as evil as they say it is...

--
Paul <http://paul.gear.dyndns.org>
--
Did you know? Email viruses spread using addresses they find on the host computer. You can help to reduce the spread of these viruses by using Bcc: instead of To: on mass mailings, or using mailing list software such as mailman (http://www.list.org/) instead.
On Sun, Sep 16, 2007 at 01:04:07PM +1000, Paul Gear wrote:
> Andrew Suffield wrote:
> > ...
> >> But beware -- ip6tables does not support any form of NAT.
> >
> > So if you want to deploy ipv6 in production alongside an existing ipv4
> > network (like, say, the internet), then you're screwed.
>
> No, you're simply obliged to route IPv6, even if your current IPv4 setup
> uses NAT. My understanding is that the formulators of IPv6 view NAT as
> a hack that works around the limitations in IPv4 that they removed in
> IPv6. To a certain extent I understand their philosophy, although I'm
> not convinced NAT is as evil as they say it is...

I think you missed the point - if the only way to handle a combined ipv4/ipv6 setup is to use ip6tables for everything, then you cannot use NAT for your *ipv4* network.
Andrew Suffield wrote:
> On Sun, Sep 16, 2007 at 01:04:07PM +1000, Paul Gear wrote:
>> Andrew Suffield wrote:
>>> ...
>>>> But beware -- ip6tables does not support any form of NAT.
>>> So if you want to deploy ipv6 in production alongside an existing ipv4
>>> network (like, say, the internet), then you're screwed.
>> No, you're simply obliged to route IPv6, even if your current IPv4 setup
>> uses NAT. My understanding is that the formulators of IPv6 view NAT as
>> a hack that works around the limitations in IPv4 that they removed in
>> IPv6. To a certain extent I understand their philosophy, although I'm
>> not convinced NAT is as evil as they say it is...
>
> I think you missed the point - if the only way to handle a combined
> ipv4/ipv6 setup is to use ip6tables for everything, then you cannot
> use NAT for your *ipv4* network.

Andrew,

I'm currently running a combined IPv4/IPv6 router that is using NAT for IPv4 and straight routing for IPv6. I'm using Shorewall (iptables) for the IPv4 firewall and I'm using ip6tables for the IPv6 firewall (until I get Shorewall6 running).

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Sat, Sep 15, 2007 at 11:05:06PM -0700, Tom Eastep wrote:
> Andrew Suffield wrote:
> > On Sun, Sep 16, 2007 at 01:04:07PM +1000, Paul Gear wrote:
> >> Andrew Suffield wrote:
> >>> ...
> >>>> But beware -- ip6tables does not support any form of NAT.
> >>> So if you want to deploy ipv6 in production alongside an existing ipv4
> >>> network (like, say, the internet), then you're screwed.
> >> No, you're simply obliged to route IPv6, even if your current IPv4 setup
> >> uses NAT. My understanding is that the formulators of IPv6 view NAT as
> >> a hack that works around the limitations in IPv4 that they removed in
> >> IPv6. To a certain extent I understand their philosophy, although I'm
> >> not convinced NAT is as evil as they say it is...
> >
> > I think you missed the point - if the only way to handle a combined
> > ipv4/ipv6 setup is to use ip6tables for everything, then you cannot
> > use NAT for your *ipv4* network.
>
> I'm currently running a combined IPv4/IPv6 router that is using NAT for
> IPv4 and straight routing for IPv6. I'm using Shorewall (iptables) for
> the IPv4 firewall and I'm using ip6tables for the IPv6 firewall (until I
> get Shorewall6 running)

Interesting - so how do you handle traffic moving between the ipv4 and ipv6 networks?
Andrew Suffield wrote:
> On Sat, Sep 15, 2007 at 11:05:06PM -0700, Tom Eastep wrote:
>> Andrew Suffield wrote:
>>> On Sun, Sep 16, 2007 at 01:04:07PM +1000, Paul Gear wrote:
>>>> Andrew Suffield wrote:
>>>>> ...
>>>>>> But beware -- ip6tables does not support any form of NAT.
>>>>> So if you want to deploy ipv6 in production alongside an existing ipv4
>>>>> network (like, say, the internet), then you're screwed.
>>>> No, you're simply obliged to route IPv6, even if your current IPv4 setup
>>>> uses NAT. My understanding is that the formulators of IPv6 view NAT as
>>>> a hack that works around the limitations in IPv4 that they removed in
>>>> IPv6. To a certain extent I understand their philosophy, although I'm
>>>> not convinced NAT is as evil as they say it is...
>>> I think you missed the point - if the only way to handle a combined
>>> ipv4/ipv6 setup is to use ip6tables for everything, then you cannot
>>> use NAT for your *ipv4* network.
>> I'm currently running a combined IPv4/IPv6 router that is using NAT for
>> IPv4 and straight routing for IPv6. I'm using Shorewall (iptables) for
>> the IPv4 firewall and I'm using ip6tables for the IPv6 firewall (until I
>> get Shorewall6 running)
>
> Interesting - so how do you handle traffic moving between the ipv4 and
> ipv6 networks?

I don't -- the two networks are completely parallel. Each local host has both an IPv4 address and an IPv6 address.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> I don't -- the two networks are completely parallel. Each local host has
> both an IPv4 address and an IPv6 address.

Note that it is possible for an IPv4 client to connect to (or send to) a server whose AF_INET6 socket is bound to ::0 (provided that the server's host has an IPv4 address). But from the point of view of Netfilter, that is an IPv4-only connection.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
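The following script is an added illustration of Tom's two remarks above (an AF_INET6 socket bound to ::0 also serving IPv4 clients, and the IPv4 space being embedded in IPv6); it is not Shorewall code or anything Tom posted. It opens a dual-stack listener, connects a plain AF_INET client over loopback, and reports the IPv4-mapped peer address the server sees together with which ruleset (iptables, not ip6tables) actually saw those packets on the wire. It assumes a host with IPv4 loopback; when IPv6 sockets are unavailable the live probe returns None and only the offline classifier runs.

```python
import ipaddress
import socket


def listen_dual_stack(port=0):
    # Bind an AF_INET6 socket to "::" (the "::0" of the message above) with
    # IPV6_V6ONLY cleared, so IPv4 clients may connect. The kernel presents
    # such peers to the application as IPv4-mapped addresses (::ffff:a.b.c.d).
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", port))
        srv.listen(1)
    except OSError:
        srv.close()
        raise
    return srv


def netfilter_view(peer_host):
    # Decide which ruleset filtered this connection. An IPv4-mapped address
    # means the packets were IPv4 on the wire, so iptables saw them and
    # ip6tables never did, whatever family the server socket has.
    addr = ipaddress.ip_address(peer_host.split("%", 1)[0])  # drop scope id
    if addr.version == 4 or addr.ipv4_mapped is not None:
        return "iptables"
    return "ip6tables"


def probe_ipv4_client_on_v6_socket():
    # Connect an AF_INET client over loopback to the dual-stack listener and
    # return (peer address as seen by the server, ruleset that filtered it).
    # Returns None if this host cannot create or bind an IPv6 socket.
    try:
        srv = listen_dual_stack()
    except OSError:
        return None
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        cli.connect(("127.0.0.1", srv.getsockname()[1]))
        conn, peer = srv.accept()
        conn.close()
    except OSError:
        return None
    finally:
        cli.close()
        srv.close()
    return peer[0], netfilter_view(peer[0])


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from any host.
    print(netfilter_view("::ffff:192.0.2.10"))  # iptables
    print(netfilter_view("2001:db8::10"))       # ip6tables
    print(probe_ipv4_client_on_v6_socket())     # ('::ffff:127.0.0.1', 'iptables') or None
```

The same distinction matters for logging: a dual-stack daemon that records `::ffff:` peers in its logs is describing IPv4 traffic, and the matching firewall rule lives in the iptables ruleset.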
On Sun, Sep 16, 2007 at 07:12:03AM -0700, Tom Eastep wrote:
> >> I'm currently running a combined IPv4/IPv6 router that is using NAT for
> >> IPv4 and straight routing for IPv6. I'm using Shorewall (iptables) for
> >> the IPv4 firewall and I'm using ip6tables for the IPv6 firewall (until I
> >> get Shorewall6 running)
> >
> > Interesting - so how do you handle traffic moving between the ipv4 and
> > ipv6 networks?
>
> I don't -- the two networks are completely parallel. Each local host has
> both an IPv4 address and an IPv6 address.

I find it difficult to see what benefit there is in deploying ipv6 if you still have to allocate an ipv4 address for every host, and keep maintaining the ipv4 network like you always have done.
Andrew Suffield wrote:
> On Sun, Sep 16, 2007 at 07:12:03AM -0700, Tom Eastep wrote:
>>>> I'm currently running a combined IPv4/IPv6 router that is using NAT for
>>>> IPv4 and straight routing for IPv6. I'm using Shorewall (iptables) for
>>>> the IPv4 firewall and I'm using ip6tables for the IPv6 firewall (until I
>>>> get Shorewall6 running)
>>> Interesting - so how do you handle traffic moving between the ipv4 and
>>> ipv6 networks?
>> I don't -- the two networks are completely parallel. Each local host has
>> both an IPv4 address and an IPv6 address.
>
> I find it difficult to see what benefit there is in deploying ipv6 if
> you still have to allocate an ipv4 address for every host, and keep
> maintaining the ipv4 network like you always have done.

Well, I'm not here to sell IPv6. I've got my hands full just trying to make a Shorewall-like firewall that can deal with it.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
--- Tom Eastep <teastep@shorewall.net> wrote:
> It is unlikely that Shorewall6 will ever support
> traffic shaping or
> multi-ISP. I'm reluctant to repeat either of those
> mistakes.

I haven't used the traffic shaping feature enough to say anything about it, but I think that my multi-ISP setup is working really nicely. It's a *major* feature, hard to do without Shorewall (at least I think so). Anyway, I know neither when I will need to do multi-ISP in ipv6 nor how difficult it must have been/is to develop/maintain this feature. Just wanted to say how much I appreciate the multi-provider Shorewall setup even though I understand that it may disappear in the *far* future.

Regards,

Vieri