I'm only suggesting an idea here, but you may be able to use shell variables to make something like this happen in your params file.
On 1/24/2012 11:20, Troy Telford wrote: > I've used a tunnel broker for IPv6 for quite some time; the biggest > advantage is a static IP address. > > For bandwidth& latency reasons, I've been considering switching to > using my ISP's 6to4 - which means a dynamic IPv6 subnet. > > The thing is: I want to have some hosts inside the firewall with open > SSH ports, but not every host. While the stateless autoconfig 'suffix' > (I don't know the proper term) is going to be the same, as it's based > on the Ethernet MAC address, the IPv6 prefix is obviously going to > change (as it's based on the IPv4 address with 6to4). > > Is there any sort of mechanism so I can say "This host (on the inside > of the firewall) has a MAC address of<foo>. The IPv6 prefix is going > to change. The IP address will only be found on (the firewall's) eth2. > I want a stateful firewall to block incoming connections for everything > but SSH for that host. > > Is this sort of a pipe dream? > > It seems to me that with a dynamically assigned IPv6 subnet, firewalls > become impossible to really manage, as the IPv6 prefix keeps changing, > which in turn changes the 'destination' IP of every computer that is on > the subnet... > > Is there something that is supposed to handle this? If so, what's it > called so I can RTFM? > > I realize a workaround would be to use multiple IPv6 tunnels (similar > to the multi-ISP shorewall example) - where I use the tunnel broker's > static subnet for incoming connections. I'm wondering if its also the > only solution. ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
