[Firehol-support] IPv6 support

Andreas Unterkircher unki at netshadow.at
Wed Feb 9 07:44:51 GMT 2011


Hi Phil,

> Is the behaviour causing you a problem? It could be that you are running
> into a problem with the auto-detection.

Hah, you are right! It works!

I was just fooled by some original v6-only rules now also appearing in  
the v4 ruleset.

For example the stateful matches and logging rules that were only  
intended to appear in v6.

# the rest must be stateful
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state INVALID -j DROP
# log all other attempts
ip6tables -A FORWARD -m limit --limit 60/minute --limit-burst 10 -j  
LOG --log-level info --log-prefix "v6FWD "

Suddendly with "iptables()" I had log entries appearing in syslog  
containing v4 address - that I only wanted to see for v6 packets. But  
firehol places them into the v4 ruleset too which caused some unwanted  
interactions.

But you are right - just placing "ipv6" infront of these rules and  
they are forced to become ip6tables commands.

Regards,
Andreas





More information about the Firehol-support mailing list