 |
FirewallBuilder |
|
Search Users Guide
We start with a firewall object that has some basic IPv4 policy. First, we need to add IPv6 addresses to its interfaces. Right-click to open the context menu associated with the interface object in the tree and click the item "Add IPv6 address".
Enter the address and netmask length, using the address required by your topology.
Adding IPv6 to an Internal Interface
We also need to create a network object to represent our local IPv6 network. Click in the new object menu.
Enter the name and address of this network. We are using the link-local address for illustration purposes.
Inspect the regular policy object. To see its parameters, double-click it in the tree to open it in the editor (see screenshot below). This object has a Name, IPv4/IPv6 setting and a Top ruleset checkbox. For iptables firewalls, there is also a pair of radio buttons that indicates whether the policy should affect filter+mangle tables or just mangle table.
The IPv4/IPv6 setting tells the compiler how it should interpret addresses of objects that appear in the rules. Possible configurations are "IPv4 only", "IPv6 only" and "Mixed IPv4 and IPv6":
"IPv4 only rule set" - Only addressable objects with IPv4 addresses will be used in the rules. If an object with an IPv6 address appears in rules, it is ignored. IPv6-only services such as ICMPv6 are also ignored. TCP and UDP services are used since they apply for both IPv4 and IPv6 rules.
"IPv6 only rule set" Only objects with IPv6 addresses are used and those with Ipv4 addresses are ignored. IPv6-only services such as ICMPv6 are used but IPv4-only services such as ICMP are ignored. TCP and UDP services are used since they apply for both IPv4 and IPv6 rules.
"Mixed IPv4 and IPv6 only rule set" The compiler makes two passes over the same rules, first to produce IPv4 configuration and then to produce IPv6 configuration. On each pass it uses only address objects with addresses matching address family of the pass. This is the best configuration for transitional configurations when IPv6 rules are gradually added to existing IPv4 configuration. Note that if you add IPv6 address to an interface of a firewall or a host object used in the rules, the compiler will use IPv4 addresses of the interface on IPv4 pass and new IPv6 address of the same interface on the IPv6 pass. This principle also applies to the mixed groups of addresses and services.
Compilers treat the "top rule set" parameter differently, depending on the firewall platform:
iptables: rules defined in such rule set will go into built-in chains INPUT,OUTPUT,FORWARD etc. Rules defined in rule sets where this checkbox is not checked go into user-defined chain with the name the same as the name of the rule set.
PF: rules defined in the rule set with "top rule set" checkbox turned off go into an anchor with the name of the rule set.
Cisco IOS access lists: if the top rule set checkbox is turned off, the rules go into access list with the name prefixed with the name of the rule set; this access list will not be assigned to interfaces via "ip access-group" command. Rule sets with checkbox "top rule set" checked generate ACLs with names consisting of the shortened name of interface and direction abbreviation ("in" or "out"). Only these lists are assigned to interfaces.
To add new policy, right-click the firewall object in the tree to open the context menu and use the menu item .
Assign a unique name to the new policy object, make it IPv6, and check the top ruleset checkbox, then click .
Now click the new policy object in the tree ("Policy_ipv6") and add some rules as usual. Here we have added a rule to permit all on loopback, a rule to permit incoming HTTP and ICMPv6 to the firewall and a rule to permit outgoing sessions from the internal network (object "local ipv6 net") and the firewall itself.
Now compile the policy. Note that in the progress output the compiler shows that it first processes IPv4 policy rule set, then compiles IPv6 policy rule set. I still have bunch of rules in the IPv4 policy from the previous examples in this section but the IPv6 policy is small and only has a few rules as shown on the screenshot above.
