Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 6:14 UTC (Tue) by ebiederm (subscriber, #35028)
In reply to: Schaller: The long journey towards good free video conferencing by bronson
Parent article: Schaller: The long journey towards good free video conferencing

Today ipv6 stateful firewalls are here. Essentially a stateful ipv6 firewall is:

*filter
#By default don't accept anything
:INPUT DROP
:OUTPUT ACCEPT

# Allow existing connections to continue and related connections to start
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# End of the filter table; ip6tables-restore does not apply the rules without it
COMMIT

To add a network address and port translation function requires a few more rules, but beyond that the implementation complexity is exactly the same.

Which means all of your ipv4 work for a NAT firewall translates seamlessly to an ipv6 stateless firewall. The functionality has existed in the linux kernel since what looks like November of 2005 and was released in 2.6.15 or 2.6.16.

If you look carefully you can even find consumer routers with stateful ipv6 firewalls.

An ipv6 stateful firewall looks just like an ipv4 NAT firewall except it doesn't scramble your ip address and port number.
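As an added example (not part of the comment above or of any router firmware), a small audit a defender can run over an ip6tables-save dump to confirm it implements the stateful pattern described above, including the COMMIT the snippet omits and the IPv6-specific point that an INPUT DROP policy also drops ICMPv6 unless it is accepted explicitly, which breaks neighbour discovery. The sample dump and the function names are mine; it assumes the dump uses `-m state --state` or `-m conntrack --ctstate` and names the protocol `ipv6-icmp` as ip6tables-save does.

```python
# Constructed ip6tables-save dump: the pattern from the comment above, plus FORWARD
# for a router, COMMIT, and an ICMPv6 accept so neighbour discovery survives INPUT DROP.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    # Returns (chain policies, rules as token lists, whether COMMIT was seen) for *filter
    policies, rules, in_filter, committed = {}, [], False, False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                  # table header, e.g. *filter
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):  # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(line.split())
        elif in_filter and line == "COMMIT":
            committed = True
    return policies, rules, committed

def accepts_established(rule, chain):
    # True for "-A <chain> ... --state|--ctstate ESTABLISHED,RELATED ... -j ACCEPT"
    if rule[1] != chain or rule[-2:] != ["-j", "ACCEPT"]:
        return False
    for flag in ("--state", "--ctstate"):         # -m state or -m conntrack
        if flag in rule:
            return {"ESTABLISHED", "RELATED"} <= set(rule[rule.index(flag) + 1].split(","))
    return False

def audit_stateful_ipv6(dump):
    # Returns a list of findings; an empty list means the dump matches the stateful pattern
    policies, rules, committed = parse_filter_table(dump)
    findings = []
    if not committed:
        findings.append("filter table has no COMMIT; ip6tables-restore will not apply it")
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain, 'missing')}, expected DROP")
        if not any(accepts_established(r, chain) for r in rules):
            findings.append(f"{chain} has no ESTABLISHED,RELATED accept rule")
    if policies.get("INPUT") == "DROP" and not any(
            r[1] == "INPUT" and "ipv6-icmp" in r and r[-2:] == ["-j", "ACCEPT"] for r in rules):
        findings.append("INPUT drops ICMPv6, so neighbour discovery will break")
    return findings
```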



Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:40 UTC (Tue) by bronson (subscriber, #4806)

It sounds like you agree with me? You can't possibly expect the layperson to understand what "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" means.

Actual *clickable* interfaces.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:56 UTC (Tue) by raven667 (subscriber, #5198)

Is that supposed to be sarcasm? That doesn't seem like a serious response. The end-user, layperson interface is exactly the same as today because the rules are identical and are managed in the same way with the same tools. The kind of iptables config that your router GUI writes out is the same kind of config it writes out for ip6tables; existing devices that support IPv6 already do this AFAIK.

No one is suggesting that end-users need to write their own rules to an iptables-save file by hand; attacking that is a straw man.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 21:29 UTC (Tue) by bronson (subscriber, #4806)

The rules are the same but the GUIs aren't. It's not easy to buy simple, NAT-equivalent stateful IPv6 firewalls from Belkin/Linksys/NetGear/etc. Using the present tense is a wee bit optimistic, no?

All I'm saying is, once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers, we will all celebrate. That day is not here yet. (Or wasn't at the end of 2011, the last time I shopped for a new wifi access point.)

Stateful ipv6 firewalls are here today

Posted Oct 18, 2012 0:56 UTC (Thu) by marcH (subscriber, #57642)

> Once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers,

The interface of IPv4 routers has generally been horrible. It doesn't matter because you don't even have a choice; you need the default setting = NAT enabled. Consumers must find their IPv4 routers very easy to use indeed, since most of them don't have to use them at all. Even gamers don't have to any more since UPnP. The vast majority has no idea what a NAT is and does not need to know.

So yes: IPv6 is a new problem in a way because now you do have the choice of filtering versus not. A good problem/checkbox to have. Giving people this checkbox is exactly what IPv6 is all about.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds