Hi there!

I just installed Shorewall, and it works really nice! Way better than SuSEfirewall2, which I used before. Unfortunately I've got a problem (this problem actually led me to Shorewall): I'm not able to do any IPv6-related stuff (ping6, connect to IPv6 IRC servers...) from behind the firewall. As I said, I used to use SuSEfirewall2 until today, and I had the same problem with IPv6 with it, except that IPv6 worked fine when SuSEfirewall2 was not running, so I guess it's a problem related to the firewall. I hoped switching to Shorewall would solve the problem, but unfortunately it did not :( but I'm keeping Shorewall, that's for sure ;)

So... does anybody know what exactly I have to do to get IPv6 working with Shorewall?

My system: SuSE 8.0 prof.; Shorewall 1.3.7b; using ipng.org.uk as IPv6 tunnel broker.

Thanks in advance for any help!

PS: everything works fine with Shorewall, except IPv6

-- 
GMX - the communications platform on the Internet. http://www.gmx.net
On Friday 30 August 2002 05:52 pm, Tarin@gmx.net wrote:

> Hi there!
>
> I just installed Shorewall, and it works really nice! Way better than
> SuSEfirewall2 I used before. Unfortunately I've got a problem (this problem
> actually led me to Shorewall): I'm not able to do any IPv6 related stuff
> (ping6, connect to IPv6 IRC servers...) from behind the firewall.

Shorewall has no IPV6 capability.

Sorry,
-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> On Friday 30 August 2002 05:52 pm, Tarin@gmx.net wrote:
>> Hi there!
>>
>> I just installed Shorewall, and it works really nice! Way better than
>> SuSEfirewall2 I used before. Unfortunately I've got a problem (this
>> problem actually led me to Shorewall): I'm not able to do any IPv6 related stuff
>> (ping6, connect to IPv6 IRC servers...) from behind the firewall.
>
> Shorewall has no IPV6 capability.
>
> Sorry,
> -Tom

Too bad :( Are there any plans on making Shorewall IPv6 capable? Or are there any ways I can make the firewall handle IPv6 manually *after* Shorewall is loaded?

-- 
GMX - the communications platform on the Internet. http://www.gmx.net
On Saturday 31 August 2002 04:08 pm, Tarin@gmx.net wrote:

>> On Friday 30 August 2002 05:52 pm, Tarin@gmx.net wrote:
>>> Hi there!
>>>
>>> I just installed Shorewall, and it works really nice! Way better than
>>> SuSEfirewall2 I used before. Unfortunately I've got a problem (this
>>> problem actually led me to Shorewall): I'm not able to do any IPv6 related
>>> stuff (ping6, connect to IPv6 IRC servers...) from behind the firewall.
>>
>> Shorewall has no IPV6 capability.
>>
>> Sorry,
>> -Tom
>
> Too bad :( Are there any plans on making Shorewall IPv6 capable?

No.

> Or are there any ways I can make the firewall handle IPv6 manually *after*
> Shorewall is loaded?

I have no idea. I haven't touched IPv6....

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
>> Or are there any ways I can make the firewall handle IPv6 manually *after*
>> Shorewall is loaded?
>
> I have no idea. I haven't touched IPv6....
>
> -Tom

Just set this up myself. Yes, ipv6 is completely outside the control of shorewall. I'm using freenet6.net for a tunnel server, so I have extra rules to allow the tunnel configuration protocol (TCP port 4343).

ipv6 rules in /etc/shorewall/rules:

    # tsp client
    ACCEPT  fw   net  tcp   4343

    # IPv6 Rules
    # NOTE - these may be completely ineffective. They make me feel better though.
    # I'm a little troubled by this first one. It will also allow IPv6 access
    # to IPv4 based machines behind the firewall using the 6to4 address.
    # Better have ip6tables rules in place first. Comment it out if you're uncomfortable.
    # In theory, you can still ping and connect without it. (just no incoming connections)
    ACCEPT  net  fw   ipv6  -
    ACCEPT  fw   net  ipv6  -
    ACCEPT  loc  fw   ipv6  -
    ACCEPT  fw   loc  ipv6  -

That's all it took for shorewall to ignore ipv6 traffic (ie - not block it). (Though I never saw it being blocked without those rules...) Still, I'm not certain these rules have any effect. ipv6 netfilter is a separate entity from standard netfilter iptables. I'm not specifically allowing or denying icmp6 (ping6 packets) and they get through without any trouble.

For ipv6 firewall rules, use the "ip6tables" command just like you would iptables. You might even be able to take your ipv4 rules as a starting point and just replace the command and ip addresses.

For hosts behind the firewall, run zebra, or radvd and "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding". This should enable autoconfiguration and routing on the firewall.

If you want to make shorewall run your ipv6 rules, put them in one of the extension scripts - init or start / refresh. It's just a shell script.

>> Too bad :( Are there any plans on making Shorewall IPv6 capable?
>
> No.

As for direct shorewall support, since the rules are completely separate, shorewall6 can be a completely separate project, though it would have a lot in common with the current shorewall. It's probably not a big priority to most, since it's still in the experimental phase.

Still - Tom, it's as easy as replacing "iptables" with "ip6tables" and addresses like 192.168.2.10 with 3ffe:11d0:3be:1::1 and fe80::2a0:ccff:fe33:20db. It wouldn't be very hard to extend shorewall to handle ipv6, having it establish nearly identical rulesets for both ipv4 and ipv6 traffic. But, like I said before, I'm sure it's not a big priority.

Hope this helps,
~Jonathan
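An added example, not Jonathan's or the Shorewall project's code: the ip6tables policy the post says should be in place before the `ACCEPT net fw ipv6` rule lets tunnel packets through, written as the /etc/shorewall/start extension script the post suggests. The interface names (sit1 for the tunnel, eth1 for the LAN) and the conntrack match (which needs IPv6 connection tracking in the kernel, something 2002-era kernels did not have) are assumptions; by default the script only prints the commands, and IP6T=ip6tables applies them.

```shell
#!/bin/sh
# Added example, not Shorewall's or Jonathan's code: an /etc/shorewall/start
# extension script installing a default-deny ip6tables policy for the 6in4
# tunnel. Interface names are assumptions. Dry run by default (prints the
# commands); run as root with IP6T=ip6tables to apply them.
IP6T=${IP6T:-"echo ip6tables"}
TUN_IF=${TUN_IF:-sit1}    # assumed 6in4 tunnel interface
LAN_IF=${LAN_IF:-eth1}    # assumed LAN interface (the one radvd serves)

ipv6_firewall() {
    $IP6T -F
    $IP6T -X
    # Default deny for traffic to and through the firewall: the tunnel
    # bypasses every IPv4 rule, so this table is the only line of defence.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT
    $IP6T -A INPUT -i lo -j ACCEPT
    # ICMPv6 types IPv6 cannot function without (errors, path MTU, NDP).
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem neighbour-solicitation neighbour-advertisement; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Router solicitations only from the LAN; no router advertisements are
    # accepted from anywhere, because this box is the router.
    $IP6T -A INPUT -i "$LAN_IF" -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
    $IP6T -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
    # Replies to connections opened from the firewall or from the LAN
    # (assumes IPv6 connection tracking in the kernel).
    $IP6T -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate connections out through the tunnel; nothing
    # initiated from the tunnel side reaches the LAN.
    $IP6T -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT
    # Log what the policy is about to drop so a misconfiguration is visible.
    $IP6T -A INPUT   -i "$TUN_IF" -j LOG --log-prefix "ip6 in drop: "
    $IP6T -A FORWARD -i "$TUN_IF" -j LOG --log-prefix "ip6 fwd drop: "
}

ipv6_firewall
```

The forwarding sysctl from the post stays where Jonathan put it; this script only covers the filter rules.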
On Tue, 3 Sep 2002, Jonathan Manning wrote:

> Still - Tom, it's as easy as replacing "iptables" with "ip6tables" and
> addresses like 192.168.2.10 with 3ffe:11d0:3be:1::1 and
> fe80::2a0:ccff:fe33:20db. It wouldn't be very hard to extend shorewall to
> handle ipv6, having it establish nearly identical rulesets for both ipv4
> and ipv6 traffic. But, like I said before, I'm sure it's not a big priority.

And I'll leave it to you to figure out how to unambiguously parse all of the Shorewall constructs that use ":" as a separator.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net