$ fwb_ipt -v -f policy_rules.fwb fw
*** Loading data ... done
Compiling rules for 'nat' table
processing 1 rules
rule 0 (NAT)
Compiling ruleset Policy for 'mangle' table
processing 1 rules
rule 0 (eth2)
Compiling ruleset Policy for 'filter' table
processing 17 rules
rule 1 (global)
rule 2 (global)
rule 3 (global)
rule 4 (global)
rule 5 (global)
rule 6 (global)
rule 7 (global)
rule 8 (global)
rule 9 (global)
rule 10 (global)
rule 11 (eth2)
rule 12 (lo)
rule 13 (global)
rule 14 (global)
rule 15 (global)
rule 16 (global)
rule 17 (global)
Compiling ruleset Policy_ipv6 for 'mangle' table, IPv6
Compiling ruleset Policy_ipv6 for 'filter' table, IPv6
processing 4 rules
rule Policy_ipv6 1 (global)
rule Policy_ipv6 2 (global)
rule Policy_ipv6 3 (global)
Compiled successfully
Here is a fragment of the generated script. The script uses the ip6tables routine to load rules into the kernel. The option "Assume firewall is part of any" was turned off in this firewall object so the rule #1 generated only iptables commands in the INPUT chain.
# ================ Table 'filter', rule set Policy_ipv6
# Policy compiler errors and warnings:
#
# Rule Policy_ipv6 0 (lo)
#
$IP6TABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule Policy_ipv6 1 (global)
#
echo "Rule Policy_ipv6 1 (global)"
#
$IP6TABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -m state --state NEW -j ACCEPT
#
# Rule Policy_ipv6 2 (global)
#
echo "Rule Policy_ipv6 2 (global)"
#
$IP6TABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A FORWARD -s 2001:db8:ffff:ffff::/64 -m state --state NEW -j ACCEPT
#
# Rule Policy_ipv6 3 (global)
#
echo "Rule Policy_ipv6 3 (global)"
#
$IP6TABLES -N Policy_ipv6_3
$IP6TABLES -A FORWARD -j Policy_ipv6_3
$IP6TABLES -A Policy_ipv6_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
$IP6TABLES -A Policy_ipv6_3 -j DROP
Let's try to compile the policy rule set configured as mixed IPv4+IPv6. To illustrate, I am using two simple rules.
Rule #0 permits everything on the loopback. The loopback interface of the firewall has two addresses: 127.0.0.1/8 and ::1/128. Rule #1 permits HTTP and any ICMPv6 to the firewall. Here is the generated iptables script for these two rules:
# ================ IPv4
# ================ Table 'filter', rule set Policy_mix
# Policy compiler errors and warnings:
#
# Rule Policy_mix 0 (lo)
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule Policy_mix 1 (global)
#
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
# ================ IPv6
# ================ Table 'filter', rule set Policy_mix
# Policy compiler errors and warnings:
#
# Rule Policy_mix 0 (lo)
#
$IP6TABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
#
# Rule Policy_mix 1 (global)
#
$IP6TABLES -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -p ipv6-icmp -m state --state NEW -j ACCEPT
The script has two parts, one for IPv4 and another for IPv6, generated from the same rule set "Policy_mix". The IPv4 part has only IPv4 addresses and services. The rule that permits ICMPv6 to the firewall is missing in this part of the script because ICMPv6 does not match the address family. The rule that permits HTTP to the firewall is there, though. The second (IPv6) part of the script both permits HTTP and ICMPv6 to the firewall.
Note: the rule that matches on an interface (column "Interface" is not "any") will compile for IPv6 only if this interface has IPv6 address.
If the loopback interface of the firewall did not have an address ::1/128, then the IPv6 part of the generated script would not have rules permitting anything on loopback (those with "-i lo" and "-o lo"). This may not be very obvious and may be confusing at first, but this behavior is very useful during transition from purely IPv4 network to a mix of IPv4 and IPv6 when you enable IPv6 only on some interfaces but not others.
Finally, let's look at the generated PF configuration for the same rules in the same mixed policy rule set:
table <tbl.r9999.d> { 192.0.2.1 , 192.168.1.1 }
table <tbl.r1.dx> { 2001:db8:1:1::1 , 2001:db8:ffff:ffff::1 }
# Rule Policy_mix 0 (lo)
#
pass quick on lo inet from any to any keep state
#
# Rule Policy_mix 1 (global)
#
pass in quick inet proto tcp from any to <tbl.r9999.d> port 80 keep state
# Rule Policy_mix 0 (lo)
#
pass quick on lo inet6 from any to any keep state
#
# Rule Policy_mix 1 (global)
#
pass in quick inet6 proto tcp from any to <tbl.r1.dx> port 80 keep state
pass in quick inet6 proto icmp6 from any to <tbl.r1.dx> keep state
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
Using free CSS Templates.