Difference between revisions of "Bering-uClibc 4.x - User Guide - IPv6 Networking - Configure Shorewall6"

From bering-uClibc
(Corrected statement on Shorewall6 macros.)
m (Configure Radvd -> Configure Router Advertisements)
 
(4 intermediate revisions by 2 users not shown)
Latest revision as of 13:39, 16 June 2012

IPv6 Networking - Configure Shorewall6


Introduction

Earlier Bering-uClibc versions provided a Package called 6wall.lrp which implemented an IPv6 firewall. Bering-uClibc 4.x provides Package shorwall6.lrp instead. Unlike 6wall.lrp, shorwall6.lrp is an official variant of the IPv4 shorwall.lrp and is supported by the same team. Improvements in the Linux kernel since 2.6.24 make Bering-uClibc 4.x a rather better IPv6 firewall platform than Bering-uClibc 3.x.

Note: The full name "Shorewall" was abbreviated to "shorwall" in order to comply with the 8 character filename length limit for MS-DOS floppy disks, hence the package file is shorwall.lrp. The name of the Shorewall6 package, shorwall6.lrp, is based on the name of the Shorewall package even though the 8 character filename length limit is no longer in effect.

In general, configuration of Shorewall6 is equivalent to configuration of Shorewall, so refer to the Shorewall chapter of this guide. A simple setup is described below. However, note the following differences:

  • There are far fewer macros defined specifically for Shorewall6 than for Shorewall (in other words, far fewer matches for /usr/share/shorewall6/macro.* than for /usr/share/shorewall/macro.*), but all of the Shorewall(4) macros can be used for Shorewall6. Where both files are present (e.g. for mDNS) the Shorewall6 macro takes priority.


ICMP is rather more important for IPv6 than for IPv4, and an IPv6 network will not function unless at least some ICMP packet types are enabled. RFC 4890 defines "Recommendations for Filtering ICMPv6 Messages in Firewalls" and these recommendations are implemented as standard within Shorewall6. Refer to file /usr/share/shorewall6/action.AllowICMPs for more details.

Important: If you are running both Shorewall and Shorewall6 (rather than only Shorewall6) you need to make a modification to the Shorewall configuration otherwise Shorewall6 will be stopped whenever Shorewall is restarted. In file /etc/shorewall/shorewall.conf ensure that DISABLE_IPV6 is set to No.


A small sample setup

The following setup will establish a firewall for your IPv6 router that rejects all traffic initiated anywhere on the Internet to your router and LAN, but allows any traffic from your LAN to the Net. It also allows any traffic from your router/firewall to the LAN, but rejects traffic from your router/firewall to the Internet. It is the simplest setup that gives your LAN a standard, basic level of protection. (Note: The sample setup is based on an IPv6 tunnel to SiXXS.)

Configure your Zones

The /etc/shorewall6/zones file declares your network zones. You specify the hosts in each zone through entries in /etc/shorewall6/interfaces.

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv6
loc     ipv6

Configure your Interfaces

The /etc/shorewall6/interfaces file serves to define the firewall's network interfaces to shorewall6. The order of entries in this file is not significant in determining zone composition.

###############################################################################
#ZONE   INTERFACE       ANYCAST         OPTIONS
net     sixxs           detect
loc     eth1            detect

(It is assumed that your SiXXS tunnel interface is named sixxs; you may need to change this to fit your setup.)

Configure your Policy

The file /etc/shorewall6/policy defines the high-level policy for connections between zones defined in /etc/shorewall6/zones.

###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
fw      loc     ACCEPT
loc     net     ACCEPT
all     all     REJECT          INFO

Important: If you change any of the shorewall6 parameters, remember to save your configuration!
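To check that the three files above express the intended policy before loading them, here is an added example (not code from this guide or from Shorewall itself) that re-implements only Shorewall's first-match policy lookup over the embedded sample files; the rules file, which Shorewall consults before the policy, is deliberately not modelled.

```python
# Added example, not from the Bering-uClibc guide or from Shorewall itself: it
# re-implements only the first-match lookup of /etc/shorewall6/policy for the
# sample files on this page (embedded below); the rules file is not modelled.
ZONES = """\
fw      firewall
net     ipv6
loc     ipv6
"""
INTERFACES = """\
net     sixxs           detect
loc     eth1            detect
"""
POLICY = """\
fw      loc     ACCEPT
loc     net     ACCEPT
all     all     REJECT          INFO
"""


def columns(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def zone_of(name, zones=ZONES, interfaces=INTERFACES):
    """Resolve an interface name, or the firewall zone itself, to a zone."""
    for cols in columns(zones):
        if cols[1] == "firewall" and cols[0] == name:
            return name                      # traffic from/to the router
    for cols in columns(interfaces):
        if cols[1] == name:
            return cols[0]
    raise ValueError("%s is neither an interface nor the firewall zone" % name)


def policy_for(src_zone, dst_zone, policy=POLICY):
    """First matching entry wins and 'all' matches any zone; returns (POLICY, LOG)."""
    for cols in columns(policy):
        if cols[0] in (src_zone, "all") and cols[1] in (dst_zone, "all"):
            return cols[2], (cols[3] if len(cols) > 3 else None)
    raise ValueError("no policy covers %s -> %s" % (src_zone, dst_zone))


def decide(src, dst):
    """Policy applied to a new connection from src to dst (interface or 'fw')."""
    return policy_for(zone_of(src), zone_of(dst))
```

decide("eth1", "sixxs") yields ("ACCEPT", None), while decide("sixxs", "eth1") and decide("fw", "sixxs") both fall through to the catch-all entry and yield ("REJECT", "INFO").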


Logfiles

With Bering-uClibc 4.x, Shorewall6-related messages are written to two different logfiles:

  • Shorewall6 startup messages are written to file /var/log/shorewall6-init.log
    • This is because that file is specified as STARTUP_LOG in /etc/shorewall6/shorewall6.conf
  • Any messages from the Linux kernel "Netfilter" code which contain the string "Shorewall" and relate to IPv6 addresses are written to file /var/log/shorewall6.log
    • This is controlled by the entries in file /etc/syslog-ng/syslog-ng.conf

In addition, the logfile rotation logic defined in file /etc/lrp.conf means that /var/log/shorewall6.log gets renamed to /var/log/shorewall6.log.0 and then /var/log/shorewall6.log.1.gz etc. on a daily basis.
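Because the catch-all policy above logs every rejected connection at INFO level, the entries that end up in /var/log/shorewall6.log are worth summarising. The following is an added example, not code from this guide or from Shorewall: its three log lines are constructed, and the syslog-ng line prefix and the chain names (net2all, fw2net) are assumptions, while the Shorewall:CHAIN:DISPOSITION: prefix and the netfilter KEY=VALUE fields follow the kernel's log format.

```python
import re
from collections import Counter

# Constructed sample lines. The syslog-ng prefix and the chain names
# (net2all, fw2net) are assumptions; the Shorewall:CHAIN:DISPOSITION: prefix
# and the netfilter KEY=VALUE fields are the real kernel log shape.
SAMPLE_LOG = """\
Jun 16 13:39:01 firewall kernel: Shorewall:net2all:REJECT:IN=sixxs OUT= SRC=2001:db8:ffff::10 DST=2001:db8:1::1 LEN=80 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=TCP SPT=40112 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 16 13:39:05 firewall kernel: Shorewall:net2all:REJECT:IN=sixxs OUT=eth1 SRC=2001:db8:ffff::10 DST=2001:db8:1::20 LEN=80 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=TCP SPT=40113 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 16 13:39:09 firewall kernel: Shorewall:fw2net:REJECT:IN= OUT=sixxs SRC=2001:db8:1::1 DST=2001:db8:ffff::53 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=51000 DPT=53
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of the Shorewall fields in one log line, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:                      # bare flags such as SYN carry no '='
            entry[key] = value
    return entry


def is_ipv6(entry):
    """Mirror the syslog-ng split: IPv6 entries carry a colon-form SRC address."""
    return ":" in entry.get("SRC", "")


def summarise(log_text, disposition="REJECT"):
    """Count IPv6 entries with the given disposition by chain, protocol and port."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_ipv6(entry) and entry["disposition"] == disposition:
            key = (entry["chain"], entry.get("PROTO", "?"), entry.get("DPT", "-"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (chain, proto, dport), n in summarise(SAMPLE_LOG).most_common():
        print("%5d  %-10s %-4s dpt=%s" % (n, chain, proto, dport))
```

Run against the live file (for example with open("/var/log/shorewall6.log").read()) the same summary shows which inbound ports are being probed and whether the router itself is trying to reach the Internet despite the fw-to-net rejection.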
