The IPv6 address object is similar to the IPv4 address object. Like IPv4 address objects, it can be used both as a child of an interface object or as a stand-alone object.
If it is used to describe an IPv6 address of an interface, it has a netmask represented as a prefix bit length. Unlike an IPv4 address object, an IPv6 address object never represents the netmask as a colon-separated string of octets.
When it is used as a stand-alone object, it is located in the same part of the objects tree where stand-alone IPv4 addresses are located, and it does not have a netmask entry field. To create this kind of address, use the menu item or the right-click menu associated with the addresses folder in the tree.
Policy compilers treat IPv6 addresses in policy rules according to the same algorithms as those for IPv4 rules. For example, just like with IPv4, the compiler for iptables checks whether an address matches an address of any interface of the firewall to determine if the rule should be placed in the INPUT or OUTPUT chain.
Consider the rule shown in the screenshot below, where we use two IPv6 address objects. One object is the address of the firewall's inside interface, while the other is the IPv6 address of the project's web site.
For iptables, Firewall Builder generates the following commands from this rule:
    $IP6TABLES -A INPUT -p tcp -m tcp -d fe80::21d:9ff:fe8b:8e94 --dport 80 \
        -m state --state NEW -j ACCEPT
    $IP6TABLES -A FORWARD -p tcp -m tcp -d 2001:470:1f0e:162::2 --dport 80 \
        -m state --state NEW -j ACCEPT
The rule that matches the address described by the object guardian-2:eth1:ipv6 went to the INPUT chain because the compiler detected that this rule matches packets headed for the firewall itself, which iptables inspects in the INPUT chain. The rule that matches the address described by the object ipv6.fwbuilder.org went to the FORWARD chain because those packets pass through the firewall.
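The chain-selection step described above can be reproduced in a few lines. The following Python script is an added illustration, not Firewall Builder's own compiler code: it models a firewall with one interface address (carrying a prefix length, as the text describes for interface addresses) and two stand-alone destination objects, then places each rule in INPUT, OUTPUT or FORWARD depending on whether the destination or source matches one of the firewall's own interface addresses. The firewall name, the /64 prefix length and the assumption that the screenshot rule has source "any" and service tcp/80 are assumptions made here; the two addresses are the ones from the generated commands on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Interface:
    """A firewall interface; its IPv6 addresses carry a prefix length, never a dotted mask."""
    name: str
    addresses: List[ipaddress.IPv6Interface]

@dataclass
class Firewall:
    name: str
    interfaces: List[Interface]

    def owns(self, addr: ipaddress.IPv6Address) -> bool:
        """True if addr is configured on any interface of this firewall."""
        return any(addr == a.ip for iface in self.interfaces for a in iface.addresses)

def select_chain(fw: Firewall,
                 src: Optional[ipaddress.IPv6Address],
                 dst: Optional[ipaddress.IPv6Address]) -> str:
    """Mirror the page's rule: packets addressed to the firewall itself are inspected
    in INPUT, packets originating from it in OUTPUT, everything else in FORWARD."""
    if dst is not None and fw.owns(dst):
        return "INPUT"
    if src is not None and fw.owns(src):
        return "OUTPUT"
    return "FORWARD"

def compile_rule(fw: Firewall,
                 src: Optional[ipaddress.IPv6Address],
                 dst: Optional[ipaddress.IPv6Address],
                 proto: str, dport: int, action: str = "ACCEPT") -> str:
    """Render one ip6tables command in the same shape as the commands on this page."""
    parts = ["$IP6TABLES", "-A", select_chain(fw, src, dst), "-p", proto, "-m", proto]
    if src is not None:
        parts += ["-s", str(src)]
    if dst is not None:
        parts += ["-d", str(dst)]
    parts += ["--dport", str(dport), "-m", "state", "--state", "NEW", "-j", action]
    return " ".join(parts)

# Constructed sample objects: firewall "guardian-2" with eth1 holding the link-local
# address from the page (the /64 prefix length is an assumption), plus a stand-alone
# address object for the web site. Stand-alone objects have no netmask at all.
GUARDIAN2 = Firewall("guardian-2", [
    Interface("eth1", [ipaddress.IPv6Interface("fe80::21d:9ff:fe8b:8e94/64")]),
])
ETH1_IPV6 = ipaddress.IPv6Address("fe80::21d:9ff:fe8b:8e94")       # guardian-2:eth1:ipv6
WEBSITE_IPV6 = ipaddress.IPv6Address("2001:470:1f0e:162::2")      # ipv6.fwbuilder.org

def compile_example() -> List[str]:
    """Compile the page's rule (source any, two destination objects, tcp/80)."""
    return [compile_rule(GUARDIAN2, None, dst, "tcp", 80) for dst in (ETH1_IPV6, WEBSITE_IPV6)]

if __name__ == "__main__":
    for cmd in compile_example():
        print(cmd)
```

Running the script prints the INPUT rule for the interface address and the FORWARD rule for the web site address, matching the generated commands shown above; a rule whose source object is the firewall's own interface address would land in OUTPUT instead.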
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.