Date:      Mon, 22 Dec 2008 16:31:09 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        beni@brinckman.info
Cc:        freebsd-questions@freebsd.org
Subject:   Re: kernel options for ipv6 firewall
Message-ID:  <494FC0CD.7010903@infracaninophile.co.uk>
In-Reply-To: <200812221615.36177.beni@brinckman.info>
References:  <200812221615.36177.beni@brinckman.info>

beni wrote:

> and I tried this also (from http://www.kame.net/~suz/freebsd-ipv6-config-guide.txt) :
>
> 	options IPV6FIREWALL
> 	#options IPV6FIREWALL_VERBOSE
> 	#options IPV6FIREWALL_VERBOSE_LIMIT=100
> 	#options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> But all I get is an "unknown option" error when I do a make buildkernel.

That information is out of date.  ipfw now handles both IPv4 and IPv6 without
any extra kernel configuration required.  All you need to do is write rules
that reference IPv6 addresses etc.

> I've also added this to my /etc/rc.conf :
> #IPv6
> gateway6_enable="YES"
> ipv6_enable="YES"
> #ipv6_gateway_enable="YES"
> #ipv6_router_enable="YES"
> ipv6_network_interfaces="vr0 tun0"
>
> # Enable ip6fw.
> ipv6_firewall_enable="YES"
> ipv6_firewall_type="client"
> # ipv6_firewall_quiet="NO"
> ipv6_firewall_quiet="YES" 	# suppress rule display. (By default, it's NO)
> ipv6_firewall_logging="YES"	# enable events logging. (By default, it's NO)
> ipv6_firewall_flags=""		# Flags passed to ip6fw when type is a "filename"

Take a look at /etc/rc.firewall6 -- that just does for IPv6 what rc.firewall
does for IPv4.  Your settings above should enable it to work, but you'll need
to put the correct network numbers, prefix len and IP address into the
rc.firewall6 file.  (Not a particularly nice piece of design: configuration
information like that shouldn't require you to edit the actual rc script.)

> pf is enabled for ipv4.

pf will also do IPv6 automatically.  With pf's really very handy indeed
feature of being able to deduce from the interface name the IP numbers /
networks to put in the rulesets, you can write rules that operate on IPv4
only:

  pass in on $ext_if inet proto tcp \
     from any to $ext_if port ssh   \
     flags S/SA keep state          \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

IPv6 only:

  pass in on $ext_if inet6 proto tcp \
     from any to $ext_if port ssh    \
     flags S/SA keep state           \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

or both:

  pass in on $ext_if proto tcp    \
     from any to $ext_if port ssh \
     flags S/SA keep state        \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

Although this last is internally transformed into two rules, one for the
IPv4 address on the i/f, and the other for the IPv6 address.  See 'pfctl -sr'
for the generated rules.  So on my machine, that becomes:

pass in on de0 inet6 proto tcp from any to fe80::240:5ff:fea5:8db7 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)
pass in on de0 inet proto tcp from any to 81.187.76.162 port = ssh flags S/SA keep state (source-track rule, max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, src.track 30)

(not that I've yet seen any ssh bruteforce attempts over IPv6)

If you need bandwidth limiting facilities, you can do this with pf as well,
but you will have to compile a custom kernel to enable the ALTQ features.
It's equivalent to IPFW's dummynet but there are subtle differences in the
way it operates that may or may not be a show stopper for you.


> So what option(s) do I need to use an ipv6 firewall in my kernel ?

Same as you need for either pf or ipfw with IPv4 -- in fact, you frequently
don't need to modify the GENERIC kernel at all.  You can just load ipfw as a
kld.  Same with pf, unless you need to use altq which still requires some
compiled-in stuff in the kernel.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
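The rules in the reply above reference an overload table, <ssh-bruteforce>, but do not show the table definition or the rule that acts on its contents. The following pf.conf fragment is an added example, not part of the original message or of FreeBSD's own rc.firewall scripts; it assumes an external interface named "vr0" (taken from the rc.conf quoted in the thread) bound to the ext_if macro, and it shows the dual-stack form of the rule together with the pieces needed for the overload to actually block anything.

```pf
# Added example (not from the original post). Assumes the external
# interface is vr0; substitute your own interface name.
ext_if = "vr0"

# Table that the overload clause below fills with offending sources.
# A pf table holds both IPv4 and IPv6 addresses, so a single table
# serves both address families; "persist" keeps it across rule reloads.
table <ssh-bruteforce> persist

# Drop anything already flagged as an ssh brute-forcer. Without an
# "inet" or "inet6" keyword this applies to both address families.
block in quick on $ext_if from <ssh-bruteforce>

# Allow new ssh connections to whatever addresses (v4 and v6) are
# configured on $ext_if, but no more than 3 new connections per source
# in 30 seconds. A source exceeding that is added to the table and
# "flush global" tears down every state it already holds.
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -sr` will show the pass rule expanded into the inet and inet6 pair the reply describes. `pfctl -t ssh-bruteforce -T show` lists the addresses currently caught by the overload, and `pfctl -t ssh-bruteforce -T expire 86400` drops entries older than a day, which is worth running from cron since nothing in pf itself ages them out. Because the table is keyed by source address rather than by address family, the same detection and blocking logic covers an IPv6 brute-force attempt without any separate IPv6 configuration, which is the point the reply makes about pf handling IPv6 automatically.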

