Difference between revisions of "Bering-uClibc 4.x - User Guide - IPv6 Networking - Configure Shorewall6"
Previous revision by Davidmbrooke (Corrected statement on Shorewall6 macros.)
This revision: (add a small sample configuration)
Revision as of 14:26, 16 January 2011
IPv6 Networking - Configure Shorewall6 | ||
Earlier Bering-uClibc versions provided a package called 6wall.lrp which implemented an IPv6 firewall.
Bering-uClibc 4.x provides shorwall6.lrp instead.
Unlike 6wall.lrp, shorwall6.lrp is an official variant of the IPv4 shorwall.lrp and is supported by the same team.
Improvements in the Linux kernel since 2.6.24 make Bering-uClibc 4.x a rather better IPv6 firewall platform than Bering-uClibc 3.x.
Note: The full name "Shorewall" was abbreviated to "shorwall" in order to comply with the 8 character filename length limit for MS-DOS floppy disks, hence the package file is shorwall.lrp. The name of the Shorewall6 package, shorwall6.lrp, is based on the name of the Shorewall package even though the 8 character filename length limit is no longer in effect.
In general, configuration of Shorewall6 is equivalent to configuration of Shorewall, so refer to the Shorewall chapter of this guide. A simple setup is described below. However, note the following differences:
- There are far fewer macros defined specifically for Shorewall6 than for Shorewall (in other words, far fewer matches for /usr/share/shorewall6/macro.* than for /usr/share/shorewall/macro.*), but all of the Shorewall(4) macros can be used for Shorewall6. Where both files are present (e.g. for mDNS) the Shorewall6 macro takes priority.
Important: If you are running both Shorewall and Shorewall6 (rather than only Shorewall6) you need to make a modification to the Shorewall configuration otherwise Shorewall6 will be stopped whenever Shorewall is restarted.
In file /etc/shorewall/shorewall.conf ensure that DISABLE_IPV6 is set to No.
A small sample setup
The following setup establishes a firewall for your IPv6 router that rejects all traffic initiated anywhere on the Internet towards your router and LAN, but allows any traffic from your LAN to the Internet. It also allows any traffic from your router/firewall to the LAN, but rejects traffic from your router/firewall to the Internet. It is thus the simplest setup that gives standard low-level protection for your LAN. (Note: The sample setup is based on an IPv6 tunnel to SixXS.)
Configure your Zones
The
    ###############################################################################
    #ZONE   TYPE        OPTIONS         IN          OUT
    #                                   OPTIONS     OPTIONS
    fw      firewall
    net     ipv6
    loc     ipv6
Configure your Interfaces
    ###############################################################################
    #ZONE   INTERFACE   ANYCAST     OPTIONS
    net     sixxs       detect
    loc     eth1        detect
Configure your Policy
    ###############################################################################
    #SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
    #                       LEVEL   BURST       MASK
    fw      loc     ACCEPT
    loc     net     ACCEPT
    all     all     REJECT  INFO
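Before restarting Shorewall6 with the three tables above it is worth checking that they agree with each other and that the DISABLE_IPV6 setting described earlier has not been left at Yes. The script below is an added example written for this page; it is not part of the Bering-uClibc guide or of Shorewall6 itself. It assumes the Shorewall6 table files live in one directory (normally /etc/shorewall6, an assumption, since the page only names /etc/shorewall/shorewall.conf) using the column layout shown above, and it is written for a POSIX sh so that it can run on the router's own shell. The sample tables it builds for its dry run are a constructed copy of the ones above.

```shell
#!/bin/sh
# Added example (not from the Bering-uClibc guide or Shorewall6): consistency
# checks for a Shorewall6 configuration directory plus the IPv4 shorewall.conf.
# Assumptions: $1 is the Shorewall6 directory (e.g. /etc/shorewall6, assumed),
# $2 is the IPv4 shorewall.conf that carries DISABLE_IPV6.

# Print a Shorewall table file with comments and blank lines removed.
sw_table() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Every zone named in interfaces and policy must be declared in zones.
# "all" is a policy keyword, not a zone. Returns 1 and lists offenders otherwise.
check_zones() {
    declared=$(sw_table "$1/zones" | awk '{print $1}')
    rc=0
    for z in $(sw_table "$1/interfaces" | awk '{print $1}') \
             $(sw_table "$1/policy" | awk '{print $1; print $2}'); do
        case "$z" in all) continue ;; esac
        echo "$declared" | grep -qxF "$z" || { echo "undeclared zone: $z" >&2; rc=1; }
    done
    return $rc
}

# Exactly one zone of type "firewall" (the router itself) must be declared.
check_fw_zone() {
    n=$(sw_table "$1/zones" | awk '$2 == "firewall" { c++ } END { print c + 0 }')
    [ "$n" -eq 1 ]
}

# The last policy line must be the "all all" catch-all, so that traffic
# between zones with no explicit policy is not left undefined.
check_catchall() {
    sw_table "$1/policy" | awk '{ a = $1; b = $2 } END { exit !(a == "all" && b == "all") }'
}

# DISABLE_IPV6=Yes in the IPv4 shorewall.conf makes a Shorewall restart stop
# Shorewall6 when both are in use, so it must be No (or unset).
check_disable_ipv6() {
    ! grep -Eiq '^[[:space:]]*DISABLE_IPV6="?Yes' "$1"
}

run_checks() {
    check_zones "$1" && check_fw_zone "$1" && check_catchall "$1" && check_disable_ipv6 "$2"
}

# Constructed copy of the sample tables above, written to a temporary
# directory so the checks can be exercised offline.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv6
loc     ipv6
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   ANYCAST   OPTIONS
net     sixxs       detect
loc     eth1        detect
EOF
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
fw      loc     ACCEPT
loc     net     ACCEPT
all     all     REJECT  INFO
EOF
    echo "$dir"
}

# Usage on a real system (paths assumed): sh check6.sh /etc/shorewall6 /etc/shorewall/shorewall.conf
if [ $# -eq 2 ]; then
    run_checks "$1" "$2" && echo "shorewall6 configuration in $1 is consistent"
fi
```

A typo such as `lan` for `loc` in the policy file, or a forgotten catch-all line, is reported before Shorewall6 is restarted rather than discovered after the firewall has been reloaded with a hole or a lockout.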