Firewall Wizards mailing list archives
IP Filter 3.4alpha3 - IPv6 update (fwd)
From: Darren Reed <avalon () coombs anu edu au>
Date: Sun, 19 Dec 1999 01:59:27 +1100 (Australia/NSW)
FYI:
Greetings,

IP Filter now supports, almost completely, IPv6. The only parts which aren't covered are:

* NAT - and that's not something I actually intend on paying any attention to (yet - get another ISP if they only give you one IPv6 address via DHCP/dialup and then send them hatemail for being idiots);
* IPv6 ICMP or ICMP6 (all the types and codes have changed, although the header is vaguely the same).

So this means that IP Filter can now do stateful filtering of IPv6 packets (excluding matching ICMP6 packets) and IPv6 packets can get logged.

There are some limitations: all rules must currently use the numeric form of representation for IPv6 addresses, and if you try and use `fancy' IPv6 headers, packets will fail to match rules which specify normal protocols such as TCP, UDP, etc.

I've been testing this on interfaces with native IPv6 addresses - not tunnels.

Sample output from ipmon:

18/12/1999 13:51:10.954701 STATE:NEW 2002:c0a8:100:1::2,49153 -> 2002:c0a8:100:1::1,23 PR tcp
18/12/1999 13:55:24.030256 STATE:CLOSE 2002:c0a8:100:1::2,49153 -> 2002:c0a8:100:1::1,23 PR tcp Pkts 51 Bytes 3000

and the matching entry from the state table:

2002:c0a8:100:1::2 -> 2002:c0a8:100:1::1 ttl 472 pass 0x100a pr 6 state 5/5
        pkts 51 bytes 3000 49153 -> 23 67c7cd03:8f52ac6c 17520:25704
        pass in keep state IPv6
        pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
        pkt_security & ffff = 0, pkt_auth & ffff = 0
        interfaces: in le0[f5a0c518] out le0[f5a0c518]

the rule:

# ipfstat -6i
1 pass in on le0 proto tcp from any to any flags S/FSRPAU keep state

If you're using NetBSD-current or OpenBSD-current (with the latest KAME IPv6 import), the patches below should help you on your way. I've not tested this with FreeBSD - FreeBSD doesn't seem to have any generic mechanism like PFIL_HOOKS.

Last Minute:
------------
One thing, before I forget! When compiling IP Filter, you *will* need to add -DUSE_INET6 to CFLAGS= where it is defined as a part of MFLAGS1 in the top Makefile.

Tools compiled _without_ -DUSE_INET6 *will not work* with a kernel using these patches, ipf3.4alpha*, if you have "options INET6" present in your config file! I will be attending to this to make it both easier to turn on and to detect trouble when a kernel and userland are compiled differently. Solaris8 people, don't worry, it builds for IPv6 regardless.

Anyway, that's all for now.

Darren

http://coombs.anu.edu.au/~avalon/ipf3.4alpha3.tar.gz

[patches for NetBSD/OpenBSD deleted - you should really be on the ipfilter]
[list if you're going to use them]
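The two ipmon STATE lines quoted in the post are the kind of record a log pipeline has to turn back into sessions. The following is an added example, not part of Darren's post and not IP Filter's own code: it parses STATE:NEW / STATE:CLOSE records, pairs them on the 5-tuple, and flags cleartext telnet over IPv6 (the session in the sample). The field layout is an assumption read off the two quoted lines, the SAMPLE_LOG is constructed to match them, and the parser goes a little beyond the post by also accepting IPv4 literal addresses, since ipmon prints those in the same positions.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample input, modelled on the two ipmon lines quoted in the post.
SAMPLE_LOG = (
    "18/12/1999 13:51:10.954701 STATE:NEW 2002:c0a8:100:1::2,49153"
    " -> 2002:c0a8:100:1::1,23 PR tcp\n"
    "18/12/1999 13:55:24.030256 STATE:CLOSE 2002:c0a8:100:1::2,49153"
    " -> 2002:c0a8:100:1::1,23 PR tcp Pkts 51 Bytes 3000\n"
)

# Layout assumed from those lines (an assumption, not taken from ipmon's source):
#   dd/mm/yyyy hh:mm:ss.usec STATE:<NEW|CLOSE> src,sport -> dst,dport PR proto [Pkts n Bytes n]
STATE_RE = re.compile(
    r"^(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{6}) "
    r"STATE:(?P<event>NEW|CLOSE) "
    r"(?P<src>[0-9A-Fa-f:.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[0-9A-Fa-f:.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<nbytes>\d+))?$"
)


@dataclass
class StateEvent:
    when: datetime
    event: str            # "NEW" or "CLOSE"
    src: Addr
    sport: int
    dst: Addr
    dport: int
    proto: str
    pkts: Optional[int]   # only present on CLOSE records
    nbytes: Optional[int]

    def key(self) -> Tuple[Addr, int, Addr, int, str]:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def parse_line(line: str) -> Optional[StateEvent]:
    """Return the parsed STATE record, or None for any other ipmon line."""
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    # ip_address() accepts only literal v4/v6 addresses (the numeric form the post
    # says rules must use) and raises ValueError on anything else.
    return StateEvent(
        when=datetime.strptime(m["stamp"], "%d/%m/%Y %H:%M:%S.%f"),
        event=m["event"],
        src=ipaddress.ip_address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"],
        pkts=int(m["pkts"]) if m["pkts"] else None,
        nbytes=int(m["nbytes"]) if m["nbytes"] else None,
    )


@dataclass
class Session:
    start: datetime
    end: datetime
    src: Addr
    sport: int
    dst: Addr
    dport: int
    proto: str
    pkts: int
    nbytes: int

    def duration(self) -> float:
        return (self.end - self.start).total_seconds()


def pair_sessions(log_text: str) -> List[Session]:
    """Match each STATE:CLOSE to the STATE:NEW carrying the same 5-tuple."""
    pending: Dict[Tuple[Addr, int, Addr, int, str], StateEvent] = {}
    done: List[Session] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.event == "NEW":
            pending[ev.key()] = ev   # a repeated NEW for the same tuple supersedes the old one
        else:
            start = pending.pop(ev.key(), None)
            if start is None:
                continue             # CLOSE with no NEW on record (log began mid-session)
            done.append(Session(start.when, ev.when, ev.src, ev.sport, ev.dst, ev.dport,
                                ev.proto, ev.pkts or 0, ev.nbytes or 0))
    return done


def ipv6_telnet_sessions(sessions: List[Session]) -> List[Session]:
    """Flag cleartext telnet (tcp/23) sessions carried over IPv6, like the post's sample."""
    return [s for s in sessions if s.proto == "tcp" and s.dport == 23 and s.dst.version == 6]


if __name__ == "__main__":
    for s in ipv6_telnet_sessions(pair_sessions(SAMPLE_LOG)):
        print(f"{s.src},{s.sport} -> {s.dst},{s.dport} {s.duration():.3f}s "
              f"{s.pkts} pkts {s.nbytes} bytes")
```

Feed it `ipmon -o S` style output on stdin or from a file in place of SAMPLE_LOG; a CLOSE that arrives without a matching NEW is dropped rather than guessed at, and a NEW that is never closed simply stays in the pending table, which is also where you would put an idle timeout if you run this as a long-lived process.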
Current thread:
- IP Filter 3.4alpha3 - IPv6 update (fwd) Darren Reed (Dec 18)