Which Linux-based firewall supports IPv6?

Out of the box neither IPCop nor ipfire support IPv6, not even on the green interface (internal LAN).

How do I add IPv6 support to one of them? If that's not possible, is there a linux-based embedded firewall (I run them on PC Engines) which supports IPv6?

Answer 1

Take a look at m0n0wall. http://m0n0.ch/wall/features.php

It supports IPv6 and PC Engines hardware.

Answer 2

The "ip6tables" firewall is likely what you're looking for. This web page explains how to install it: http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/

Additionally, if your flavour of Linux has "pf" then you could also use that (I'm using it for IPv6 and IPv4 firewalling on my NetBSD Unix systems, and I'm very pleased with its flexibility, reliability, and high quality documentation).

Regarding IPCop, most of the information I found with Google was a lot of people wondering how to get IPv6 support (and a few responses suggesting "don't worry about it right now because it's not in demand," which is disappointing). According to a response on SourceForge.net, it is "somewhere on the roadmap" as per this web page: http://sourceforge.net/tracker/index.php?func=detail&aid=1364092&group_id=40604&atid=428519

It appears that IPFire doesn't have IPv6 support yet either, although this request from the year 2010 indicates a need for it: http://redmine.ipfire.org/issues/83

IPv4 address space depleted in February, 2011

For those of you who aren't thinking about IPv6 yet, it's time to start looking into it and learning how to use it, because the world has run out of IPv4 addresses.

The fact that there are no more IPv4 addresses available means that ISPs that need more IP address space can only get IPv6 address blocks from the numbering authorities now (unless they can buy an IPv4 block from someone else, such as by purchasing an existing ISP, but this is not a reliable approach).

This article addresses the IPv4 shortage: http://www.nro.net/news/ipv4-free-pool-depleted

Firewalls that haven't had IPv6 support for the last 5 to 10 years have fallen behind the times in my strong opinion because there has been more than adequate notice that IPv6 addressing is coming, and there is a great deal of free information about IPv6 and a lot of expertise out there that has been available for free for developers who want/need to implement it in their software (e.g., the IPv6 channel on the FreeNode.net IRC network).
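The answer above points at ip6tables but does not show what a sane ruleset for a small router looks like, and the usual mistake when porting an IPv4 ruleset is to drop ICMP wholesale, which breaks Neighbour Discovery and path-MTU discovery on IPv6. The following script is an added example, not code from the original post or from any of the products discussed: it emits an ip6tables-restore ruleset with a drop-by-default policy, the ICMPv6 types IPv6 cannot live without, and an optional inbound-ssh rule for one internal host (no NAT on IPv6, so the host's global address is matched directly). The interface names eth0/eth1, the 2001:db8: address and the function name ip6_ruleset are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ip6tables-restore
# ruleset for a small router. Interface names and the internal host address
# are illustrative assumptions passed in by the caller.
#
# Usage: ip6_ruleset RED_IF GREEN_IF [INTERNAL_HOST]
#   RED_IF        upstream interface (e.g. eth0)
#   GREEN_IF      LAN interface (e.g. eth1)
#   INTERNAL_HOST optional global address of one LAN host that may receive ssh
# Pipe the output into `ip6tables-restore --test` to syntax-check it, or into
# `ip6tables-restore` (as root) to load it.

ip6_ruleset() {
    red="$1"
    green="$2"
    host="${3:-}"

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback, established flows, and nothing in an invalid conntrack state.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ICMPv6 error messages and echo request: Packet Too Big (type 2) carries
# path-MTU discovery, so dropping it silently breaks large transfers.
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 128 -j ACCEPT

# Neighbour Discovery (RFC 4861). Valid ND packets always have hop limit 255,
# so anything with a lower hop limit was routed and is rejected here.
# Router Advertisements (134) are accepted only from upstream, so a LAN host
# cannot inject a default route; Router Solicitations (133) only from the LAN.
-A INPUT -i $red -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i $green -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT

# Management of the router itself from the LAN only.
-A INPUT -i $green -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# LAN hosts may initiate anything outbound.
-A FORWARD -i $green -o $red -j ACCEPT
EOF

    if [ -n "$host" ]; then
        cat <<EOF

# Inbound ssh to one internal host by its global address (no NAT on IPv6).
-A FORWARD -i $red -o $green -d $host/128 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi

    printf 'COMMIT\n'
}

# Stand-alone usage: print the ruleset for eth0 (red) / eth1 (green).
# ip6_ruleset eth0 eth1 2001:db8:1:2::4 > /etc/ip6tables.rules
```

Before loading it, run `ip6_ruleset eth0 eth1 2001:db8:1:2::4 | ip6tables-restore --test` to catch syntax errors without touching the live tables. If the upstream prefix is configured statically rather than learned via Router Advertisements, drop the type-134 line so the red interface accepts no RAs at all.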

Answer 3

If you want a flashy web-based-with-cute-pictures interface, you can disregard this answer, but if you want things to just work, and you are OK with command-line interfaces, I have a pair of suggestions.

  1. openSUSE. I have built many router/firewalls on openSUSE over the years, and I even used the ALIX 2D2 for some of them. (I used KIWI to build images to dd onto CF cards)

    IPv6 "just works" in openSUSE, and is not considered a second class citizen. I can put IPADDR="ipv6_address" in an ifcfg file and it does the right thing. Most importantly, SuSEfirewall2 supports IPv6 in the same manner, and is a very easy-to-use zone-based drop-by-default firewall. If I wanted to allow incoming ssh to the router, for example, I would have:

    FW_SERVICES_EXT_TCP="22"
    

    From this, SuSEfirewall2 will create the accept rules for both IPv4 and IPv6.

    For forwarding/routing to specific machines, you can use IPv4 and IPv6 addresses interchangeably. This is how you can allow ssh to an internal machine with both IPv4 and IPv6 addresses:

    FW_FORWARD="\
    0/0,1.2.3.4/32,tcp,ssh \
    ::/0,2001:1:2:3::4/128,tcp,ssh \
    "
    

    SuSEfirewall2 will automatically figure out what to do with those rules.

  2. Vyatta. This also has integrated "just works" IPv6 support. It also has a very nice CLI and tons of documentation. I switched my router from openSUSE to Vyatta for about a month a while back, and it was able to handle my rather complex network config, which included a combination of IPv6, bridging, tunneling, and OpenVPN. The only thing IPv6-related that didn't work was host identifier fixed address mapping, due to a bug. (I think it's fixed in the more recent 6.3 release, which I am actually now about to test)

In comparing the two, there are some tradeoffs.

Pros for Vyatta:

  • I really like the CLI and the single configuration in Vyatta

  • I have also noticed that it performs better with certain workloads. (I have been trying to figure out why, but I haven't found the magic setting yet)

Pros for OpenSUSE:

  • I prefer the easy-to-use zone-based firewall in OpenSUSE. Vyatta implemented a very thin layer over iptables/ip6tables (Though I ended up writing a script to generate Vyatta firewall rules that is zone-based and automatically creates IPv4 and IPv6 rules where necessary...)

  • I like being able to run certain things on my router, such as Nginx. A general purpose distro like OpenSUSE makes that easy. I can build it myself on Vyatta, but it's unsupported and can break in an upgrade

Related content