Re: [OpenWrt-Devel] RFC: Adding IPv6 support to uci_firewall

2009-06-19 Thread ZioPRoTo (Saverio Proto)
   Any comments, ideas, flames?  I'm also hanging around on #openwrt as
   moonflux.

Hello Malte,

Just a quick flame to have fun ;)

I see you are doing IPv4 and IPv6 firewall, it is very nice and I'm an
IPv6 supporter as well.

However, before using an IPv6 firewall I'd like to be able to assign
IPv6 addresses to my router!

But how do you assign IPv6 addresses at boot?
Can you reproduce this bug?
https://dev.openwrt.org/ticket/5356

Is there some patch out there, not yet committed, that fixes this problem?

thank you :)

Saverio Proto
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] RFC: Adding IPv6 support to uci_firewall

2009-06-17 Thread Malte S. Stretz
Moin,

On Monday 08 June 2009 14:22:32 I wrote:
 [stuff]

If anybody's interested, my current work (including history) is available on 
GitHub [1].  Current state:

* Works on 8.09.1, should work on trunk as well.

* Moved some stuff around.  Only refactoring, not a single firewall rule 
changed (until now).  Except...

* I introduced an iptables wrapper, see files/lib/iptables.sh and [2] to get 
an idea.

* It applies all rules both to iptables and ip6tables, but only if the needed 
table is available.  I.e. no NAT for IPv6 (if not installed), but broken rules 
if IP addresses are used in a rule.

Next step:

* Look at the IP addresses and apply the rules to the correct tables only.

And again:

   Any comments, ideas, flames?  I'm also hanging around on #openwrt as
   moonflux.

Cheers,
Malte


[1]http://github.com/mss/sixwrt-packages/tree/firewall-hack/package/firewall
[2]http://github.com/mss/sixwrt-packages/commit/4094d813a1562562761381e05f21d61d09b9dff6




[OpenWrt-Devel] RFC: Adding IPv6 support to uci_firewall

2009-06-07 Thread Malte S. Stretz
Hi folks,

in the context of my diploma thesis I'm currently working on an IPv6 gateway 
based on OpenWrt.  I wrote quite a lengthy synopsis but later found out that 
my idea is already well summarized in RFC 4864 [1], chapter 4.2:

   To implement simple security for IPv6 in, for example, a DSL or cable
   modem-connected home network, the broadband gateway/router should be
   equipped with stateful firewall capabilities.  These should provide a
   default configuration where incoming traffic is limited to return
   traffic resulting from outgoing packets (sometimes known as
   reflective session state).  There should also be an easy interface
   that allows users to create inbound 'pinholes' for specific purposes
   such as online gaming.

That's it (plus some nifty features) because I don't buy (and got some counter 
arguments to) the security-by-obscurity arguments behind the three bullet 
points previously in the same chapter :)

After fighting with and taming buildroot for some time, I hit my next 
obstacle:  Quite obviously uci_firewall is not IPv6 capable.

So I guess I've got to change that.

[2] suggests discussing the ideas in advance so double work can be avoided.  I 
like that idea, so here's my proposal to add IPv6 support to uci_firewall:

* uci_firewall will automagically detect if IPv6 rules are needed, based on 
the availability of ip6tables and kmod-ipv6.  There will probably be some 
corner cases, like when kmod-ipv6 is loaded after the firewall was already 
set up, but these should be fixable.

* All rules which don't explicitly state a $src or $dst will be generated for 
both.  (The same is true for chains.)  If one of those is given, the script 
will look at the address format and generate the proper rules.

* This will be done by replacing $IPTABLES with an iptables() function which 
does the magic  (guess this will be easier once nftables [3] is around but 
I've got to work with the stuff we have).

* Seems like the uci_firewall needs some general love, there seem to be some 
non-local or even variables with undefined values hanging around.

* Maybe I'll additionally add an explicit src_ipv4 and src_ipv6 (and 
dst_ipv{4,6} respectively) if that makes sense.

* I also thought about introducing host aliases which bundle the IPvX 
addresses of a host and are then referenced in the rules (if you used 
m0n0wall, you know what I mean).  But that would be a later feature.

* Contrary to m0n0wall the host aliases should be accompanied by net aliases 
so renumbering a net becomes trivial.

Any comments, ideas, flames?  I'm also hanging around on #openwrt as moonflux.

Cheers,
Malte

[1]http://tools.ietf.org/rfc/rfc4864.txt
[2]https://dev.openwrt.org/wiki/SubmittingPatches
[3]http://marc.info/?l=linux-netdev&m=123735060618579
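The wrapper sketched in the proposal above (an iptables() function that looks at $src/$dst, picks iptables, ip6tables or both, and skips tables the IPv6 side does not have), written out as an added POSIX sh example that is not Malte's sixwrt code. The function names fw_*, the FW_DRYRUN variable and the assumption that -t comes first on the command line are all mine; FW_DRYRUN=1 prints the commands instead of running them and emulates a kernel without IPv6 NAT.

```shell
# Hypothetical wrapper in the spirit of the proposal; not the sixwrt code.
# Set FW_DRYRUN=1 to print commands instead of calling iptables/ip6tables.
# Print 4 or 6 for an address/prefix, nothing for hostnames/unknown.
fw_addr_family() {
    case "$1" in
        *:*)     echo 6 ;;
        *.*.*.*) echo 4 ;;
    esac
}
# From the -s/-d arguments decide which binaries the rule applies to.
# Prints "iptables", "ip6tables", or both when no address is given;
# returns 1 for a rule that mixes IPv4 and IPv6 addresses.
fw_rule_targets() {
    local fam="" f
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|-d|--source|--destination)
                [ $# -ge 2 ] || return 1          # option without an address
                f=$(fw_addr_family "$2")
                [ -z "$f" ] || [ -z "$fam" ] || [ "$fam" = "$f" ] || return 1
                if [ -n "$f" ]; then fam=$f; fi
                shift ;;
        esac
        shift
    done
    case "$fam" in
        4) echo iptables ;;
        6) echo ip6tables ;;
        *) echo "iptables ip6tables" ;;
    esac
}
# Is table $2 usable with binary $1?  In dry-run mode emulate the
# "no NAT for IPv6" situation from the thread (constructed, not probed).
fw_has_table() {
    if [ -n "$FW_DRYRUN" ]; then [ "$1:$2" != "ip6tables:nat" ]; return; fi
    command -v "$1" >/dev/null 2>&1 && "$1" -t "$2" -L -n >/dev/null 2>&1
}
# Drop-in for $IPTABLES: fw_iptables [-t table] <rule args...>
fw_iptables() {
    local table=filter targets bin
    if [ "$1" = "-t" ]; then table=$2; shift 2; fi
    targets=$(fw_rule_targets "$@") || { echo "fw: bad IPv4/IPv6 mix: $*" >&2; return 1; }
    for bin in $targets; do
        fw_has_table "$bin" "$table" || continue   # e.g. skip nat on ip6tables
        if [ -n "$FW_DRYRUN" ]; then echo "$bin -t $table $*"
        else "$bin" -t "$table" "$@"; fi
    done
}
```

A rule with no address lands in both tables, a rule carrying an IPv4 or IPv6 address only in the matching one, and a rule that mixes families is rejected instead of producing the broken rules the thread mentions.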