Troy Telford
2012-Jan-24 19:20 UTC
Slightly off topic: I don't know the terms to look for to RTFM (IPv6)
I've used a tunnel broker for IPv6 for quite some time; the biggest advantage is a static IP address.

For bandwidth & latency reasons, I've been considering switching to using my ISP's 6to4 - which means a dynamic IPv6 subnet.

The thing is: I want to have some hosts inside the firewall with open SSH ports, but not every host. While the stateless autoconfig 'suffix' (I don't know the proper term) is going to be the same, as it's based on the Ethernet MAC address, the IPv6 prefix is obviously going to change (as it's based on the IPv4 address with 6to4).

Is there any sort of mechanism so I can say "This host (on the inside of the firewall) has a MAC address of <foo>. The IPv6 prefix is going to change. The IP address will only be found on (the firewall's) eth2. I want a stateful firewall to block incoming connections for everything but SSH for that host."

Is this sort of a pipe dream?

It seems to me that with a dynamically assigned IPv6 subnet, firewalls become impossible to really manage, as the IPv6 prefix keeps changing, which in turn changes the 'destination' IP of every computer that is on the subnet...

Is there something that is supposed to handle this? If so, what's it called so I can RTFM?

I realize a workaround would be to use multiple IPv6 tunnels (similar to the multi-ISP shorewall example) - where I use the tunnel broker's static subnet for incoming connections. I'm wondering if it's also the only solution.
-- 
Troy Telford
Christ Schlacta
2012-Jan-26 21:55 UTC
Re: Slightly off topic: I don't know the terms to look for to RTFM (IPv6)
I'm only suggesting an idea here, but you may be able to use shell variables to make something like this happen in your params file.

On 1/24/2012 11:20, Troy Telford wrote:
> I've used a tunnel broker for IPv6 for quite some time; the biggest
> advantage is a static IP address.
>
> For bandwidth & latency reasons, I've been considering switching to
> using my ISP's 6to4 - which means a dynamic IPv6 subnet.
>
> The thing is: I want to have some hosts inside the firewall with open
> SSH ports, but not every host. While the stateless autoconfig 'suffix'
> (I don't know the proper term) is going to be the same, as it's based
> on the Ethernet MAC address, the IPv6 prefix is obviously going to
> change (as it's based on the IPv4 address with 6to4).
>
> Is there any sort of mechanism so I can say "This host (on the inside
> of the firewall) has a MAC address of <foo>. The IPv6 prefix is going
> to change. The IP address will only be found on (the firewall's) eth2.
> I want a stateful firewall to block incoming connections for everything
> but SSH for that host."
>
> Is this sort of a pipe dream?
>
> It seems to me that with a dynamically assigned IPv6 subnet, firewalls
> become impossible to really manage, as the IPv6 prefix keeps changing,
> which in turn changes the 'destination' IP of every computer that is on
> the subnet...
>
> Is there something that is supposed to handle this? If so, what's it
> called so I can RTFM?
>
> I realize a workaround would be to use multiple IPv6 tunnels (similar
> to the multi-ISP shorewall example) - where I use the tunnel broker's
> static subnet for incoming connections. I'm wondering if it's also the
> only solution.
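The following is an added worked example of the approach Christ suggests (shell variables in the params file) applied to Troy's problem; it is not code from either poster or from the Shorewall project. It assumes 6to4 addressing per RFC 3056 (prefix 2002:V4ADDR::/48 derived from the firewall's public IPv4 address), a stateless-autoconfig interface identifier formed from the MAC address by the EUI-64 rule of RFC 4291, subnet ID 0 within the /48, and that shorewall6 reads /etc/shorewall6/params as a shell file and expands $SSH_HOST in the rules file. The IPv4 and MAC values are constructed sample input. The stable part is the 64-bit interface identifier; only the 6to4 prefix moves with the IPv4 address, so regenerating one variable is enough to keep the SSH exception pinned to that one host while the loc zone's default policy keeps everything else closed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: RFC 3056 6to4 prefix,
# RFC 4291 EUI-64 interface ID (SLAAC), subnet ID 0, Shorewall6 params/rules.

# 2002:AABB:CCDD for IPv4 a.b.c.d (RFC 3056). Leading zeros are kept; they are
# valid in ip6tables/Shorewall6 and keep the group widths predictable.
sixto4_prefix() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
}

# EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A): flip the
# universal/local bit (0x02) of the first octet and insert ff:fe in the middle.
eui64_suffix() {
    set -- $(printf '%s' "$1" | tr 'A-F:' 'a-f ')
    printf '%02x%s:%sff:fe%s:%s%s' $(( 0x$1 ^ 2 )) "$2" "$3" "$4" "$5" "$6"
}

# Full 128-bit address: <6to4 prefix>:<subnet id>:<interface id>
# $1 = firewall's public IPv4, $2 = subnet ID (hex), $3 = inside host's MAC
host_address() {
    printf '%s:%s:%s' "$(sixto4_prefix "$1")" "$2" "$(eui64_suffix "$3")"
}

# Contents of a Shorewall6 params file; rules refer to the value as $SSH_HOST.
params_text() {
    printf 'SSH_HOST=%s\n' "$(host_address "$1" "$2" "$3")"
}

# Matching rules-file line (ACTION SOURCE DEST PROTO DEST_PORT). Shorewall6
# requires IPv6 addresses in rules to be enclosed in square brackets.
rules_text() {
    printf 'ACCEPT\tnet\tloc:[$SSH_HOST]\ttcp\t22\n'
}

# Demo with constructed values (192.0.2.1 is documentation space). Run from a
# dhclient exit hook or cron with the live WAN IPv4, write the params output to
# /etc/shorewall6/params and follow it with "shorewall6 restart".
WAN_V4=192.0.2.1
HOST_MAC=00:11:22:33:44:55
echo "# /etc/shorewall6/params"
params_text "$WAN_V4" 0 "$HOST_MAC"
echo "# /etc/shorewall6/rules"
rules_text
```

The rules line stays constant; only the params file is rewritten when the IPv4 address changes. A second run with a different WAN address (say 198.51.100.7) yields 2002:c633:6407:0:0211:22ff:fe33:4455, the same interface identifier under a new prefix, which is exactly the dependency Troy describes.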