Shorewall 4.3.0 is now available for download.
Two new packages are included:
   a) Shorewall6 - analogous to Shorewall-common but handles IPv6
      rather than IPv4.
   b) Shorewall6-lite - analogous to Shorewall-lite but handles IPv6
      rather than IPv4.
   The packages store their configurations in /etc/shorewall6/ and
   /etc/shorewall6-lite/ respectively.
   The fact that the packages are separate from their IPv4 counterparts
   means that you control IPv4 and IPv6 traffic separately (the same
   way that Netfilter does). Starting/Stopping the firewall for one
   address family has no effect on the other address family.
   Other features of Shorewall6 are:
   a) There is no NAT of any kind (most people see this as a giant step
      forward). When an ISP assigns you a public IPv6 address, you are
      actually assigned an IPv6 'prefix' which is like an IPv4
      subnet. A 96-bit prefix allows 4 billion individual hosts (the
      size of the current IPv4 address space).
   b) The default zone type is ipv6.
   c) The currently-supported interface options in Shorewall6 are:
        blacklist
        bridge
        optional
        routeback
        sourceroute
        tcpflags
        mss
        forward (replaces the IP_FORWARDING .conf option -- forwarding
                 is enabled on a per-interface basis in IPv6).
   d)  The currently-supported host options in Shorewall6 are:
        blacklist
        routeback
        tcpflags
   e)  Traffic Shaping and Multi-ISP support are currently disabled.
       Packet marking and connection marking are available to feed your
       current traffic shaping defined in Shorewall.
   f)  When both an interface and an IPv6 address, MAC address or
       address list need to be specified in a rule, the address or list
       must be enclosed in square brackets. Example:
        ACCEPT  net:eth0:[2001:19f0:feee::dead:beef:cafe]       dmz
   g)  There are currently no Shorewall6 or Shorewall6-lite manpages.
   h)  The options available in shorewall6.conf are a subset of those
       available in shorewall.conf.
The Shorewall6 package is dependent on Shorewall-perl. The new
Shorewall-perl requires the Perl Socket6 library which is normally a
separate package (It's called perl-Socket6 under OpenSuSE and
libsocket6-perl on Debian Lenny). Warning: The Debian Lenny package is
currently broken. You need to edit Socket6.pm and change this line:
  push @EXPORT, qw(AF_INET6) unless defined Socket::AF_INET6();
to
  push @EXPORT, qw(AF_INET6) unless defined eval {Socket::AF_INET6()};
-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \                                 -Herbert Spencer
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> f)  When both an interface and an IPv6 address, MAC address or
>     address list need to be specified in a rule, the address or list
>     must be enclosed in square brackets. Example:
>
>      ACCEPT  net:eth0:[2001:19f0:feee::dead:beef:cafe]       dmz

This syntax convention also applies in /etc/shorewall6/hosts.

-Tom
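The bracket convention in item (f) and the follow-up about /etc/shorewall6/hosts exist because an IPv6 address is itself full of colons, the same character Shorewall uses to separate ZONE, INTERFACE and ADDRESS in a host specification; without the brackets `net:eth0:2001:19f0:feee::dead:beef:cafe` cannot be split unambiguously. The following parser is an added example written for this page, not Shorewall's own code: it parses `zone[:interface][:[address,...]]`, rejects an unbracketed address list, validates each entry as an IPv6 host, an IPv6 prefix or a `~xx-xx-xx-xx-xx-xx` MAC address, and reuses the same routine for a rules line and for a hosts-file line. The hosts-file layout (ZONE, then HOST(S) as `interface:[address-list]`) and the requirement that any address list be bracketed, even without an interface, are assumptions of the example, not statements taken from the announcement.

```python
"""Parse the Shorewall6 zone:interface:[address-list] convention (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shorewall writes MAC addresses in address lists as ~xx-xx-xx-xx-xx-xx.
_MAC_RE = re.compile(r'~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$')

# ZONE, optional :INTERFACE, optional :[ADDR,ADDR,...]
# The square brackets are what stop the colons inside an IPv6 address from
# being read as column separators; an unbracketed address fails the match.
_SPEC_RE = re.compile(r'^([A-Za-z0-9_]+)(?::([^:\[\],\s]+))?(?::\[([^\[\]\s]*)\])?$')


@dataclass
class HostSpec:
    zone: str
    interface: Optional[str] = None
    addresses: List[str] = field(default_factory=list)


def _check_address(token: str) -> str:
    """Accept an IPv6 host, an IPv6 prefix or a ~MAC; reject anything else."""
    if _MAC_RE.match(token):
        return token
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError as exc:
        raise ValueError(f"bad address {token!r} in address list") from exc
    if net.version != 6:
        # Shorewall6 only handles IPv6; IPv4 belongs in the Shorewall config.
        raise ValueError(f"{token!r} is not an IPv6 address or prefix")
    return token


def parse_spec(spec: str) -> HostSpec:
    """Parse zone[:interface][:[address-list]] into its parts."""
    m = _SPEC_RE.match(spec)
    if not m:
        raise ValueError(
            f"cannot parse {spec!r}: an address list must be written as "
            f"[addr,...] so its colons are not taken for field separators")
    zone, iface, addr_list = m.groups()
    addresses: List[str] = []
    if addr_list is not None:
        tokens = [t for t in addr_list.split(',') if t]
        if not tokens:
            raise ValueError(f"empty address list in {spec!r}")
        addresses = [_check_address(t) for t in tokens]
    return HostSpec(zone, iface, addresses)


def parse_rule(line: str) -> dict:
    """Split one rules line: ACTION SOURCE DEST [further columns]."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError("a rules line needs at least ACTION, SOURCE and DEST")
    return {"action": cols[0],
            "source": parse_spec(cols[1]),
            "dest": parse_spec(cols[2]),
            "rest": cols[3:]}


def parse_hosts_entry(line: str) -> HostSpec:
    """Hosts line: ZONE then HOST(S) as interface:[address-list] (assumed layout)."""
    cols = line.split()
    if len(cols) < 2:
        raise ValueError("a hosts line needs ZONE and HOST(S)")
    # The HOST(S) column is the same grammar minus the zone, so prefix it.
    return parse_spec(f"{cols[0]}:{cols[1]}")


if __name__ == "__main__":
    # Constructed sample lines, modelled on the example in the announcement.
    print(parse_rule("ACCEPT  net:eth0:[2001:19f0:feee::dead:beef:cafe]       dmz"))
    print(parse_hosts_entry("dmz  eth0:[2001:19f0:feee::/64,~00-a0-c9-14-c8-29]"))
    try:
        parse_spec("net:eth0:2001:19f0:feee::dead:beef:cafe")
    except ValueError as err:
        print("rejected:", err)
```

Running the module shows the bracketed rule and hosts lines parsed into zone, interface and address list, and the same address written without brackets rejected with an explanation, which is the failure the convention exists to prevent.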
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> f)  When both an interface and an IPv6 address, MAC address or
>>     address list need to be specified in a rule, the address or list
>>     must be enclosed in square brackets. Example:
>>
>>      ACCEPT  net:eth0:[2001:19f0:feee::dead:beef:cafe]       dmz
>
> This syntax convention also applies in /etc/shorewall6/hosts.

Which is broken. Fix attached.

-Tom
Tom Eastep wrote:
> c) The currently-supported interface options in Shorewall6 are:
> ...
>      forward (replaces the IP_FORWARDING .conf option -- forwarding
>               is enabled on a per-interface basis in IPv6).

This is nonsense -- to enable forwarding,
/proc/sys/net/ipv6/config/all/forwarding must be set to 1. For now, use
echo to set it. Next version will remove the 'forward' interface option
and reinstate IP_FORWARDING in shorewall6.conf.

-Tom