kernel options for ipv6 firewall

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Dec 22 16:31:27 UTC 2008


beni wrote:

> and I tried this also (from http://www.kame.net/~suz/freebsd-ipv6-config-guide.txt) :
> 
> 	options IPV6FIREWALL
> 	#options IPV6FIREWALL_VERBOSE
> 	#options IPV6FIREWALL_VERBOSE_LIMIT=100
> 	#options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> But all I get is an "unknown option" error when I do a make buildkernel.

That information is out of date.  ipfw now handles both IPv4 and IPv6 without
any extra kernel configuration required.  All you need to do is write rules
that reference IPv6 addresses etc.

> I've added also this to my /etc/rc.conf :
> #IPv6
> gateway6_enable="YES"
> ipv6_enable="YES"
> #ipv6_gateway_enable="YES"
> #ipv6_router_enable="YES"
> ipv6_network_interfaces="vr0 tun0"
> 
> # Enable ip6fw.
> ipv6_firewall_enable="YES"
> ipv6_firewall_type="client"
> # ipv6_firewall_quiet="NO"
> ipv6_firewall_quiet="YES" 	# suppress rule display. (By default, it's NO)
> ipv6_firewall_logging="YES"	# enable events logging. (By default, it's NO)
> ipv6_firewall_flags=""		# Flags passed to ip6fw when type is a "filename"

Take a look at /etc/rc.firewall6 -- that just does for IPv6 what rc.firewall
does for IPv4.  Your settings above should enable it to work, but you'll need
to put the correct network numbers, prefix len and IP address into the
rc.firewall6 file.  (Not a particularly nice piece of design: configuration
information like that shouldn't require you to edit the actual rc script.)

> pf is enabled for ipv4.

pf will also do IPv6 automatically.  With pf's really very handy indeed
feature of being able to deduce from the interface name the IP numbers /
networks to put in the rulesets, you can write rules that operate on IPv4
only:

  pass in on $ext_if inet proto tcp \
     from any to $ext_if port ssh   \
     flags S/SA keep state          \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

IPv6 only:

  pass in on $ext_if inet6 proto tcp \
     from any to $ext_if port ssh    \
     flags S/SA keep state           \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

or both:

  pass in on $ext_if proto tcp    \
     from any to $ext_if port ssh \
     flags S/SA keep state        \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

Although this last is internally transformed into two rules, one for the
IPv4 address on the i/f, and the other for the IPv6 address.  See 'pfctl -sr'
for the generated rules.  So on my machine, that becomes:

pass in on de0 inet6 proto tcp from any to fe80::240:5ff:fea5:8db7 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)
pass in on de0 inet proto tcp from any to 81.187.76.162 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)

(not that I've yet seen any ssh bruteforce attempts over IPv6)

If you need bandwidth limiting facilities, you can do this with pf as well,
but you will have to compile a custom kernel to enable the ALTQ features.
It's equivalent to IPFW's dummynet but there are subtle differences in the
way it operates that may or may not be a show stopper for you.


> So what option(s) do I need to use an ipv6 firewall in my kernel?

Same as you need for either pf or ipfw with IPv4 -- in fact, you frequently
don't need to modify the GENERIC kernel at all.  You can just load ipfw as a
kld.  Same with pf, unless you need to use altq which still requires some
compiled-in stuff in the kernel.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
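The overload rule quoted above only limits the rate on its own; to actually refuse traffic from a source that tripped it, the table and a block rule referencing it need to exist too. The fragment below is an added example and is not from the original post or from either machine discussed in it; it assumes the external interface is vr0 (the name from the quoted rc.conf) and reuses the thread's <ssh-bruteforce> table name.

```pf
# Added example, not from the original post. Assumption: the external
# interface is vr0; macro and table names are illustrative.
ext_if = "vr0"

# Sources that exceed the connection rate are added here by the overload
# clause. "persist" keeps the table defined even while it is empty.
table <ssh-bruteforce> persist

# Default policy: drop everything and log it, then open holes below.
block log all

# Refuse offenders first. Without an "inet"/"inet6" keyword this matches
# both address families, so the table may hold IPv4 and IPv6 entries.
block in quick on $ext_if from <ssh-bruteforce>

# Allow SSH to this host over both IPv4 and IPv6 with a single rule. pf
# expands it into one rule per address configured on $ext_if, which is
# what "pfctl -sr" shows. More than 3 new connections from one source
# inside 30 seconds adds that source to <ssh-bruteforce> and "flush global"
# tears down all of its existing states, not just those from this rule.
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# The same policy for IPv6 only, if the two families ever need to differ:
# pass in on $ext_if inet6 proto tcp from any to $ext_if port ssh \
#     flags S/SA keep state \
#     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
```

Check the expanded ruleset with `pfctl -sr` and the addresses the overload clause has collected with `pfctl -t ssh-bruteforce -T show`; entries stay until removed with `pfctl -t ssh-bruteforce -T expire <seconds>` or `-T flush`.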


