Hi Malte,

On Sunday 07 June 2009 15:59:20 Malte S. Stretz, you wrote:
> Hi folks,
>
> in the context of my diploma thesis I'm currently working on an IPv6
> gateway based on OpenWrt. I wrote quite a lengthy synopsis but later found
> out that my idea is already well summarized in RFC 4864 [1], chapter 4.2:
>
> To implement simple security for IPv6 in, for example, a DSL or cable
> modem-connected home network, the broadband gateway/router should be
> equipped with stateful firewall capabilities. These should provide a
> default configuration where incoming traffic is limited to return
> traffic resulting from outgoing packets (sometimes known as
> reflective session state). There should also be an easy interface
> that allows users to create inbound 'pinholes' for specific purposes
> such as online gaming.
>
> That's it (plus some nifty features) because I don't buy (and got some
> counter arguments to) the security-by-obscurity arguments behind the
> three bullet points previously in the same chapter :)
>
> After fighting with and taming buildroot for some time, I hit my next
> obstacle: Quite obviously uci_firewall is not IPv6 capable.
Definitely not :)
>
> So I guess I've got to change that.
>
> [2] suggests to discuss the ideas in advance so double work can be avoided.
> I like that idea, so here's my proposal to add IPv6 support to
> uci_firewall:
>
> * uci_firewall will automagically detect if IPv6 rules are needed, based on
> the availability of ip6tables and kmod-ipv6. There will probably be some
> corner cases, like when kmod-ipv6 is loaded after the firewall was already
> set up, but these should be fixable.
Why not have ip6tables install its uci_firewall6 script, for instance? Just like
iptables installs its firewall script, since firewalling without ip6tables is
not possible.
>
> * All rules which don't explicitly state a $src or $dst will be generated
> for both. (The same is true for chains.) If one of those is given, the
> script will look at the address format and generate the proper rules.
I am fine with this.
>
> * This will be done by replacing $IPTABLES with an iptables() function which
> does the magic (guess this will be easier once nftables [3] is around but
> I've got to work with the stuff we have).
Last I tried, there were quite a lot of IPv4-specific cases which did make all
rules apply, and those which were would not give a coherent firewall. This
was with the old firewall though.
>
> * Seems like the uci_firewall needs some general love, there seem to be
> some non-local or even variables with undefined values hanging around.
>
> * Maybe I'll additionally add an explicit src_ipv4 and src_ipv6 (and
> dst_ipv{4,6} respectively) if that makes sense.
Ok
>
> * I also thought about introducing host aliases which bundle the IPvX
> addresses of a host and are then referenced in the rules (if you used
> m0n0wall, you know what I mean). But that would be a later feature.
If it does not add that much overhead, I am ok with that. A user is most
likely to know that the computer with IPv4 a.b.c.d is named foo or bar on his
local network.
>
> * Contrary to m0n0wall the host aliases should be accompanied by net
> aliases so renumbering a net becomes trivial.
>
> Any comments, ideas, flames? I'm also hanging around on #openwrt as
> moonflux.
I really like the idea, being an IPv6 user and enthusiast ;)
>
> Cheers,
> Malte
>
> [1]http://tools.ietf.org/rfc/rfc4864.txt
> [2]https://dev.openwrt.org/wiki/SubmittingPatches
> [3]http://marc.info/?l=linux-netdev&m=123735060618579
> _______________________________________________
> openwrt-devel mailing list
> [email protected]
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
--
Best regards, Florian Fainelli
Email : [email protected]
http://openwrt.org
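Added example (not uci_firewall code and not from either poster): a sketch of the iptables() dispatch proposed above, written as a POSIX shell script. A rule that names no source or destination is emitted for both iptables and ip6tables, a rule with an address is emitted for the family the address belongs to, and an explicit family argument (the src_ipv6/dst_ipv6 idea) covers rules that have no address but must be IPv6-only. It then uses that dispatcher to build the RFC 4864 section 4.2 default (unsolicited inbound dropped, return traffic of outbound sessions accepted) plus one pinhole. The function names, the DRY_RUN/HAVE_IPV6 switches and the 192.0.2.0/24 and 2001:db8::/32 addresses are assumptions for the demonstration; nothing here touches the real netfilter tables unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Assumed switches (not uci config): DRY_RUN=1 prints commands instead of
# running them; HAVE_IPV6 stands in for "ip6tables and kmod-ipv6 present".
DRY_RUN=${DRY_RUN:-1}
HAVE_IPV6=${HAVE_IPV6:-1}
IPTABLES=${IPTABLES:-iptables}
IP6TABLES=${IP6TABLES:-ip6tables}

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# addr_family ADDR -> prints 4 or 6, or nothing if the format is not recognised.
# Any colon means IPv6 (address or prefix); otherwise only digits, dots and a
# CIDR slash are accepted as IPv4. Deliberately loose: iptables does the real
# validation when the rule is applied.
addr_family() {
    case "$1" in
        *:*)            echo 6 ;;
        *[!0-9./]*|"")  echo "" ;;
        *.*.*.*)        echo 4 ;;
        *)              echo "" ;;
    esac
}

# fw_rule FAMILY SRC DST IPTABLES-ARGS...
# FAMILY, SRC and DST may be "" (unspecified). The family is taken from the
# addresses; with no address and no family the rule goes to both tables.
# Mixing an IPv4 and an IPv6 address, or an address and a conflicting
# explicit family, is an error rather than a silently half-applied rule.
fw_rule() {
    local family src dst a f src_opt dst_opt
    family=$1; src=$2; dst=$3; shift 3
    for a in "$src" "$dst"; do
        [ -n "$a" ] || continue
        f=$(addr_family "$a")
        if [ -z "$f" ]; then
            echo "fw_rule: unrecognised address '$a'" >&2; return 1
        fi
        if [ -n "$family" ] && [ "$family" != "$f" ]; then
            echo "fw_rule: '$a' conflicts with family $family" >&2; return 1
        fi
        family=$f
    done
    src_opt=""; dst_opt=""
    [ -n "$src" ] && src_opt="-s $src"
    [ -n "$dst" ] && dst_opt="-d $dst"
    case "$family" in
        4)  run_cmd "$IPTABLES" "$@" $src_opt $dst_opt ;;
        6)  if [ "$HAVE_IPV6" = 1 ]; then
                run_cmd "$IP6TABLES" "$@" $src_opt $dst_opt
            else
                echo "fw_rule: no IPv6 support, skipping IPv6-only rule" >&2
            fi ;;
        "") run_cmd "$IPTABLES" "$@"
            if [ "$HAVE_IPV6" = 1 ]; then run_cmd "$IP6TABLES" "$@"; fi ;;
    esac
}

# RFC 4864 4.2 default: drop unsolicited inbound from the WAN, accept return
# traffic of sessions started from inside (reflective session state).
default_policy() {
    local wan=$1
    fw_rule "" "" "" -P INPUT DROP
    fw_rule "" "" "" -P FORWARD DROP
    fw_rule "" "" "" -A INPUT -i lo -j ACCEPT
    fw_rule "" "" "" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule "" "" "" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule "" "" "" -A FORWARD ! -i "$wan" -j ACCEPT
    # IPv6 caveat: neighbour discovery and path MTU discovery ride on ICMPv6,
    # so a v6 firewall that drops it breaks the link. RFC 4890 lists the types
    # a border firewall should pass; this example accepts all of them.
    fw_rule 6 "" "" -A INPUT -p icmpv6 -j ACCEPT
    fw_rule 6 "" "" -A FORWARD -p icmpv6 -j ACCEPT
}

# pinhole WAN_IF DST_ADDR PROTO PORT: one explicit inbound exception. With IPv6
# the host has a global address, so a FORWARD accept is the whole job; an IPv4
# host behind NAT would additionally need a DNAT rule, not generated here.
pinhole() {
    local wan=$1 dst=$2 proto=$3 port=$4
    fw_rule "" "" "$dst" -A FORWARD -i "$wan" -p "$proto" --dport "$port" -j ACCEPT
}

# Constructed demonstration: WAN on eth0, SSH pinhole to a documentation address.
default_policy eth0
pinhole eth0 2001:db8:1::22 tcp 22
```

Run as-is it only prints the iptables/ip6tables command lines it would issue, which is also how the dispatch can be unit-tested without a router; set DRY_RUN=0 from a console session (the policies go to DROP before the accept rules are added) to apply them.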
