[Firehol-devs] IPv6 support
Phil Whineray
phil at sanewall.org
Wed Jan 8 20:01:32 CET 2014
On Wed, Jan 08, 2014 at 07:48:24AM +0000, Andreas Unterkircher wrote:
> May I ask about the forthcome integrating sanewalls IPv6 into firehol?
> Time rushes on and IPv6 is moving more and more into focus.
Thanks for making me write this - I probably should have done so some
time back.
At this moment I would say that the ipv6 code in firehol is as complete
and stable as the code in sanewall. The intention is to merge it to
master and release as firehol 2.0 as soon as the documentation and
website are complete, since there are some important changes.
> I'm willing to contribute - but I just want to make sure that not
> some one else is already working on this.
Thanks for the offer. To get a release ready, most of the work
is not code at this point. If you have any time to offer, help
is more than welcome! some pointers are below.
Further testing (and fixes if possible) with real-world configs is
always appreciated. You can get the source from github or a version
which builds automatically from the branch is here:
http://firehol.org/download/unsigned/ipv6/
The man pages are up to date for FireHOL but the website tutorials need
to be updated to account for IPv6. See the bottom of the email for
some tips. Ongoing work is in the 'test' branch here:
https://github.com/philwhineray/firehol-website/tree/test
The test site is published automatically here:
http://test.firehol.org/
The FireQOS part of the manual needs creating - I am putting together
an outline (but very slowly) so Costa can fill in the gaps. The website
also needs to include more information.
As a truly simple starting task, I guess there would be no harm in
documenting the above tasks and adding them to the GitHub issue tracker:
https://github.com/ktsaou/firehol/issues
If anything takes your fancy, please feel free to dig in, and if you
need any help or explanations just let me know.
Cheers
Phil
There is one big difference for those who will migrate from sanewall
to firehol with IPv6.
Firehol will not attempting autodetection by IP address. When specifying
source or destination you will need to either include both explicitly
(e.g. src4 and src6) or mark the rule as ipv4 or ipv6 only.
This change forces configs to be more explicit: the result is that the
behaviour of rules is much more obvious when reading them back,
especially when negation is involved and is IMHO still a marked
improvement over separate IPv4 and IPv6 config files used by most
solutions.
More information about the Firehol-devs
mailing list