Within the next few days, I will be making the first 4.3.0 Alpha release available. Shorewall 4.3 will feature support for IPv6.

Two new packages will be included:

1) Shorewall6 -- analogous to the current Shorewall-common but for IPv6.
2) Shorewall6-lite -- analogous to the current Shorewall-lite.

The Shorewall-perl compiler is enhanced to be able to handle either an IPv4 configuration or an IPv6 configuration.

Key features of Shorewall6 are:

1) There is no NAT of any kind (most people see this as a giant step forward). When an ISP assigns you a public IPv6 address, you are actually assigned an IPv6 'prefix' which is like an IPv4 subnet. A 64-bit prefix allows 4 billion individual hosts (the size of the current IPv4 address space).

2) The configuration is kept in /etc/shorewall6

3) The default zone type is ipv6.

4) The currently-supported interface options in Shorewall6 are:

    blacklist
    bridge
    optional
    routeback
    sourceroute
    tcpflags
    mss
    forward (replaces the IP_FORWARDING .conf option -- forwarding
            is enabled on a per-interface basis in IPv6).

5) The currently-supported host options in Shorewall6 are:

    blacklist
    routeback
    tcpflags

6) Traffic Shaping and Multi-ISP support are currently disabled. Packet marking and connection marking are available to feed your current traffic shaping defined in Shorewall.

7) When both an interface and an IPv6 address or address list need to be specified in a rule, the address or list must be enclosed in square brackets. Example:

    ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz

8) There are currently no Shorewall6 or Shorewall6-lite manpages.

9) The options available in shorewall6.conf are a subset of those available in shorewall.conf

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                -Herbert Spencer
http://shorewall.net \________________________________________________
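The bracket rule in item 7 exists because the zone:interface separator and IPv6 addresses both use colons. The sketch below is an added illustration, not Shorewall's own code and not part of the original message; parse_host_spec and parse_rule are hypothetical names, list members are assumed to be comma-separated, and any unbracketed extra colon field is rejected as ambiguous.

```python
import ipaddress


def parse_host_spec(spec):
    """Parse 'zone[:interface][:[addr,...]]' into (zone, interface, networks)."""
    networks = []
    if "[" in spec:
        head, _, rest = spec.partition("[")
        # The bracketed part must be the last field and follow a ':' separator.
        if not head.endswith(":") or not rest.endswith("]"):
            raise ValueError(f"malformed bracketed address list: {spec!r}")
        # Assumption: members are comma-separated; each may carry a /prefixlen.
        # IPv6Network raises a ValueError subclass for anything that is not IPv6.
        networks = [ipaddress.IPv6Network(a.strip(), strict=False)
                    for a in rest[:-1].split(",")]
        spec = head[:-1]
    fields = spec.split(":")
    # Outside brackets only 'zone' or 'zone:interface' can be split safely.
    # More colon-separated fields means an IPv6 address was left unbracketed.
    if len(fields) > 2 or not all(fields):
        raise ValueError(f"ambiguous spec, bracket the IPv6 address: {spec!r}")
    zone = fields[0]
    interface = fields[1] if len(fields) == 2 else None
    return zone, interface, networks


def parse_rule(line):
    """Split a rule line into (action, source, dest) with parsed host specs."""
    action, source, dest = line.split()[:3]
    return action, parse_host_spec(source), parse_host_spec(dest)


if __name__ == "__main__":
    # The rule from item 7, followed by constructed variants.
    samples = [
        "ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz",
        "ACCEPT net:eth0:[2001:db8::1,2001:db8:1::/48] dmz",   # constructed list
        "ACCEPT net:eth0:2001:19f0:feee::dead:beef:cafe dmz",  # brackets missing
    ]
    for rule in samples:
        try:
            print(parse_rule(rule))
        except ValueError as exc:
            print("rejected:", exc)
```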
On Wed, Dec 10, 2008 at 09:35:16AM -0800, Tom Eastep wrote:
> Within the next few days, I will be making the first 4.3.0 Alpha release
> available. Shorewall 4.3 will feature support for IPv6.
>
> Two new packages will be included:
>
> 1) Shorewall6 -- analogous to the current Shorewall-common but for
> IPv6.
> 2) Shorewall6-lite -- analogous to the current Shorewall-lite.
>
> The Shorewall-perl compiler is enhanced to be able to handle either an
> IPv4 configuration or an IPv6 configuration.
>
> Key features of Shorewall6 are:
>
> 1) There is no NAT of any kind (most people see this as a giant step
> forward). When an ISP assigns you a public IPv6 address, you are
> actually assigned an IPv6 'prefix' which is like an IPv4 subnet. A
> 64-bit prefix allows 4 billion individual hosts (the size of the current
> IPv4 address space).

Well actually you get 4 billion squared. IPv4=32bit, IPv6=128bit, so a 64bit prefix gives you 2^64 addresses.

I look forward to playing with shorewall6 though.

> 2) The configuration is kept in /etc/shorewall6
>
> 3) The default zone type is ipv6.

So how do shorewall and shorewall6 interact on a single machine if you use both IPv4 and IPv6?

> 4) The currently-supported interface options in Shorewall6 are:
>
>     blacklist
>     bridge
>     optional
>     routeback
>     sourceroute
>     tcpflags
>     mss
>     forward (replaces the IP_FORWARDING .conf option -- forwarding
>             is enabled on a per-interface basis in IPv6).
>
> 5) The currently-supported host options in Shorewall6 are:
>
>     blacklist
>     routeback
>     tcpflags
>
> 6) Traffic Shaping and Multi-ISP support are currently disabled. Packet
> marking and connection marking are available to feed your current
> traffic shaping defined in Shorewall.
>
> 7) When both an interface and an IPv6 address or address list need to
> be specified in a rule, the address or list must be enclosed in square
> brackets. Example:
>
>     ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
>
> 8) There are currently no Shorewall6 or Shorewall6-lite manpages.
>
> 9) The options available in shorewall6.conf are a subset of those
> available in shorewall.conf

--
Len Sorensen
Lennart Sorensen wrote:
> On Wed, Dec 10, 2008 at 09:35:16AM -0800, Tom Eastep wrote:
>> Within the next few days, I will be making the first 4.3.0 Alpha release
>> available. Shorewall 4.3 will feature support for IPv6.
>>
>> Two new packages will be included:
>>
>> 1) Shorewall6 -- analogous to the current Shorewall-common but for
>> IPv6.
>> 2) Shorewall6-lite -- analogous to the current Shorewall-lite.
>>
>> The Shorewall-perl compiler is enhanced to be able to handle either an
>> IPv4 configuration or an IPv6 configuration.
>>
>> Key features of Shorewall6 are:
>>
>> 1) There is no NAT of any kind (most people see this as a giant step
>> forward). When an ISP assigns you a public IPv6 address, you are
>> actually assigned an IPv6 'prefix' which is like an IPv4 subnet. A
>> 64-bit prefix allows 4 billion individual hosts (the size of the current
>> IPv4 address space).
>
> Well actually you get 4 billion squared. IPv4=32bit, IPv6=128bit, so a
> 64bit prefix gives you 2^64 addresses.

Yes -- a 96 bit prefix gives you 4 billion local addresses.

>
> I look forward to playing with shorewall6 though.
>
>> 2) The configuration is kept in /etc/shorewall6
>>
>> 3) The default zone type is ipv6.
>
> So how does shorewall and shorewall6 interact on a single machine if you
> use both IPv4 and IPv6?

They don't -- they are completely independent, just as IPv4 and IPv6 are independent in the kernel (separate routing tables, separate netfilter tables, separate routing rules, ...).

-Tom
This is really great. I am really looking forward to this! Especially since we are moving the firewall in our lab at work to Linux and IPv6 is high on our wish list there. Shorewall was already the firewall configuration tool of choice. Here at home I am currently using 6wall due to lack of something better.

One question though, you said:
The Shorewall-perl compiler is enhanced to be able to handle either an IPv4 configuration or an IPv6 configuration.
I hope that "or" should read "and/or". I hope I can use IPv4 and IPv6 on the same machine, with just different configuration files?

Keep up the good work!

Louis

On Wed, 2008-12-10 at 09:35 -0800, Tom Eastep wrote:
> Within the next few days, I will be making the first 4.3.0 Alpha release
> available. Shorewall 4.3 will feature support for IPv6.
>
> Two new packages will be included:
>
> 1) Shorewall6 -- analogous to the current Shorewall-common but for
> IPv6.
> 2) Shorewall6-lite -- analogous to the current Shorewall-lite.
>
> The Shorewall-perl compiler is enhanced to be able to handle either an
> IPv4 configuration or an IPv6 configuration.
>
> Key features of Shorewall6 are:
>
> 1) There is no NAT of any kind (most people see this as a giant step
> forward). When an ISP assigns you a public IPv6 address, you are
> actually assigned an IPv6 'prefix' which is like an IPv4 subnet. A
> 64-bit prefix allows 4 billion individual hosts (the size of the current
> IPv4 address space).
>
> 2) The configuration is kept in /etc/shorewall6
>
> 3) The default zone type is ipv6.
>
> 4) The currently-supported interface options in Shorewall6 are:
>
>     blacklist
>     bridge
>     optional
>     routeback
>     sourceroute
>     tcpflags
>     mss
>     forward (replaces the IP_FORWARDING .conf option -- forwarding
>             is enabled on a per-interface basis in IPv6).
>
> 5) The currently-supported host options in Shorewall6 are:
>
>     blacklist
>     routeback
>     tcpflags
>
> 6) Traffic Shaping and Multi-ISP support are currently disabled. Packet
> marking and connection marking are available to feed your current
> traffic shaping defined in Shorewall.
>
> 7) When both an interface and an IPv6 address or address list need to
> be specified in a rule, the address or list must be enclosed in square
> brackets. Example:
>
>     ACCEPT net:eth0:[2001:19f0:feee::dead:beef:cafe] dmz
>
> 8) There are currently no Shorewall6 or Shorewall6-lite manpages.
>
> 9) The options available in shorewall6.conf are a subset of those
> available in shorewall.conf
>
> -Tom
Louis Lagendijk wrote:
> One question though, you said:
> The Shorewall-perl compiler is enhanced to be able to handle either an
> IPv4 configuration or an IPv6 configuration.
> I hope that should or should read and/or. I hope I can use Ipv4 and IPv6
> on the same machine, with just different configuration files?

Of course.

-Tom