IPv4 and IPv6 addresses are different, and in FireHOL v2+ you must specify them explicitly. To ensure the rules are applied evenly, if you specify one you must specify both, or mark the whole rule as IPv4 or IPv6 only.
Not every option for IPv4 exists in IPv6 e.g. NAT and masquerading are not available until Linux 3.7 and may not be enabled on your system. If you do not have support for a rule in IPv6 on your system, you will need to mark it as IPv4 only.
To allow you to apply something to IPv4 or IPv6 only, anything in a configuration can be labelled. For instance to mark something as IPv4 only, write it as:
Most commands (e.g.
group) have been given special names e.g.
interface46 which are equivalent to labelling them with
Unlike IPv4 which has separate protocols for host resolution, IPv6 makes use of ICMPv6 messages. The IPv4 resolution protocols (ARP) were not filtered by netfilter (and therefore by FireHOL) but the IPv6 ones are.
This means explicit steps must be taken to allow them. Note that the service all does not enable these messages, you must enable them as explained below.
Further, these ICMPv6 messages are sent to multicast addresses which means if you use
dst values in your interfaces that host resolution and other facilities will not work correctly.
Therefore it is recommended that you set up a special
interface before any others:
version 6 # helpers which come before any interface... ipv6 interface any v6interop proto icmpv6 policy return # normal interfaces and routers start here... interface eth0 home # ... interface ppp0 internet # ... router home2internet inface eth0 outface ppp0 # ...
Various ICMPv6 messages need to be explicitly allowed for correct operation of IPv6. Firstly, certain ICMPv6 error messages must be enabled.
version 6 # helpers which come before any interface... ipv6 interface any v6interop proto icmpv6 server ipv6error accept policy return # normal interfaces and routers start here... interface eth0 home # ... interface ppp0 internet # ... router home2internet inface eth0 outface ppp0 server ipv6error accept # ...
Incoming and outgoing rules are different and are set up automatically. Do not use
client ipv6error accept except in a router where the outface is the "inside" of your firewall. See the ipv6error documentation for more information.
The remaining ICMPv6 messages should generally not be used in FireHOL router definitions, since the information they convey should be kept to the local network.
To allow hosts to communicate with one another over IPv6, network neighbour solicitation/advertisement messages (which do in IPv6 what ARP does in IPv4) must be enabled on interfaces.
ipv6 interface any v6interop proto icmpv6 server ipv6error accept client ipv6neigh accept server ipv6neigh accept policy return
Multicast Listener Discovery should be enabled on any interfaces taking part on a network which has multicast snooping enabled and is available from FireHOL versions 2.0.4+ and 3.0.1+.
Depending on the snooping, not having this may prevent neighbour and router discovery from working. Not everyone likes MLD though, so you may want to read up on it as many network configurations will work fine without.
ipv6 interface any v6interop proto icmpv6 server ipv6error accept client ipv6neigh accept server ipv6neigh accept client ipv6mld accept policy return
To allow network route auto-discovery, router solicitation/advertisement messages must be enabled on interfaces as a client.
ipv6 interface any v6interop proto icmpv6 server ipv6error accept client ipv6neigh accept server ipv6neigh accept client ipv6mld accept client ipv6router accept policy return
You can restrict these messages to particular interfaces if you want to control where your host can see IPv6 routes from.
If your machine will be routing IPv6, it will also need to be able to send router advertisement messages and Multicast Listener Queries (the latter for FireHOL versions 2.0.4+ and 3.0.1+).
ipv6 interface any v6interop proto icmpv6 server ipv6error accept client ipv6neigh accept server ipv6neigh accept client ipv6router accept server ipv6router accept server ipv6mld accept policy return
We will show you how to adapt this simple config in a few possible ways:
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80 interface4 eth0 home server ssh accept src 192.0.2.0/24 router4 home2net inface eth0 outface ppp+ masquerade server ssh accept
router4 which should apply to both IPv4 and IPv6 with no existing
dst should be updated to use the keywords without a suffix.
Other rules which do not have a
dst and apply equally to IPv4 and IPv6 are left unchanged. They will inherit the behaviour of the generalised
Rules which apply to IPv4 only or which you only want to apply to IPv4 addresses should be explicitly marked if they were not already.
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80 interface eth0 home server4 ssh accept src 192.0.2.0/24 router home2net inface eth0 outface ppp+ ipv4 masquerade server ssh accept
It is also possible to add new rules which only apply to IPv6.
If you do have want to specify an IPv6 address for a particular rule, to match an existing IPv4 address, generalise the
server keyword and specify the addresses explicitly with
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80 interface eth0 home server ssh accept src4 192.0.2.0/24 src6 2001:DB8::1:0/24 router home2net inface eth0 outface ppp+ ipv4 masquerade server ssh accept
The FireHOL variables such as $UNROUTABLE_IPS will work automatically in both contexts, so you can still write:
If you want to combine this with your own IPs or ranges, you will need to be explicit, like this:
router fromppp inface ppp+ src4 not "$UNROUTABLE_IPV4 198.51.100.0/24" src6 not "$UNROUTABLE_IPV6 2001:DB8::2:0/24" server ssh accept
since only the special FireHOL variables automatically switch for IPv4/6.
Some services only make sense as IPv4 or IPv6 and are automatically switched to that mode. They cannot be included in blocks of rules specified to the opposite mode.