5.2.7. IPv6 Address Object

The IPv6 address object is similar to the IPv4 address object. Like an IPv4 address object, it can be used either as a child of an interface object or as a stand-alone object.

5.2.7.1. IPv6 Address Object When Used as an Address of an Interface

Figure 5.32. IPv6 Address Object Assigned to an Interface Object


When it describes an IPv6 address of an interface, the object has a netmask represented as a prefix length (bit count). Unlike an IPv4 address object, whose netmask can also be written as a dotted-quad mask such as 255.255.255.0, an IPv6 netmask is always given as a prefix length (for example 64) and never as a string of octets.

5.2.7.2. IPv6 Address Object When Used as Stand-Alone Object

Figure 5.33. Stand-Alone IPv6 Address Object


In this case the object is located in the Objects / Addresses part of the objects tree (the same place where stand-alone IPv4 addresses are located) and does not have a netmask entry field: it describes a single host address. To create this kind of address, use the New Object menu item New Address IPv6 or the right-click menu associated with the Addresses folder in the tree.

Policy compilers treat IPv6 addresses in policy rules according to the same algorithms as those for IPv4 rules. For example, just as with IPv4, the compiler for iptables checks whether an address in the rule matches an address of any interface of the firewall to determine whether the rule belongs in the INPUT or OUTPUT chain (packets terminating on or originating from the firewall) or in the FORWARD chain (packets passing through it).

Consider the rule shown in the screenshot below, which uses two IPv6 address objects. One is the address of the firewall's inside interface (eth1); the other is the IPv6 address of the project's web site.

Figure 5.34. IPv6 Address Objects in a Rule


For iptables, Firewall Builder generates the following commands from this rule:

$IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 80 \
    -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -p tcp -m tcp -d 2001:470:1f0e:162::2 --dport 80 \
    -m state --state NEW -j ACCEPT

The rule that matches the address described by the object guardian-2:eth1:ipv6 went to the INPUT chain because the compiler detected that it matches packets headed for the firewall itself, which iptables inspects in the INPUT chain. The rule that matches the address described by the object ipv6.fwbuilder.org went to the FORWARD chain because those packets pass through the firewall rather than terminating on it.
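The chain selection described above, written out as an added Python example (this is not Firewall Builder's own compiler code, only a simplified model of the rule it applies). The firewall's eth1 address and the web site address come from the rule in the text; the /64 prefix length on eth1, the eth0 address and the object names in comments are assumptions made for the example. The interface_address helper also enforces the point from the section on interface addresses: an IPv6 netmask is accepted only as a prefix length, never as a mask written in address notation.

```python
import ipaddress
from dataclasses import dataclass, field


def interface_address(text):
    """Parse an interface address object: 'addr/prefixlen'.

    IPv6 netmasks are only ever a prefix length, so anything after the slash
    that is not an integer in 0..128 is rejected (an IPv4-style octet mask
    would be refused here, which is what the Firewall Builder GUI also does).
    """
    addr, sep, prefix = text.partition("/")
    if not sep or not prefix.isdigit() or not 0 <= int(prefix) <= 128:
        raise ValueError("IPv6 interface address needs a /prefix-length: %r" % text)
    return ipaddress.IPv6Interface("%s/%d" % (addr, int(prefix)))


def stand_alone_address(text):
    """Stand-alone IPv6 address object: no netmask field, so it is one host."""
    return ipaddress.IPv6Address(text)


# Constructed sample of the firewall "guardian-2" from the text.
# eth1's address is from the text; its /64 and the eth0 address are assumed.
FIREWALL_INTERFACES = {
    "eth0": interface_address("2001:db8:a::1/64"),            # assumed outside address
    "eth1": interface_address("fe80::21d:9ff:fe8b:8e94/64"),  # guardian-2:eth1:ipv6
}


def firewall_addresses(interfaces):
    """Host addresses configured on the firewall itself (prefix stripped)."""
    return {iface.ip for iface in interfaces.values()}


def select_chain(src, dst, fw_addrs):
    """Simplified version of the compiler's chain choice:
    destination is the firewall -> INPUT, source is the firewall -> OUTPUT,
    otherwise the packet transits the firewall -> FORWARD."""
    if dst is not None and dst in fw_addrs:
        return "INPUT"
    if src is not None and src in fw_addrs:
        return "OUTPUT"
    return "FORWARD"


@dataclass
class Rule:
    dst: list                      # IPv6Address objects; empty list means "any"
    src: list = field(default_factory=list)
    proto: str = "tcp"
    dport: int = 80
    action: str = "ACCEPT"


def compile_rule(rule, interfaces=FIREWALL_INTERFACES):
    """Emit one ip6tables command per (src, dst) pair, in the same shape as the
    commands shown in the text, each placed in the chain select_chain picks."""
    fw_addrs = firewall_addresses(interfaces)
    cmds = []
    for src in rule.src or [None]:
        for dst in rule.dst or [None]:
            chain = select_chain(src, dst, fw_addrs)
            parts = ["$IP6TABLES", "-A", chain, "-p", rule.proto, "-m", rule.proto]
            if src is not None:
                parts += ["-s", str(src)]
            if dst is not None:
                parts += ["-d", str(dst)]
            parts += ["--dport", str(rule.dport),
                      "-m", "state", "--state", "NEW", "-j", rule.action]
            cmds.append(" ".join(parts))
    return cmds


def example_rule():
    """The rule from Figure 5.34: any source, two IPv6 destinations, tcp/80."""
    return Rule(dst=[
        FIREWALL_INTERFACES["eth1"].ip,                   # guardian-2:eth1:ipv6
        stand_alone_address("2001:470:1f0e:162::2"),      # ipv6.fwbuilder.org
    ])


if __name__ == "__main__":
    for cmd in compile_rule(example_rule()):
        print(cmd)
```

Running the module prints two commands: the one for the eth1 address lands in INPUT and the one for the web site address in FORWARD, matching the generated output above. Swapping the firewall's own address into the source side of the rule makes select_chain return OUTPUT instead, which is the other half of the check the text describes.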

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.