[Firehol-devs] IPv6 support

Phil Whineray phil at sanewall.org
Fri Jan 10 19:03:50 GMT 2014


Hi Andreas

On Fri, Jan 10, 2014 at 02:02:14PM +0000, Andreas Unterkircher wrote:
> >Further testing (and fixes if possible) with real-world configs is
> >always appreciated.
> 
> I have started testing the IPv6 branch on some of our border routers
> that usually output ~10.000 iptables rules.
> It wasn't a big effort to make the existing ruleset v4/v6 compatible.

Good news, thanks for this.

> Maybe it should be documented somewhere that also a construction
> like below is possible.
> Because first I started to duplicate all the logic into router4 and
> router6 statements :-)
> 
> router DMZ outface eth0
>  ipv4 group with dst "10.0.0.138"
>   ipv4 route all accept
>  ipv4 group end

If it's not obvious, you can also do e.g.:

router DMZ outface eth0
   ipv4 route all accept dst "10.0.0.138"
   ipv6 route all accept dst "::1"
   route ssh accept

Looking at your example I think I should look at making the group with
command keep the ipv4 decoration for the enclosed rules, and maybe add
group4 and group6 synonyms.

> >The man pages are up to date for FireHOL but the website tutorials need
> >to be updated to account for IPv6. See the bottom of the email for
> >some tips. Ongoing work is in the 'test' branch here:
> >  https://github.com/philwhineray/firehol-website/tree/test
> 
> Can I help you out somehow on this?
> Is the website auto-generated from a source in the GIT repository?
> I could compare it with the manpages and add missing parts.

The website does indeed auto-generate when the main repository gets
updated, so with luck making updates should become a quick process.
It uses 'nanoc' to build the site - there is a little readme and
Makefile in the repo. If you want to get started straight away you
can just clone the repo, make some changes and submit a patch (or a
merge request through github).

The obvious thing to do would be to try to add to or upgrade the
tutorial to show building up a simultaneous ipv4/ipv6 firewall with
some common rules and some for v4/v6 only. Anything you would like to
try your hand at would be great.

I'll need to look into the details of how I pull changes in when I get
the first one. I don't know how fine-grained the github permissions
are but I may be able to make it so that you can push straight to
somewhere that gets published automatically, so you don't need to wait
for me. That can be my task for tomorrow morning.

Cheers
Phil
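Added example, not from the thread and not FireHOL's own documentation: a single router block of the kind Phil sketches above, with rules shared by both families, rules for one family only, and the `group with` form from Andreas's config (the inner rules keep their own `ipv4` prefix, since the thread says the group does not yet carry the decoration into the enclosed rules). It assumes the `version 6` line, the `interface`/`server`/`client`/`policy`/`protection` commands and the `inface`/`outface` parameters from the released FireHOL syntax; the IPv6 addresses are constructed from the 2001:db8::/32 documentation prefix and 10.0.0.139 is constructed alongside the thread's 10.0.0.138.

```firehol
# Assumption: version line as required by released FireHOL 3.
version 6

# Host firewall. Unprefixed rules are emitted for both iptables and ip6tables.
interface any world
    policy drop
    protection strong
    server ssh accept
    client all accept

# Dual-stack router: shared rules first, then per-family rules.
router DMZ inface eth1 outface eth0
    # Shared: generated once for IPv4 and once for IPv6.
    route ssh accept
    route https accept

    # IPv4-only: a single host reachable from the DMZ (address from the thread).
    ipv4 route all accept dst "10.0.0.138"

    # IPv6-only: the same host on its IPv6 address (constructed, documentation prefix).
    ipv6 route all accept dst "2001:db8::138"

    # Several IPv4-only rules under one qualifier (host address constructed).
    ipv4 group with dst "10.0.0.139"
        ipv4 route dns accept
        ipv4 route ntp accept
    ipv4 group end

    # Anything not matched above is dropped in both families.
    policy drop
```

When checking the generated ruleset, compare the output of `iptables -S` and `ip6tables -S` for the DMZ chains: the shared `route` lines should appear in both, while the `ipv4`/`ipv6` prefixed lines (and the group) appear in only one, which is the quickest way to spot a rule that was accidentally left unprefixed or duplicated into `router4`/`router6` blocks.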
