Hi folks, in the context of my diploma thesis I'm currently working on an IPv6 gateway based on OpenWrt. I wrote quite a lengthy synopsis but later found out that my idea is already well summarized in RFC 4864 [1], chapter 4.2:
    To implement simple security for IPv6 in, for example, a DSL or
    cable modem-connected home network, the broadband gateway/router
    should be equipped with stateful firewall capabilities. These should
    provide a default configuration where incoming traffic is limited to
    return traffic resulting from outgoing packets (sometimes known as
    reflective session state). There should also be an easy interface
    that allows users to create inbound 'pinholes' for specific purposes
    such as online gaming.

That's it (plus some nifty features), because I don't buy (and got some counter arguments to) the security-by-obscurity arguments behind the three bullet points earlier in the same chapter :)

After fighting with and taming buildroot for some time, I hit my next obstacle: quite obviously uci_firewall is not IPv6 capable. So I guess I've got to change that. [2] suggests discussing ideas in advance so double work can be avoided. I like that idea, so here's my proposal to add IPv6 support to uci_firewall:

* uci_firewall will automagically detect if IPv6 rules are needed, based on the availability of ip6tables and kmod-ipv6. There will probably be some corner cases, like when kmod-ipv6 is loaded after the firewall was already set up, but these should be fixable.
* All rules which don't explicitly state a $src or $dst will be generated for both. (The same is true for chains.) If one of those is given, the script will look at the address format and generate the proper rules.
* This will be done by replacing $IPTABLES with an iptables() function which does the magic (I guess this will be easier once nftables [3] is around, but I've got to work with the stuff we have).
* It seems like uci_firewall needs some general love; there seem to be some non-local variables, or even variables with undefined values, hanging around.
* Maybe I'll additionally add explicit src_ipv4 and src_ipv6 (and dst_ipv{4,6} respectively) if that makes sense.
* I also thought about introducing host aliases which bundle the IPvX addresses of a host and are then referenced in the rules (if you've used m0n0wall, you know what I mean). But that would be a later feature.
* Contrary to m0n0wall, the host aliases should be accompanied by net aliases so renumbering a net becomes trivial.

Any comments, ideas, flames? I'm also hanging around on #openwrt as moonflux.

Cheers,
Malte

[1] http://tools.ietf.org/rfc/rfc4864.txt
[2] https://dev.openwrt.org/wiki/SubmittingPatches
[3] http://marc.info/?l=linux-netdev&m=123735060618579

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
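The $IPTABLES-replacement function sketched in the proposal above (detect whether ip6tables is usable, emit a rule for both families unless a $src/$dst pins it to one, classify by address syntax), written out as an added example. This is not uci_firewall code and not Malte's patch; the fw_* function names, the FW_FAMILIES and FW_DRY_RUN variables, the detection test (ip6tables binary present and /proc/net/ip6_tables_names registered by the loaded ip6_tables module) and the syntax-based classification are all assumptions made for the illustration. It also handles the two failure modes the proposal does not mention: a rule that mixes an IPv4 source with an IPv6 destination is rejected, and an IPv6-only rule on a box without ip6tables is skipped with a warning instead of vanishing silently.

```shell
#!/bin/sh
# Added example, not uci_firewall code. `local` is an ash/dash/bash extension
# (available on OpenWrt's busybox ash), used here because the original post
# complains about non-local variables in uci_firewall.

# Address families this box can filter. Assumption: IPv6 counts as available
# when the ip6tables binary exists and the ip6_tables module has registered
# /proc/net/ip6_tables_names. Override with FW_FAMILIES="ipv4 ipv6" for tests.
fw_detect_families() {
    local families=ipv4
    if command -v ip6tables >/dev/null 2>&1 && [ -e /proc/net/ip6_tables_names ]; then
        families="$families ipv6"
    fi
    echo "$families"
}

# Classify an address argument by syntax only: ipv4, ipv6, or "any" for a
# hostname, comma list or empty string (those are resolved per family by
# iptables/ip6tables at rule-load time, so the rule is emitted for both).
fw_addr_family() {
    case "$1" in
        "")         echo any ;;
        *:*)        echo ipv6 ;;
        *[!0-9./]*) echo any ;;
        *)          echo ipv4 ;;
    esac
}

# Run the final command, or just print it while FW_DRY_RUN=1 (the default here).
fw_run() {
    if [ "${FW_DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Drop-in replacement for $IPTABLES, e.g.:
#   fw_iptables -A forward -s 10.0.0.0/8 -j ACCEPT
fw_iptables() {
    local want=any prev="" arg addr fam emitted=0
    for arg in "$@"; do
        addr=""
        case "$prev" in
            -s|--source|--src|-d|--destination|--dst) addr=$arg ;;
        esac
        case "$arg" in
            --source=*|--src=*|--destination=*|--dst=*) addr=${arg#*=} ;;
        esac
        prev=$arg
        [ -n "$addr" ] || continue
        fam=$(fw_addr_family "$addr")
        [ "$fam" != any ] || continue
        # One rule cannot carry an IPv4 address on one side and IPv6 on the other.
        if [ "$want" != any ] && [ "$want" != "$fam" ]; then
            echo "fw_iptables: mixed address families in: $*" >&2
            return 1
        fi
        want=$fam
    done
    for fam in ${FW_FAMILIES:-$(fw_detect_families)}; do
        [ "$want" = any ] || [ "$want" = "$fam" ] || continue
        case $fam in
            ipv4) fw_run iptables "$@" ;;
            ipv6) fw_run ip6tables "$@" ;;
        esac
        emitted=$((emitted + 1))
    done
    # An IPv6 rule on a box without ip6tables is skipped, but never silently.
    if [ "$emitted" -eq 0 ]; then
        echo "fw_iptables: no usable address family for: $*" >&2
    fi
    return 0
}
```

On a real gateway set FW_DRY_RUN=0 and leave FW_FAMILIES unset so detection runs. Two caveats follow from classifying by syntax: the legacy `-s ! addr` negation form is not parsed (use `! -s addr`), and a hostname is handed to both iptables and ip6tables, so a name with no AAAA record will make the ip6tables call fail at load time; that is the place to decide whether a missing family is an error or a warning.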