Hi folks,
in the context of my diploma thesis I'm currently working on an IPv6 gateway
based on OpenWrt. I wrote quite a lengthy synopsis but later found out that
my idea is already well summarized in RFC 4864 [1], chapter 4.2:
To implement simple security for IPv6 in, for example, a DSL or cable
modem-connected home network, the broadband gateway/router should be
equipped with stateful firewall capabilities. These should provide a
default configuration where incoming traffic is limited to return
traffic resulting from outgoing packets (sometimes known as
reflective session state). There should also be an easy interface
that allows users to create inbound 'pinholes' for specific purposes
such as online gaming.
That's it (plus some nifty features) because I don't buy (and got some counter
arguments to) the security-by-obscurity arguments behind the three bullet
points previously in the same chapter :)
After fighting with and taming buildroot for some time, I hit my next
obstacle: Quite obviously uci_firewall is not IPv6 capable.
So I guess I've got to change that.
[2] suggests discussing ideas in advance so double work can be avoided. I
like that idea, so here's my proposal to add IPv6 support to uci_firewall:
* uci_firewall will automagically detect if IPv6 rules are needed, based on
the availability of ip6tables and kmod-ipv6. There will probably be some
corner cases, like when kmod-ipv6 is loaded after the firewall was already
set up, but these should be fixable.
* All rules which don't explicitly state a $src or $dst will be generated for
both. (The same is true for chains.) If one of those is given, the script
will look at the address format and generate the proper rules.
* This will be done by replacing $IPTABLES with an iptables() function which
does the magic (guess this will be easier once nftables [3] is around but
I've got to work with the stuff we have).
* Seems like uci_firewall needs some general love; there seem to be some
non-local variables, or even variables with undefined values, hanging around.
* Maybe I'll additionally add an explicit src_ipv4 and src_ipv6 (and
dst_ipv{4,6} respectively) if that makes sense.
* I also thought about introducing host aliases which bundle the IPvX
addresses of a host and are then referenced in the rules (if you used
m0n0wall, you know what I mean). But that would be a later feature.
* Contrary to m0n0wall the host aliases should be accompanied by net aliases
so renumbering a net becomes trivial.
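As an added illustration (not code from this post or from uci_firewall), here is a shell sketch of the family-aware dispatch described in the second and third bullets: one generator function that emits the rule for iptables, ip6tables, or both, depending on the address family of its src/dst. The function names, the HAVE_IPV6 detection flag and all addresses and ports are assumptions constructed for the example; it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not uci_firewall code: a family-aware rule generator as
# sketched in the proposal.  A rule with no address is emitted for both
# iptables and (if available) ip6tables; a rule with an address goes only
# to that address family.  Commands are printed, not run; pipe into sh to apply.

IPTABLES=${IPTABLES:-iptables}
IP6TABLES=${IP6TABLES:-ip6tables}
# Assumed detection flag; uci_firewall would also check for kmod-ipv6.
HAVE_IPV6=${HAVE_IPV6:-$(command -v ip6tables >/dev/null 2>&1 && echo 1 || echo 0)}

# addr_family ADDR: prints 4, 6, any (empty address) or bad.
addr_family() {
	case "$1" in
		"")         echo any ;;
		*:*)        echo 6 ;;    # any colon: IPv6 address or prefix
		*[!0-9./]*) echo bad ;;  # letters or other junk in an IPv4 address
		*)          echo 4 ;;
	esac
}

# fw_rule CHAIN TARGET SRC DST [EXTRA MATCHES...]
# SRC and DST must be passed ("" when absent).  Prints one command per
# family the rule applies to; returns 1 on a malformed or mixed-family rule.
fw_rule() {
	fw_chain=$1 fw_target=$2 fw_src=$3 fw_dst=$4
	shift 4
	fw_extra=$*
	fw_sf=$(addr_family "$fw_src") fw_df=$(addr_family "$fw_dst")
	case "$fw_sf$fw_df" in
		anyany)       fw_v4=1; fw_v6=$HAVE_IPV6 ;;
		4any|any4|44) fw_v4=1; fw_v6=0 ;;
		6any|any6|66) fw_v4=0; fw_v6=$HAVE_IPV6 ;;  # silently skipped without IPv6
		*)            return 1 ;;                  # mixed families or bad address
	esac
	fw_opts=""
	[ -n "$fw_src" ] && fw_opts="$fw_opts -s $fw_src"
	[ -n "$fw_dst" ] && fw_opts="$fw_opts -d $fw_dst"
	fw_cmd="-A $fw_chain$fw_opts${fw_extra:+ $fw_extra} -j $fw_target"
	[ "$fw_v4" = 1 ] && echo "$IPTABLES $fw_cmd"
	[ "$fw_v6" = 1 ] && echo "$IP6TABLES $fw_cmd"
	return 0
}

# Demo with constructed addresses: the RFC 4864 default (reflective
# session state for both families), one IPv6 pinhole, one IPv4-only rule.
fw_rule INPUT ACCEPT "" "" -m state --state ESTABLISHED,RELATED
fw_rule INPUT ACCEPT "" 2001:db8::10 -p tcp --dport 27015
fw_rule FORWARD ACCEPT 192.168.1.0/24 ""
```

A rule that mixes an IPv4 source with an IPv6 destination is refused rather than guessed, which is the corner case the explicit src_ipv4/src_ipv6 options in a later bullet would make unambiguous.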
Any comments, ideas, flames? I'm also hanging around on #openwrt as moonflux.
Cheers,
Malte
[1] http://tools.ietf.org/rfc/rfc4864.txt
[2] https://dev.openwrt.org/wiki/SubmittingPatches
[3] http://marc.info/?l=linux-netdev&m=123735060618579
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel