Re: IPv6 uptake

[Stephen Satchell <list () satchell net>]

On 2/17/24 10:22 AM, Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6 uptake -
> what have peoples' experiences been related to crafting sane v6 firewall
> rulesets in recent products from the major firewall players (Palo Alto,
> Cisco, Fortinet, etc)?  On the last major v6 deployment I did, working with
> the firewalls was definitely one of the major pain points because the
> support / stability was really lacking, or there wasn't full feature parity
> between their v4 and v6 capabilities.

Depends on how complex you want to be with firewall rules.

My web server is on Ubuntu 20.04.  During the IPv4-only days, I used UFW 
(uncomplicated firewall) to implement a mostly-closed firewall, punching 
pin-holes for 80 and 443, and disable any interface forwarding.  When I 
upgraded to IPv4 and IPv6, the process of duplicating the policy in IPv6 
was easy.

The UFW package is built on top of IPTABLES and IP6TABLES.

Now, my edge router is going to be a different story.  As the number of 
rules goes up, UFW becomes tedious and finicky. Manually crafting rules 
in NFT is tedious and error-prone.  Getting all the rules right the 
first time is, um, hard.  Automation is absolutely required.  So I'm 
writing the automation in Python, and driving the rules generator from a 
YAML database.

Expect this to be published on Github.  When?  Depends on when I find 
the time.  This is not a priority project -- I'm so mad at my upstream 
that I find playing Mahjongg is necessary to settle my nerves.

I've said this earlier: by the time the NEED for IPv6 arises, I expect 
to be dead.