6wall is for IPv6 what Shorewall is for IPv4
Never heard of Shorewall? Then I suggest that you first get acquainted with this excellent iptables based firewall for IPv4 at www.shorewall.net. 6wall is heavily based on Shorewall 1.4, in fact most of the work on 6wall has been to convert the functionalities for IPv4 in Shorewall to their IPv6 equivalent.
6wall is a Netfilter (ip6tables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.
Although 6wall is Linux distribution independent, currently only a ready to use package for Linux Embedded Appliance Firewalls (LEAF) is available. It is currently distributed as part of the Bering-uClibc branch of LEAF.
6wall is based on ip6tables, which currently doesn't support as many features as iptables. Therefore a number of options/features of Shorewall could not be converted to their IPv6 counterpart in 6wall. Below is an overview of the main limitations of 6wall/ip6tables compared to Shorewall/iptables:
No support for connection tracking
Allowed policies are ACCEPT, DROP, CONTINUE and NONE
Allowed actions for rules are ACCEPT, DROP, CONTINUE and LOG
Policies and actions REJECT, REDIRECT are not supported
Log target ULOG is not supported
Network Address Translation (SNAT and DNAT) is not available
More detailed information on the available options/features can be found in the 6wall reference manual.
Comments on 6wall and the 6wall user guide should be addressed to its maintainer: Eric de Thouars <[email protected]>.
I would like to thank Tom Eastep for his work on Shorewall. Without his very structured programming style it would never have been possible for me to produce 6wall.
A lot of the 6wall documentation has been taken from Tom's site and adapted to reflect the changes I made from Shorewall to 6wall. In most cases the documentation and examples for Shorewall can directly be applied to 6wall by just replacing the IPv4 addresses with IPv6 addresses. Therefore this user guide will mainly give a global overview of 6wall, refer to Shorewall for most documentation and examples, and focus explicitly on the areas where 6wall and Shorewall differ.
Please don't bother Tom with 6wall questions, only Shorewall related questions should be directed to him !!!
Current LEAF/LRP version: 1.0.1 - August 6, 2003
For changes since previous versions check the Changelog.
The best way to get started with 6wall is to read-up on the Shorewall documentation. Once you are familiar with those, setting up 6wall should be a piece of cake.
Recommended reading:
The Shorewall QuickStart Guides
Standalone Linux System
Two-interface Linux System acting as a firewall/router for a small local network
Three-interface Linux System acting as a firewall/router for a small local network and a DMZ
These documents should give you a good idea what Shorewall and therefore 6wall is all about. For more complicated setups check the Shorewall documentation index.
Bering-uClibc user guide
Section on IPv6 configuration.
Download the 6wall.lrp package and copy it to your LRP diskette. Edit your lrcfg.cfg file to add 6wall to the list of your packages. Reboot. 6wall should be up and running!
The 6wall package LRP configuration menu allows you to define the parameter files that together make up 6wall. If you've read the Shorewall documentation the names of these files should be familiar to you.
The most important parameter files that should be edited are:
Zone definitions
Interface definitions
Policy definitions
Rule definitions
For a complete description of the components that together make up 6wall check 6wall reference manual.
The file /etc/6wall/zones6 is used to define the network zones. There is one entry for each zone. Columns in an entry are:
ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by 6wall itself. Note that the output produced by ip6tables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/6wall/6wall.conf.
DISPLAY - The name of the zone as displayed during 6wall startup.
COMMENTS - Any comments that you want to make about the zone. 6wall ignores these comments.
The /etc/6wall/zones6 file released with 6wall is as follows:
#ZONE   DISPLAY   COMMENTS
#
net     Net       Internet
loc     Local     Local networks
More details on the /etc/6wall/zones6 file in the 6wall reference manual.
The file /etc/6wall/interfaces6 is used to tell the firewall which of your firewall's network interfaces are connected to which zone. Columns in an entry are:
ZONE - A zone defined in the /etc/6wall/zones6 file.
INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file.
DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
OPTIONS - a comma-separated list of options. Possible options include:
routeback - This option causes 6wall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-".
tcpflags - This option causes 6wall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/6wall/6wall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.
blacklist - This option causes incoming packets on this interface to be checked against the blacklist.
nositelocal - Packets arriving on this interface and that have a site-local source address will be dropped after being optionally logged.
maclist - If this option is specified, all connection requests from this interface are subject to MAC Verification. May only be specified for ethernet interfaces.
The /etc/6wall/interfaces6 file released with 6wall is as follows:
#ZONE   INTERFACE   OPTIONS
#
net     tun6to4     nositelocal
loc     eth1
More details on the /etc/6wall/interfaces6 file in the 6wall reference manual.
The file /etc/6wall/policy6 is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies describe which zones are allowed to establish connections with other zones.
Four policies are defined:
ACCEPT - The connection is allowed.
DROP - The connection request is ignored.
CONTINUE - The connection is neither ACCEPTed nor DROPped. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. Where zones are nested or overlapping, the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones.
NONE - 6wall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and LIMIT:BURST columns must be left blank.
Entries in /etc/6wall/policy6 have five columns as follows:
SOURCE - The name of a client zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all").
DEST - The name of a server zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all"). 6wall automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.
POLICY - The default policy for connection requests from the SOURCE zone to the DESTINATION zone.
LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.
LIMIT:BURST - Optional. If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. Otherwise, this column specifies the maximum rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated. Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.
The /etc/6wall/policy6 file released with 6wall is as follows:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
#
loc       net    ACCEPT   -           -
net       all    DROP     info        -
all       all    DROP     info        -
More details on the /etc/6wall/policy6 file in the 6wall reference manual.
Policies established in /etc/6wall/policy6 can be viewed as default policies. Rules in /etc/6wall/rules6 define exceptions to these policies. Entries in the file have the following columns:
ACTION
ACCEPT, DROP, CONTINUE. These have the same meaning here as in the policy file above.
LOG - Log the packet -- requires a syslog level (see below).
The ACTION may optionally be followed by ":" and a syslog level (example: DROP:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.
SOURCE - Describes the source hosts to which the rule applies. The contents of this field must begin with the name of a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all".
If the source is not "all" then the source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers may include:
An interface name - refers to any connection requests arriving on the specified interface (example loc:eth4). The interface name may optionally be followed by a colon (":") and an IP address or prefix (examples: net:eth0:2002:888::2ef, loc:eth1:fec0::/64).
An IP address - refers to a connection request from the host with the specified address (example net:2002:888::2ef).
A MAC Address in Shorewall format.
A prefix - refers to a connection request from any host in the specified subnet (example loc:fec0:1::/64).
DEST - Describes the destination host(s) to which the rule applies. May take most of the forms described above for SOURCE. Restrictions:
MAC addresses may not be specified.
You may not specify both an IP address and an interface name in the DEST column.
PROTO - Protocol. Must be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.
DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmpv6. For icmpv6, this column's contents are interpreted as an icmpv6 type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services.
SOURCE PORT(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port numbers or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be either integers or service names from /etc/services.
The /etc/6wall/rules6 file released with 6wall is as follows:
#ACTION   SOURCE   DEST   PROTO    DEST           SOURCE
#                                  PORT           PORT(S)
#
# Allow ping6 from the firewall
#
ACCEPT    fw       all    icmpv6   echo-request
#
# Allow ping6 from the local network to the firewall
#
ACCEPT    loc      fw     icmpv6   echo-request
More details on the /etc/6wall/rules6 file in the 6wall reference manual.
6wall can be controlled via the command 6wall.
# 6wall
Usage: 6wall [debug] [nolock] [-c <directory>] <command>
where <command> is one of:
   show [<chain>|log|mangle]
   start
   stop
   reset
   restart
   status
   clear
   refresh
   hits
   version
   check
   drop <address> ...
   allow <address> ...
After the configuration steps in the previous chapter, you can (re)start 6wall with the command 6wall start or 6wall restart
Stopping the firewall with the command 6wall stop results in denying all traffic through your system, except the traffic via the interfaces defined in /etc/6wall/routestopped6. The use and effects of this file are identical to the routestopped file of Shorewall, which is described in the Shorewall documentation.
To disable 6wall completely and to allow all traffic, give the command 6wall clear
Using the 6wall show ... and 6wall status commands, you can get information on the current status of the ip6tables configuration and the last 6wall entries in your logfile.
6wall hits gives a summary of all 6wall entries in your logfile.
The 6wall configuration can be validated with 6wall check
6wall uses two forms of blacklisting: static and dynamic blacklisting. Static blacklisting uses the configuration file /etc/6wall/blacklist6. Dynamic blacklisting is controlled via the 6wall drop <address> and 6wall allow <address> commands.
For more information on blacklisting check the Shorewall documentation.
As stated in the introduction, 6wall was derived from Shorewall. If there are any unclarities about how to configure a specific file or option for 6wall, a good starting point is to check out the documentation of Shorewall for your issue. The Shorewall documentation is very exhaustive and there is a good chance that you'll find what you're looking for.
Remember, the documentation here mainly focuses on the differences between Shorewall and 6wall. The section Reference goes into the 6wall specifics of the available configuration files.
6wall consists of the following components:
6wall -- a shell program (requiring a Bourne shell or derivative) used to control and monitor the firewall. This should be placed in /sbin or in /usr/sbin.
6wall.conf -- a parameter file installed in /etc/6wall that is used to set several firewall parameters.
blacklist6 -- a parameter file installed in /etc/6wall and used to list blacklisted IP/prefix/MAC addresses.
common6.def -- a parameter file installed in /etc/6wall that defines firewall-wide rules that are applied before the DROP policy is applied.
firewall -- a shell program that reads the configuration files in /etc/6wall and configures your firewall. This file is installed in /usr/share/6wall.
functions -- a set of shell functions used by both the firewall and 6wall shell programs. Installed in /usr/share/6wall.
hosts6 -- a parameter file installed in /etc/6wall and used to describe individual hosts or prefixes in zones.
interfaces6 -- a parameter file installed in /etc/6wall and used to describe the interfaces on the firewall system.
maclist6 -- a parameter file installed in /etc/6wall and used to verify the MAC address (and possibly also the IP address(es)) of devices.
modules6 -- a parameter file installed in /etc/6wall that specifies kernel modules and their parameters. 6wall will automatically load the modules specified in this file.
params6 -- a parameter file installed in /etc/6wall that can be used to establish the values of shell variables for use in other files.
policy6 -- a parameter file installed in /etc/6wall that establishes overall firewall policy.
rules6 -- a parameter file installed in /etc/6wall and used to express firewall rules that are exceptions to the high-level policies established in /etc/6wall/policy6.
routestopped6 -- a parameter file in /etc/6wall used to define those hosts that can access the firewall when 6wall is stopped. The use and effects of this file are identical to the routestopped file of Shorewall, which is described in the Shorewall documentation.
sitelocal -- a parameter file in /etc/6wall used to define the treatment of packets under the nositelocal interface option.
version -- a file created in /usr/share/6wall that describes the version of 6wall installed on your system.
zones6 -- a parameter file installed in /etc/6wall that defines a network partitioning into "zones".
You may use the file /etc/6wall/params6 to set shell variables that you can then use in some of the other configuration files.
It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the 6wall programs.
Example:
NET_IF=eth0
NET_OPTIONS=blacklist,nositelocal
Example /etc/6wall/interfaces6 record (interfaces6 has no broadcast column, IPv6 has no broadcast addresses):
net $NET_IF $NET_OPTIONS
The result will be the same as if the record had been written
net eth0 blacklist,nositelocal
Variables may be used anywhere in the other configuration files.
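Because the records are expanded by the shell, a variable that is referenced but never defined in params6 silently expands to nothing, which removes a column and shifts every column to its right (for example a leftover $NET_BCAST from a Shorewall configuration). The following shell function is an added example, not part of the 6wall scripts: it expands a record the same way (source params6, then evaluate the record) but with set -u, so an undefined variable is reported as an error instead of producing a truncated record. The params6 content is constructed for the demonstration.

```shell
#!/bin/sh
# Expand $VARIABLE references in a configuration record the way 6wall does:
# params6 is sourced into the shell and each record is then evaluated.
# Added example, not the 6wall firewall script. With "set -u" a variable that
# is referenced but never defined is an error instead of an empty string,
# so a column cannot silently disappear and shift the columns to its right.
expand_record() {   # expand_record <params6-file> <record>
    pfile=$1
    record=$2
    (
        set -u                 # unset variable => error, not empty string
        . "$pfile"             # params6 is trusted local configuration
        eval "printf '%s\n' \"$record\""
    )
}

# Constructed params6 for the demonstration (NET_BCAST deliberately absent).
demo_params6() {
    printf 'NET_IF=eth0\nNET_OPTIONS=blacklist,nositelocal\n'
}

# expand_demo <record>: expand one record against the constructed params6;
# prints the expansion and returns non-zero if an undefined variable is used.
expand_demo() {
    f=$(mktemp)
    demo_params6 > "$f"
    expand_record "$f" "$1"
    rc=$?
    rm -f "$f"
    return $rc
}
```

expand_demo 'net $NET_IF $NET_OPTIONS' prints net eth0 blacklist,nositelocal; expand_demo 'net $NET_IF $NET_BCAST $NET_OPTIONS' fails with "NET_BCAST: parameter not set" rather than quietly yielding a three-column record that happens to look right.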
This file is used to define the network zones. There is one entry in /etc/6wall/zones6 for each zone. Columns in an entry are:
ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by 6wall itself. Note that the output produced by ip6tables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/6wall/6wall.conf.
DISPLAY - The name of the zone as displayed during 6wall startup.
COMMENTS - Any comments that you want to make about the zone. 6wall ignores these comments.
The /etc/6wall/zones6 file released with 6wall is as follows:
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
You may add, delete and modify entries in the /etc/6wall/zones6 file as desired so long as you have at least one zone defined.
Warning 1: If you rename or delete a zone, you should perform 6wall stop; 6wall start to install the change rather than 6wall restart.
Warning 2: The order of entries in the /etc/6wall/zones6 file is significant in some cases (see Shorewall doc).
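The zone naming rules stated here (and in the overview section above) are easy to get wrong by hand, and a bad zone name is only noticed when the firewall script runs. The following shell function is an added example, not 6wall's own 6wall check: it reads a zones6 file and reports every entry that breaks one of the stated rules (length, character set, "all", the firewall zone name from FW, duplicates, missing DISPLAY, no zones at all). The sample zones6 is constructed for the demonstration and the firewall zone name is passed in by the caller, since it comes from 6wall.conf.

```shell
#!/bin/sh
# Validate a zones6 file against the naming rules above before "6wall restart":
# at most 5 characters, lower-case letters or digits, starting with a letter,
# not "all", not the firewall zone name (FW in 6wall.conf), no duplicates, and
# at least one zone defined. Added example, not 6wall's own "6wall check".
check_zones6() {   # check_zones6 <zones6-file> <fw-zone-name>
    awk -v fw="$2" '
        function bad(msg) { printf "%s:%d: zone \"%s\": %s\n", FILENAME, FNR, zone, msg; errors++ }
        { sub(/#.*/, ""); if (NF == 0) next }       # drop comments and blank lines
        {
            zone = $1
            if (length(zone) > 5)
                bad("longer than 5 characters")
            else if (zone !~ /^[a-z][a-z0-9]*$/)
                bad("must start with a lower-case letter and use only lower-case letters or digits")
            if (zone == "all")
                bad("\"all\" is reserved")
            if (zone == fw)
                bad("collides with the firewall zone (FW=" fw ")")
            if (zone in seen)
                bad("defined twice")
            seen[zone] = 1
            if (NF < 2)
                bad("DISPLAY column missing")
            n++
        }
        END {
            if (n == 0) { print FILENAME ": no zones defined (at least one is required)"; errors++ }
            exit (errors > 0)
        }
    ' "$1"
}

# Constructed zones6 for the demonstration: three valid zones, three invalid ones.
demo_zones6() {
    cat <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
dmz     DMZ       Demilitarized zone
Guests  Guests    too long and not lower-case
all     All       reserved word
fw      Fire      same name as the firewall zone
EOF
}

# count_zone_errors: run the check on the constructed file and print the
# number of complaints (3 for the sample above).
count_zone_errors() {
    f=$(mktemp)
    demo_zones6 > "$f"
    check_zones6 "$f" fw | wc -l | tr -d ' '
    rm -f "$f"
}
```

check_zones6 /etc/6wall/zones6 fw exits non-zero when anything is reported, so it can sit in front of 6wall restart in a deployment script.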
This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/6wall/interfaces6 for each of your interfaces. Columns in an entry are:
ZONE - a zone defined in the /etc/6wall/zones6 file or "-". If you specify "-", you must use the /etc/6wall/hosts6 file to define the zones accessed via this interface.
INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file.
DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
OPTIONS - a comma-separated list of options. Possible options include:
routeback - This option causes 6wall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-".
tcpflags - This option causes 6wall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/6wall/6wall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.
blacklist - This option causes incoming packets on this interface to be checked against the blacklist.
nositelocal - Packets arriving on this interface and that have a site-local source address will be dropped after being optionally logged. Addresses blocked by this option are defined in the sitelocal file.
maclist - If this option is specified, all connection requests from this interface are subject to MAC Verification. May only be specified for ethernet interfaces.
The /etc/6wall/interfaces6 file released with 6wall is as follows:
#ZONE   INTERFACE   OPTIONS
net     tun6to4     nositelocal
loc     eth1
Some recommendations concerning options:
External Interface -- tcpflags,blacklist,nositelocal
Wireless Interface -- maclist,tcpflags
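What the tcpflags option amounts to at the ip6tables level, as an added example (this is not code from 6wall): a shell function that emits the ip6tables rules for the four flag combinations named in the tcpflags description above (both in the overview and in this reference section), honouring the two 6wall.conf settings the way they are documented, TCP_FLAGS_LOG_LEVEL empty meaning no logging and TCP_FLAGS_DISPOSITION empty meaning DROP. The chain name tcpflags, the log prefix and the exact --tcp-flags mask/comparison pairs are my assumptions, not taken from the 6wall source. The commands are printed rather than executed so they can be reviewed on any machine; pipe them into sh on the firewall to apply them.

```shell
#!/bin/sh
# Emit ip6tables rules for the tcpflags sanity checks on one interface.
# Added example: chain name, log prefix and flag masks are my own choices,
# not taken from the 6wall source. Arguments mirror the 6wall.conf settings:
#   level = TCP_FLAGS_LOG_LEVEL   (empty: do not log)
#   disp  = TCP_FLAGS_DISPOSITION (empty: DROP; only ACCEPT or DROP allowed)
# Rules are printed, not executed; review them, then pipe into sh on the firewall.
tcpflags_rules() {   # tcpflags_rules <interface> [level] [disposition]
    ifc=$1
    level=$2
    disp=${3:-DROP}
    case $disp in
        ACCEPT|DROP) ;;
        *) echo "TCP_FLAGS_DISPOSITION must be ACCEPT or DROP, got '$disp'" >&2; return 1 ;;
    esac
    # One check per line: <mask of flags to examine> <flags that must be set>.
    #   ALL NONE        : null scan, no flags at all
    #   SYN,FIN SYN,FIN : SYN and FIN together never occur in legitimate traffic
    #   SYN,RST SYN,RST : likewise SYN and RST together
    #   ALL FIN,PSH,URG : exactly FIN+PSH+URG set (Xmas-style probe)
    checks='ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
ALL FIN,PSH,URG'
    echo "ip6tables -N tcpflags"
    echo "$checks" | while read -r mask comp; do
        if [ -n "$level" ]; then
            echo "ip6tables -A tcpflags -p tcp --tcp-flags $mask $comp -j LOG --log-level $level --log-prefix '6wall:tcpflags:'"
        fi
        echo "ip6tables -A tcpflags -p tcp --tcp-flags $mask $comp -j $disp"
    done
    # Run the checks before anything else for TCP arriving on this interface.
    echo "ip6tables -I INPUT 1 -i $ifc -p tcp -j tcpflags"
    echo "ip6tables -I FORWARD 1 -i $ifc -p tcp -j tcpflags"
}

# count_rules <interface> <level> <disposition> <pattern>: how many generated
# lines match <pattern>; used to check the effect of the two settings.
count_rules() {
    tcpflags_rules "$1" "$2" "$3" | grep -c -- "$4" || true
}
```

tcpflags_rules eth0 info DROP prints eleven commands: the chain creation, a LOG rule and a DROP rule for each of the four checks, and the two jumps; with an empty level the four LOG rules disappear, and an invalid disposition such as REJECT is refused, matching the rule that 6wall has no REJECT.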
For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/6wall/hosts6 file.
WARNING: The only times that you need entries in /etc/6wall/hosts6 are:
You have more than one zone connecting through a single interface; or
You have a zone that has multiple subnetworks that connect through a single interface and you want the 6wall box to route traffic between those subnetworks.
IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!
Columns in this file are:
ZONE - a zone defined in the /etc/6wall/zones6 file.
HOST(S) - The name of a network interface followed by a colon (":") followed by either:
an IP address (example - eth1:2001:888::2f4)
a prefix (example - eth2:fec0:1::/64)
The interface name must match an entry in /etc/6wall/interfaces6.
OPTIONS - A comma-separated list of options:
routeback - This option causes 6wall to set up handling for routing packets sent by this host group back to the same group.
maclist - If specified, connection requests from the hosts specified in this entry are subject to MAC Verification. This option is only valid for ethernet interfaces.
If you don't define any hosts for a zone, the hosts in the zone default to i0:::/0, i1:::/0, ... (that is, the prefix ::/0 on each interface i0, i1, ... assigned to the zone).
Note: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.
Check the Shorewall doc for examples on how to use this file. Especially the section on Nested and Overlapping Zones.
The /etc/6wall/hosts6 file released with 6wall is empty.
This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies defined in /etc/6wall/policy6 describe which zones are allowed to establish connections with other zones.
Policies established in /etc/6wall/policy6 can be viewed as default policies. If no rule in /etc/6wall/rules6 applies to a particular connection request then the policy from /etc/6wall/policy6 is applied.
Four policies are defined:
ACCEPT - The connection is allowed.
DROP - The connection request is ignored.
CONTINUE - The connection is neither ACCEPTed nor DROPped. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. Where zones are nested or overlapping, the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones. For more information, see Shorewall doc.
NONE - 6wall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and LIMIT:BURST columns must be left blank.
For each policy specified in /etc/6wall/policy6, you can indicate that you want a message sent to your system log each time that the policy is applied.
Entries in /etc/6wall/policy6 have five columns as follows:
SOURCE - The name of a client zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all").
DEST - The name of a server zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all"). 6wall automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.
POLICY - The default policy for connection requests from the SOURCE zone to the DESTINATION zone.
LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.
LIMIT:BURST - Optional. If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. Otherwise, this column specifies the maximum rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated.
Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.
In the SOURCE and DEST columns, you can enter "all" to indicate all zones.
The policy file installed by default is as follows:
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
#
loc       net    ACCEPT   -           -
net       all    DROP     info        -
all       all    DROP     info        -
This table may be interpreted as follows:
All connection requests from the local network to hosts on the internet are accepted.
All connection requests originating from the internet are dropped and logged at level KERNEL.INFO.
All other connection requests are dropped and logged.
WARNING -- The firewall script processes the /etc/6wall/policy6 file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies DROP.
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
#
loc       all    ACCEPT   -           -
net       all    DROP     info        -
loc       loc    DROP     info        -
6wall allows a zone to be associated with more than one interface or with multiple networks that interface through a single interface. 6wall will ACCEPT all traffic from a zone to itself provided that there is no explicit policy governing traffic from that zone to itself (an explicit policy does not specify "all" in either the SOURCE or DEST column) and that there are no rules concerning connections from that zone to itself. If there is an explicit policy or if there are one or more rules, then traffic within the zone is handled just like traffic between zones is.
Any time that you have multiple interfaces associated with a single zone, you should ask yourself if you really want traffic routed between those interfaces. Cases where you might not want that behavior are:
Multiple "net" interfaces to different ISPs. You don't want to route traffic from one ISP to the other through your firewall.
Multiple VPN clients. You don't necessarily want them to all be able to communicate between themselves using your gateway/router.
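The first-match behaviour described in the warning above is worth checking mechanically before trusting a policy6 file, because a shadowed entry looks correct when read in isolation. The following shell function is an added example that models the documented lookup (top to bottom, "all" matching any zone, implicit ACCEPT for a zone to itself when no entry applies); it is not the 6wall firewall script. Both the shipped policy6 and the shadowed file from the warning are embedded as constructed samples.

```shell
#!/bin/sh
# Resolve the policy 6wall would apply to a SOURCE/DEST zone pair: scan policy6
# top to bottom and take the first entry that applies, "all" matching any zone.
# Added example modelling the documented first-match behaviour, not the
# firewall script. If nothing applies and SOURCE equals DEST the implicit
# intra-zone ACCEPT is reported; otherwise UNDEFINED.
lookup_policy() {   # lookup_policy <policy6-file> <source-zone> <dest-zone>
    awk -v src="$2" -v dst="$3" '
        { sub(/#.*/, ""); if (NF < 3) next }
        ($1 == src || $1 == "all") && ($2 == dst || $2 == "all") {
            print $3 " (line " FNR ": " $1 " " $2 " " $3 ")"
            found = 1
            exit
        }
        END {
            if (found) exit 0
            if (src == dst) print "ACCEPT (implicit: no explicit policy for traffic within zone " src ")"
            else print "UNDEFINED (no entry applies to " src " -> " dst ")"
        }
    ' "$1"
}

# The policy6 shipped with 6wall, embedded for the demonstration.
default_policy6() {
    cat <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   -           -
net       all    DROP     info        -
all       all    DROP     info        -
EOF
}

# The file from the warning above, where the third entry is shadowed.
shadowed_policy6() {
    cat <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       all    ACCEPT   -           -
net       all    DROP     info        -
loc       loc    DROP     info        -
EOF
}

# policy_of <default|shadowed> <src> <dst>: print only the POLICY word.
policy_of() {
    f=$(mktemp)
    case $1 in
        default)  default_policy6  > "$f" ;;
        shadowed) shadowed_policy6 > "$f" ;;
        *) echo "unknown sample '$1'" >&2; rm -f "$f"; return 1 ;;
    esac
    lookup_policy "$f" "$2" "$3" | cut -d' ' -f1
    rm -f "$f"
}
```

lookup_policy /etc/6wall/policy6 loc loc on the shadowed file reports ACCEPT with the line number of the entry that won, which is the quickest way to see why the DROP on the third line never takes effect. Note that the shadowed file also leaves pairs such as fw to net without any entry at all.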
The /etc/6wall/rules6 file defines exceptions to the policies established in the /etc/6wall/policy6 file. There is one entry in /etc/6wall/rules6 for each of these rules.
6wall automatically enables firewall->firewall traffic over the loopback interface (lo) -- that traffic cannot be regulated using rules and any rule that tries to regulate such traffic will generate a warning and will be ignored.
Entries in the file have the following columns:
ACTION
ACCEPT, DROP, CONTINUE. These have the same meaning here as in the policy file above.
LOG - Log the packet -- requires a syslog level (see below).
The ACTION may optionally be followed by ":" and a syslog level (example: DROP:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.
SOURCE - Describes the source hosts to which the rule applies. The contents of this field must begin with the name of a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all".
If the source is not "all" then the source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers may include:
An interface name - refers to any connection requests arriving on the specified interface (example loc:eth4). The interface name may optionally be followed by a colon (":") and an IP address or prefix (examples: net:eth0:2002:888::2ef, loc:eth1:fec0::/64).
An IP address - refers to a connection request from the host with the specified address (example net:2002:888::2ef).
A MAC Address in Shorewall format.
A prefix - refers to a connection request from any host in the specified subnet (example loc:fec0:1::/64).
DEST - Describes the destination host(s) to which the rule applies. May take most of the forms described above for SOURCE. Restrictions:
MAC addresses may not be specified.
You may not specify both an IP address and an interface name in the DEST column.
PROTO - Protocol. Must be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.
DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmpv6. For icmpv6, this column's contents are interpreted as an icmpv6 type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services.
SOURCE PORT(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port numbers or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be either integers or service names from /etc/services.
The /etc/6wall/rules6 file released with 6wall is as follows:
#ACTION   SOURCE   DEST   PROTO    DEST           SOURCE
#                                  PORT           PORT(S)
#
# Allow ping6 from the firewall
#
ACCEPT    fw       all    icmpv6   echo-request
#
# Allow ping6 from the local network to the firewall
#
ACCEPT    loc      fw     icmpv6   echo-request
For examples on how to define rules, check the Shorewall doc.
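Several of the column constraints listed above (here and in the overview section) are the ones most often violated when a Shorewall rules file is copied over: REJECT, DNAT and REDIRECT actions that 6wall does not have, LOG without a level, DEST PORT(S) with PROTO all, MAC addresses in the DEST column. The following shell function is an added example, not 6wall's own 6wall check: it applies exactly the constraints this page states to a rules6 file and reports each offending line. The zone list and the firewall zone name are supplied by the caller, and the sample rules6 is constructed for the demonstration.

```shell
#!/bin/sh
# Check a rules6 file against the column rules above before "6wall restart".
# Added example, not 6wall's own "6wall check": it knows only what this page
# states (allowed ACTIONs, LOG needs a level, zones must exist, no MAC in
# DEST, DEST PORT(S) only for tcp/udp/icmpv6, fw->fw cannot be regulated).
check_rules6() {   # check_rules6 <rules6-file> <fw-zone> <zone>...
    rfile=$1; fw=$2; shift 2
    awk -v fw="$fw" -v zones="$*" '
        BEGIN {
            n = split(zones, z, " ")
            for (i = 1; i <= n; i++) known[z[i]] = 1
            known[fw] = 1; known["all"] = 1
        }
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errors++ }
        function zone_of(spec,   a) { split(spec, a, ":"); return a[1] }
        function is_mac(spec)  { return spec ~ /:~/ }   # Shorewall MAC form, e.g. loc:~00-a0-c9-15-39-78
        { sub(/#.*/, ""); if (NF == 0) next }
        {
            action = $1; src = $2; dst = $3; proto = tolower($4); dport = $5; sport = $6
            split(action, ap, ":"); act = ap[1]; lvl = ap[2]
            if (act !~ /^(ACCEPT|DROP|CONTINUE|LOG)$/)
                bad("ACTION \"" action "\": only ACCEPT, DROP, CONTINUE and LOG exist in 6wall")
            if (act == "LOG" && lvl == "")
                bad("ACTION LOG needs a syslog level, e.g. LOG:info")
            if (!(zone_of(src) in known))
                bad("SOURCE zone \"" zone_of(src) "\" is not defined in zones6")
            if (!(zone_of(dst) in known))
                bad("DEST zone \"" zone_of(dst) "\" is not defined in zones6")
            if (is_mac(dst))
                bad("MAC addresses may not be used in the DEST column")
            if (src == fw && dst == fw)
                bad("firewall-to-firewall traffic cannot be regulated; this rule will be ignored")
            if (dport != "" && dport != "-" && proto !~ /^(tcp|udp|icmpv6)$/)
                bad("DEST PORT(S) \"" dport "\" given but PROTO \"" $4 "\" is not tcp, udp or icmpv6")
            if (sport != "" && sport != "-" && proto == "icmpv6")
                bad("SOURCE PORT(S) do not apply to icmpv6")
        }
        END { exit (errors > 0) }
    ' "$rfile"
}

# Constructed rules6 for the demonstration: the two shipped rules plus one
# valid and five invalid additions (each comment says why).
demo_rules6() {
    cat <<'EOF'
#ACTION    SOURCE   DEST                     PROTO    DEST          SOURCE
#                                                     PORT          PORT(S)
ACCEPT     fw       all                      icmpv6   echo-request
ACCEPT     loc      fw                       icmpv6   echo-request
ACCEPT     net      fw                       tcp      22
REJECT     net      fw                       tcp      113           # no REJECT in 6wall
LOG        loc      net                      udp      53            # LOG without a level
ACCEPT     dmz      fw                       tcp      80            # dmz is not a zone
ACCEPT     loc      fw                       all      80            # port with PROTO all
ACCEPT     loc      net:~00-a0-c9-15-39-78   tcp      80            # MAC in DEST
EOF
}

# count_rule_errors: number of complaints for the constructed file (5).
count_rule_errors() {
    f=$(mktemp)
    demo_rules6 > "$f"
    check_rules6 "$f" fw net loc | wc -l | tr -d ' '
    rm -f "$f"
}
```

check_rules6 /etc/6wall/rules6 fw net loc reports the five problem lines of the sample and exits non-zero; the two shipped rules and the ssh rule pass unchanged.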
6wall allows definition of rules that apply between all zones. By default, these rules are defined in the file /etc/6wall/common6.def but may be modified to suit individual requirements. Rather than modify /etc/6wall/common6.def, you should copy that file to /etc/6wall/common6 and modify that file.
The /etc/6wall/common6 file is expected to contain ip6tables commands; rather than running ip6tables directly, you should run it indirectly using the 6wall function "run_ip6tables". That way, if ip6tables encounters an error, the firewall will be safely stopped.
The /etc/6wall/common6.def file released with 6wall is as follows:
############################################################################
# Allow ping and traceroute return traffic as long as connection tracking
# is not available
#
run_ip6tables -A common -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_ip6tables -A common -p udp --dport 135 -j reject
run_ip6tables -A common -p udp --dport 137:139 -j reject
run_ip6tables -A common -p udp --dport 445 -j reject
run_ip6tables -A common -p tcp --dport 139 -j reject
run_ip6tables -A common -p tcp --dport 445 -j reject
run_ip6tables -A common -p tcp --dport 135 -j reject
############################################################################
# UPnP
#
run_ip6tables -A common -p udp --dport 1900 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_ip6tables -A common -p tcp --dport 113 -j reject
############################################################################
# Allow Neighbour and Router Advertisement messages
#
run_ip6tables -A common -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
############################################################################
The /etc/6wall/6wall.conf file is used to set the following firewall parameters:
TCP_FLAGS_DISPOSITION - Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface option and must have a value of ACCEPT (accept the packet) or DROP (ignore the packet). If not set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION= ) then TCP_FLAGS_DISPOSITION=DROP is assumed.
TCP_FLAGS_LOG_LEVEL - Determines the syslog level for logging packets that fail the checks enabled by the tcpflags interface option. The value must be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL= ).
MACLIST_DISPOSITION - Determines the disposition of connection requests that fail MAC Verification and must have the value ACCEPT (accept the connection request anyway) or DROP (ignore the connection request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION= ) then MACLIST_DISPOSITION=DROP is assumed.
MACLIST_LOG_LEVEL - Determines the syslog level for logging connection requests that fail MAC Verification. The value must be a valid syslogd log level. If you don't want to log these connection requests, set to the empty value (e.g., MACLIST_LOG_LEVEL= ).
BLACKLIST_DISPOSITION - This parameter determines the disposition of packets from blacklisted hosts. Its only permitted value is DROP (the packets are silently dropped).
BLACKLIST_LOGLEVEL - This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at. Its value is a syslog level. If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged.
SITELOCAL_LOG_LEVEL - This parameter determines the level at which packets logged under the "nositelocal" mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed.
LOGRATE and LOGBURST - These parameters set the match rate and initial burst size for logged packets. Please see the ip6tables man page for a description of the behavior of these parameters (the ip6tables option --limit is set by LOGRATE and --limit-burst is set by LOGBURST). If both parameters are set empty, no rate-limiting will occur.
LOGFORMAT - The value of this variable generates the --log-prefix setting for 6wall logging rules. It contains a 'printf' formatting template which accepts three arguments (the chain name, logging rule number (optional) and the disposition). To use LOGFORMAT with fireparse, set:
LOGFORMAT="fp=%s:%d a=%s "
If the LOGFORMAT value contains the substring '%d' then the logging rule number is calculated and formatted in that position; if that substring is not included then the rule number is not included. If not supplied or supplied as empty (LOGFORMAT="") then "6wall:%s:%s:" is assumed.
/sbin/6wall uses the leading part of the LOGFORMAT string (up to but not including the first '%') to find log messages in the 'show log', 'status' and 'hits' commands. This part should not be omitted (the LOGFORMAT should not begin with "%") and the leading part should be sufficiently unique for /sbin/6wall to identify 6wall messages.
LOGFILE - This parameter tells the /sbin/6wall program where to look for 6wall messages when processing the show log, monitor, status and hits commands. If not assigned or if assigned an empty value, /var/log/messages is assumed.
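The interplay of LOGFORMAT and LOGFILE above (printf template with an optional %d, a leading marker that must not be empty, and log lines found by that marker) is easiest to see in code. The following is an added example, not part of the 6wall user guide or of 6wall's own scripts: it expands a LOGFORMAT value the way a logging rule's --log-prefix would be built, validates it, derives the marker used to select 6wall messages, and counts matching lines in a constructed log excerpt. Function names are assumed for this example; the 29-character --log-prefix limit is the ip6tables LOG target's own, not something the guide states.

```shell
#!/bin/sh
# Added example, not 6wall's own code: LOGFORMAT -> --log-prefix, the checks a
# practitioner wants on the value, and the marker used to find 6wall messages
# in LOGFILE. Function names are assumptions made for this example.

# Build the --log-prefix text for a logging rule. If LOGFORMAT contains '%d'
# the rule number is formatted in; otherwise it is left out.
# (LOGFORMAT is deliberately used as the printf format, as the guide says.)
log_prefix() {
    fmt=$1 chain=$2 rulenum=$3 disposition=$4
    case $fmt in
        *%d*) printf "$fmt" "$chain" "$rulenum" "$disposition" ;;
        *)    printf "$fmt" "$chain" "$disposition" ;;
    esac
}

# The leading part of LOGFORMAT (up to the first '%') is what the show log,
# status and hits commands search for.
log_marker() {
    printf '%s' "${1%%%*}"   # strip from the first '%' to the end
}

# Sanity checks: the format must not start with '%' (there would be no marker
# to search on), and ip6tables keeps at most 29 characters of --log-prefix, so
# a longer expansion is silently truncated in the kernel log.
check_logformat() {
    fmt=${1:-"6wall:%s:%s:"}      # the default the guide describes
    case $fmt in
        %*) echo "LOGFORMAT must not begin with '%'" >&2; return 1 ;;
    esac
    sample=$(log_prefix "$fmt" "net2fw" 99 "DROP")
    if [ ${#sample} -gt 29 ]; then
        echo "LOGFORMAT expands to ${#sample} chars; ip6tables keeps only 29" >&2
        return 1
    fi
    return 0
}

# Count 6wall messages in a log file, the way 'show log' selects them.
count_log_hits() {
    grep -c -F "$(log_marker "$1")" "$2"
}

# Constructed log excerpt (not a real capture) in the kernel LOG target's style.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Jan  1 00:00:01 fw kernel: 6wall:net2fw:DROP:IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 PROTO=TCP DPT=23
Jan  1 00:00:02 fw kernel: 6wall:net2fw:DROP:IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 PROTO=TCP DPT=135
Jan  1 00:00:03 fw sshd[123]: Accepted publickey for admin from 2001:db8::10
EOF

check_logformat "6wall:%s:%s:" && log_prefix "6wall:%s:%s:" net2fw 3 DROP; echo
log_prefix "fp=%s:%d a=%s " net2fw 3 DROP; echo
count_log_hits "6wall:%s:%s:" "$LOG"
rm -f "$LOG"
```

The length check matters because a truncated prefix can cut off the disposition field, which is exactly what the 'hits' and 'status' commands and tools such as fireparse key on.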
IP_FORWARDING - This parameter determines whether 6wall enables or disables IPv6 packet forwarding (/proc/sys/net/ipv6/conf/all/forwarding). Possible values are:
On or on - packet forwarding will be enabled.
Off or off - packet forwarding will be disabled.
Keep or keep - 6wall will neither enable nor disable packet forwarding.
If this variable is not set or is given an empty value (IP_FORWARDING= ) then IP_FORWARDING=On is assumed. Because the default is On, a standalone host that must not route between its interfaces needs IP_FORWARDING=Off set explicitly.
MULTIPORT - If set to "Yes" or "yes", 6wall will use the Netfilter multiport facility. In order to use this facility, your kernel must have IPv6 multiport match support (CONFIG_IP6_NF_MATCH_MULTIPORT, the ip6t_multiport module). When this support is used, 6wall will generate a single rule from each record in the /etc/6wall/rules6 file that meets these criteria:
No port range(s) specified
Specifies 15 or fewer ports
Rules not meeting those criteria will continue to generate an individual rule for each listed port or port range.
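The MULTIPORT decision above (single multiport rule when a record lists no ranges and at most 15 ports, otherwise one rule per entry) is shown below as an added example; it is not 6wall's own rule generator. The chain name, the ACCEPT target and the function names are placeholders chosen for the example, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not 6wall's own code: the MULTIPORT decision the guide
# describes, applied to the PORTS field of a rules6 record. Chain, target and
# function names are placeholders; commands are printed, not run.

# Does a comma-separated PORTS value qualify for one multiport rule?
# No ranges (a:b) and at most 15 ports.
multiport_ok() {
    ports=$1
    case $ports in *:*) return 1 ;; esac            # port range present
    n=$(printf '%s\n' "$ports" | tr ',' '\n' | grep -c .)
    [ "$n" -le 15 ]
}

# Print the rule(s) for one record: CHAIN PROTO PORTS TARGET.
rules_for() {
    chain=$1 proto=$2 ports=$3 target=$4
    case ${MULTIPORT:-No} in Yes|yes) use_multiport=1 ;; *) use_multiport=0 ;; esac
    if [ "$use_multiport" -eq 1 ] && multiport_ok "$ports"; then
        printf 'ip6tables -A %s -p %s -m multiport --dports %s -j %s\n' \
            "$chain" "$proto" "$ports" "$target"
        return 0
    fi
    # Fallback: one rule per listed port or range (a range a:b becomes --dport a:b).
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        printf 'ip6tables -A %s -p %s --dport %s -j %s\n' "$chain" "$proto" "$p" "$target"
    done
    IFS=$old_ifs
}

# Number of rules a record generates under the current MULTIPORT setting.
rule_count() {
    rules_for "$@" | grep -c .
}

MULTIPORT=Yes
rules_for net2fw tcp 22,80,443 ACCEPT        # one multiport rule
rules_for net2fw udp 6000:6010,7000 ACCEPT   # range present: one rule per entry
```

Counting rules this way is a cheap check of what a MULTIPORT change buys on a given rules6 file: a record with 16 ports or any range gains nothing from the setting.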
SUBSYSLOCK - This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops. Creating and removing this file allows 6wall to work with your distribution's initscripts. For LEAF it is /var/run/6wall.
STATEDIR - This parameter specifies the name of a directory where 6wall stores state information. If the directory doesn't exist when 6wall starts, it will create the directory.
NOTE: If you change the STATEDIR variable while the firewall is running, create the new directory if necessary then copy the contents of the old directory to the new directory.
MODULESDIR - This parameter specifies the directory where your kernel netfilter modules may be found. If you leave the variable empty, 6wall will supply the value /lib/modules/`uname -r`/kernel/net/ipv6/netfilter.
FW - Name of the firewall zone -- if not set or if set to an empty string, "fw" is assumed.
MUTEX_TIMEOUT - The value of this variable determines the number of seconds that programs will wait for exclusive access to the 6wall lock file. After the number of seconds corresponding to the value of this variable, programs will assume that the last program to hold the lock died without releasing the lock. If not set or set to the empty value, a value of 60 (60 seconds) is assumed. An appropriate value for this parameter would be twice the length of time that it takes your firewall system to process a "6wall restart" command.
SHOW_IP6TABLES_COMMANDS - When the value of this variable is set to "yes" all ip6tables commands generated by 6wall are also echoed to the terminal. This can be used for debugging. Default value is "no".
The /etc/6wall/6wall.conf file released with 6wall is as follows:

# L O G G I N G

LOGFILE=/var/log/messages
LOGMARKER='6wall:'
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
SITELOCAL_LOG_LEVEL=info

# L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/run/6wall
STATEDIR=/tmp/6wall
MODULESDIR=/lib/modules

# F I R E W A L L   O P T I O N S

FW=fw
IP_FORWARDING=On
MULTIPORT=No
MUTEX_TIMEOUT=60
SHOW_IP6TABLES_COMMANDS=no

# P A C K E T   D I S P O S I T I O N

BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
The file /etc/6wall/modules6 contains commands for loading the kernel modules required by 6wall-defined firewall rules. 6wall will source this file during start/restart provided that it exists and that the directory specified by the MODULESDIR parameter exists (see /etc/6wall/6wall.conf above).
The file that is released with 6wall calls the 6wall function "loadmodule" for each module in the set of modules to be loaded. The loadmodule function is called as follows:
loadmodule <modulename> [<module parameters>]
where <modulename> is the name of the module without the trailing ".o", and <module parameters> are optional parameters passed to the insmod utility.
The function determines whether the module named by <modulename> is already loaded and, if not, whether the ".o" file corresponding to the module exists in the module directory (MODULESDIR); if so, the following command is executed:
insmod moduledirectory/<modulename>.o <module parameters>
If that file doesn't exist, the function determines whether the ".o.gz" file corresponding to the module exists in the module directory. If it does, the function assumes that the running configuration supports compressed modules and executes the following command:
insmod moduledirectory/<modulename>.o.gz <module parameters>
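The loadmodule search order just described (already loaded? then .o, then .o.gz, otherwise fail) is reproduced below as an added example so it can be exercised without root. This is not 6wall's own loadmodule implementation: MODULESDIR is the guide's parameter, while PROC_MODULES, INSMOD and print_insmod are names assumed here so the example reads a constructed module list and prints insmod commands instead of running them. The module files and /proc/modules contents in the demonstration are constructed, not taken from a real kernel.

```shell
#!/bin/sh
# Added example, not 6wall's own code: the loadmodule search order the guide
# describes. PROC_MODULES, INSMOD and print_insmod are assumed names that let
# the example run unprivileged against constructed input.

PROC_MODULES=${PROC_MODULES:-/proc/modules}
INSMOD=${INSMOD:-insmod}

# Dry-run stand-in for insmod: print what would be executed.
print_insmod() {
    echo "insmod $*"
}

# Is the module already loaded? /proc/modules lists one module per line, name
# first. Module names use '_' where file names may use '-', so compare after
# normalising both.
module_loaded() {
    name=$(printf '%s' "$1" | tr '-' '_')
    [ -r "$PROC_MODULES" ] && awk -v m="$name" \
        '{ gsub("-", "_", $1) } $1 == m { found = 1 } END { exit !found }' "$PROC_MODULES"
}

# loadmodule <modulename> [<module parameters>]
# Returns 0 if the module is (or already was) loaded, 1 if neither a .o nor a
# .o.gz file for it exists in the module directory.
loadmodule() {
    mod=$1; shift
    dir=${MODULESDIR:-/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter}
    if module_loaded "$mod"; then
        return 0
    fi
    if [ -f "$dir/$mod.o" ]; then
        "$INSMOD" "$dir/$mod.o" "$@"
    elif [ -f "$dir/$mod.o.gz" ]; then
        # Kernel built for compressed modules: insmod is handed the .gz directly.
        "$INSMOD" "$dir/$mod.o.gz" "$@"
    else
        echo "loadmodule: $mod not found in $dir" >&2
        return 1
    fi
}

# Constructed demonstration tree: one plain module, one compressed module, and
# a /proc/modules listing that already contains ip6_tables.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/mods"
: >"$DEMO/mods/ip6t_LOG.o"
: >"$DEMO/mods/ip6t_multiport.o.gz"
printf 'ip6_tables 19040 0 - Live 0xffffffff\n' >"$DEMO/procmods"

MODULESDIR=$DEMO/mods PROC_MODULES=$DEMO/procmods INSMOD=print_insmod
loadmodule ip6_tables          # already loaded: nothing printed
loadmodule ip6t_LOG            # insmod .../ip6t_LOG.o
loadmodule ip6t_multiport      # insmod .../ip6t_multiport.o.gz
rm -rf "$DEMO"
```

The non-zero return for a missing module is the part worth keeping in a real modules6: a rule that needs ip6t_LOG or ip6t_multiport will fail later anyway, and failing at module-load time gives a clearer error than an ip6tables "No chain/target/match by that name" during the rules pass.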
Each line in /etc/6wall/blacklist6 contains an IPv6 address, a MAC address in Shorewall format, or a prefix. Example:
2001:86a:9631::e3:1234
fec0:1::/64
Packets from hosts listed in the blacklist file will be disposed of according to the value assigned to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in /etc/6wall/6wall.conf. Only packets arriving on interfaces that have the "blacklist" option in /etc/6wall/interfaces6 are checked against the blacklist. The blacklist is designed to prevent listed hosts/prefixes from accessing services on your network.
The blacklist file has three columns:
ADDRESS/PREFIX - As described above.
PROTOCOL - Optional. If specified, only packets specifying this protocol will be blocked.
PORTS - Optional; may only be given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated list of port numbers or service names (from /etc/services). If present, only packets destined for the specified protocol and one of the listed ports are blocked. When the PROTOCOL is icmp, the PORTS column contains a comma-separated list of ICMPv6 type numbers or names (see "ip6tables -p icmpv6 -h").
6wall also has a dynamic blacklist capability.
The /etc/6wall/blacklist6 file released with 6wall is empty.
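The blacklist6 columns above, together with BLACKLIST_DISPOSITION, BLACKLIST_LOGLEVEL, LOGRATE and LOGBURST from 6wall.conf, map onto ip6tables rules in a regular way; the following added example shows that mapping and also illustrates how LOGRATE/LOGBURST become --limit/--limit-burst on the logging rule. It is not 6wall's own blacklist code: the chain name "blacklst", the function names, the translation of "icmp" to ip6tables' "icmpv6" protocol name, and printing the commands instead of running them are choices made for this example, and attaching the chain to interfaces carrying the "blacklist" option is left to 6wall. The blacklist6 file in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not 6wall's own code: /etc/6wall/blacklist6 records ->
# ip6tables rules, honouring BLACKLIST_DISPOSITION, BLACKLIST_LOGLEVEL,
# LOGRATE and LOGBURST. Chain name, function names and the dry-run output
# are choices made for this example.

BLACKLIST_DISPOSITION=${BLACKLIST_DISPOSITION:-DROP}
BLACKLIST_LOGLEVEL=${BLACKLIST_LOGLEVEL:-}
LOGRATE=${LOGRATE:-}
LOGBURST=${LOGBURST:-}
CHAIN=blacklst

# --limit / --limit-burst fragment; empty when both parameters are unset, in
# which case log messages are not rate-limited.
limit_opts() {
    [ -z "$LOGRATE$LOGBURST" ] && return 0
    printf '%s' "-m limit"
    [ -n "$LOGRATE" ]  && printf ' --limit %s' "$LOGRATE"
    [ -n "$LOGBURST" ] && printf ' --limit-burst %s' "$LOGBURST"
    return 0
}

# One match expression -> optional LOG rule, then the disposition rule.
emit() {
    if [ -n "$BLACKLIST_LOGLEVEL" ]; then
        lim=$(limit_opts)
        printf 'ip6tables -A %s %s%s -j LOG --log-level %s --log-prefix "6wall:%s:%s:"\n' \
            "$CHAIN" "$1" "${lim:+ $lim}" "$BLACKLIST_LOGLEVEL" "$CHAIN" "$BLACKLIST_DISPOSITION"
    fi
    printf 'ip6tables -A %s %s -j %s\n' "$CHAIN" "$1" "$BLACKLIST_DISPOSITION"
}

# Rules for one record: ADDRESS/PREFIX [PROTOCOL [PORTS]]; "-" means empty.
# PORTS is comma-separated; each port (or ICMPv6 type) gets its own rule.
blacklist_rules() {
    addr=$1 proto=${2:-} ports=${3:-}
    [ "$proto" = "-" ] && proto=""
    [ "$ports" = "-" ] && ports=""
    [ "$proto" = "icmp" ] && proto=icmpv6      # ip6tables spells it icmpv6
    base="-s $addr"
    [ -n "$proto" ] && base="$base -p $proto"
    if [ -z "$ports" ]; then
        emit "$base"
        return 0
    fi
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        IFS=$old_ifs
        if [ "$proto" = icmpv6 ]; then
            emit "$base --icmpv6-type $p"
        else
            emit "$base --dport $p"
        fi
    done
    IFS=$old_ifs
}

# Whole file: skip comments and blank lines, one record per line.
gen_blacklist() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r addr proto ports _; do
        blacklist_rules "$addr" "$proto" "$ports"
    done
}

# Constructed blacklist6 for the demonstration.
BL=$(mktemp)
cat >"$BL" <<'EOF'
# ADDRESS/PREFIX        PROTOCOL        PORTS
2001:db8::bad
fec0:1::/64             tcp             135,139,445
2001:db8:1::/48         icmp            128
EOF

BLACKLIST_LOGLEVEL=info LOGRATE=10/minute LOGBURST=5
gen_blacklist "$BL"
rm -f "$BL"
```

Setting LOGRATE and LOGBURST is worth doing whenever BLACKLIST_LOGLEVEL is enabled: a blacklisted host that floods the firewall would otherwise fill LOGFILE at line rate, and the log messages themselves become the denial of service.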
This file lists the prefixes affected by the nositelocal interface option. Columns in the file are:
PREFIX - The prefix (e.g., fec0::/10, the IPv6 site-local range).
TARGET - What to do with packets to/from the PREFIX:
RETURN - Process the packet normally through the rules and policies.
DROP - Silently drop the packet.
logdrop - Log then drop the packet -- see the SITELOCAL_LOG_LEVEL parameter above.