FireHOL IPv6 Setup

First, get an IPv4 setup working. If you are starting from scratch, work through the new-user tutorial or another tutorial before continuing.

Notes on IPv4 and IPv6

IPv4 and IPv6 addresses are different, and in FireHOL v2+ you must specify them explicitly; FireHOL does not translate or guess. To keep the two rulesets in step, a rule that names an address of one family must also name an address of the other, or the whole rule must be marked as IPv4-only or IPv6-only.

Not every IPv4 feature exists for IPv6. NAT and masquerading, for example, only arrived for IPv6 in Linux 3.7 and may not be compiled into your kernel. If your system lacks IPv6 support for something a rule needs, mark that rule as IPv4-only.

Restricting commands to a particular version

To apply something to IPv4 or IPv6 only, any command in a configuration can be prefixed with a label. For instance, to mark something as IPv4-only, write it as:

ipv4 command...

Most commands (e.g. interface, router, client, server, route, group) also have suffixed forms, e.g. interface4/interface6/interface46, which are equivalent to labelling them ipv4, ipv6, or both.
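The "specify both or label the rule" requirement is easy to break once a configuration grows. The following lint, written for this page as an illustration and not part of FireHOL, reads a configuration and reports rules that apply to both families while their src or dst names only IPv4 or only IPv6 literals. It understands the ipv4/ipv6 prefix and the *4/*6/*46 command suffixes, and a rule inherits its family from the enclosing interface or router block. It assumes space-separated arguments and '#' comments, treats a quoted list containing both families as satisfying the rule (as the text above describes), and ignores hostnames, which may resolve to either family. The sample configuration at the bottom is constructed for the example.

```sh
#!/bin/sh
# firehol-family-lint.sh: report rules that cover both IPv4 and IPv6 but whose
# src or dst names only one address family. Written for this page as an
# illustration; it is not part of FireHOL. Assumes space-separated arguments,
# '#' comments, and that a quoted list mixing both families satisfies the rule.

# arg_value KEY LINE -> value of KEY on LINE (a quoted list or one word); empty if absent
arg_value() {
  printf '%s\n' "$2" | sed -n \
    -e "s/.*[[:space:]]$1[[:space:]]\{1,\}\"\([^\"]*\)\".*/\1/p" \
    -e "t" \
    -e "s/.*[[:space:]]$1[[:space:]]\{1,\}\([^[:space:]\"]\{1,\}\).*/\1/p"
}

# list_family LIST -> 4, 6, 46, or empty when no literal address is present (hostnames)
list_family() {
  _h4=0; _h6=0
  for _a in $1; do
    case $_a in
      *:*)                         _h6=1 ;;
      [0-9]*.[0-9]*.[0-9]*.[0-9]*) _h4=1 ;;
    esac
  done
  case "$_h4$_h6" in 10) echo 4 ;; 01) echo 6 ;; 11) echo 46 ;; *) echo "" ;; esac
}

# command_word LINE -> the command with any ipv4/ipv6 prefix removed
command_word() {
  set -f; set -- $1; set +f
  case ${1-} in ipv4|ipv6) shift ;; esac
  echo "${1-}"
}

# rule_family LINE INHERITED -> 4, 6 or 46 from an ipv4/ipv6 prefix or a *4/*6/*46 suffix
rule_family() {
  _inh=$2
  set -f; set -- $1; set +f
  case ${1-} in
    ipv4) echo 4 ;;  ipv6) echo 6 ;;  *46) echo 46 ;;
    *4)   echo 4 ;;  *6)   echo 6 ;;  *)   echo "$_inh" ;;
  esac
}

# lint_config < CONFIG -> one line per offending rule; exit status 1 if any were found
lint_config() {
  _block=46; _n=0; _bad=0
  while IFS= read -r _line; do
    _n=$((_n + 1))
    _line=${_line%%#*}
    case $_line in *[![:space:]]*) ;; *) continue ;; esac
    # a new interface/router block: an unsuffixed interface/router covers both families
    case $(command_word "$_line") in
      interface*|router*) _block=$(rule_family "$_line" 46); continue ;;
    esac
    _fam=$(rule_family "$_line" "$_block")
    for _key in src dst; do
      _val=$(arg_value "$_key" "$_line")
      [ -n "$_val" ] || continue
      _lf=$(list_family "$_val")
      case "$_fam:$_lf" in
        46:4|46:6)
          echo "line $_n: rule covers IPv4 and IPv6 but $_key is IPv$_lf only:$_line"
          _bad=$((_bad + 1)) ;;
      esac
    done
  done
  [ "$_bad" -eq 0 ]
}

# Constructed sample configuration: lines 7 and 16 break the rule, the rest do not.
sample_config='version 6

interface any v6interop proto icmpv6
  policy return

interface eth0 home
  server ssh accept src 192.0.2.0/24
  ipv4 server http accept src 192.0.2.0/24
  server ssh accept src "192.0.2.0/24 2001:db8::/32"
  server6 ssh accept src 2001:db8::/32

interface4 eth1 lan
  server ssh accept src 192.0.2.0/24

router home2net inface eth0 outface ppp+
  server ssh accept dst 2001:db8::1'

# Usage: sh firehol-family-lint.sh /etc/firehol/firehol.conf
#        sh firehol-family-lint.sh --sample   (lint the constructed configuration above)
case "${1-}" in
  --sample) printf '%s\n' "$sample_config" | lint_config ;;
  "")       : ;;
  *)        lint_config < "$1" ;;
esac
```

Run it against your own configuration before `firehol try`: the two flagged lines in the sample are exactly the cases the paragraph above forbids, an IPv4-only src inside a plain interface and an IPv6-only dst inside a plain router, while the labelled, suffixed and two-family rules pass.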

Enabling Basic IPv6 Networking

IPv4 relies on a separate protocol, ARP, to resolve addresses on the local link. ARP is not IP traffic, so netfilter's IP tables (and therefore FireHOL) never saw it. IPv6 instead performs neighbour discovery with ICMPv6 messages, which are ordinary IPv6 packets and are filtered like any other.

This means explicit steps must be taken to allow them. Note that the all service does not cover these messages; you must enable them as explained below.

Further, these ICMPv6 messages are sent to multicast addresses (and often from link-local or unspecified source addresses), so if you restrict your interfaces with src or dst values, neighbour discovery and the facilities that depend on it will not work correctly.

It is therefore recommended that you set up a special interface, before any others, which handles ICMPv6 for every network interface:

version 6

# helpers which come before any interface...

ipv6 interface any v6interop proto icmpv6
  policy return

# normal interfaces and routers start here...

interface eth0 home
# ...

interface ppp0 internet
# ...

router home2internet inface eth0 outface ppp0
# ...

Several kinds of ICMPv6 message must be explicitly allowed for IPv6 to work correctly. First, the ICMPv6 error messages must be enabled. Dropping them breaks more than diagnostics: IPv6 routers never fragment, so a host that cannot receive Packet Too Big will never complete path MTU discovery and large transfers will stall.

version 6

# helpers which come before any interface...

ipv6 interface any v6interop proto icmpv6
  server ipv6error accept
  policy return

# normal interfaces and routers start here...

interface eth0 home
# ...

interface ppp0 internet
# ...

router home2internet inface eth0 outface ppp0
  server ipv6error accept
# ...

Incoming and outgoing rules for ipv6error differ and FireHOL sets them up automatically. Do not use client ipv6error accept except in a router whose outface is the "inside" of your firewall. See the ipv6error documentation for more information.

The remaining ICMPv6 messages (neighbour discovery, router discovery and MLD) should generally not appear in FireHOL router definitions: they are link-local by design, are never forwarded by routers, and the information they convey must stay on the local network.

To allow hosts to communicate with one another over IPv6, neighbour solicitation/advertisement messages (which do in IPv6 what ARP does in IPv4) must be enabled on interfaces as both client and server:

ipv6 interface any v6interop proto icmpv6
  server ipv6error accept
  client ipv6neigh accept
  server ipv6neigh accept
  policy return

Multicast Listener Discovery (MLD) should be enabled on any interface attached to a network where the switches perform MLD snooping; the ipv6mld service is available from FireHOL versions 2.0.4+ and 3.0.1+.

When switches snoop MLD, a host that never sends MLD reports may not receive the solicited-node and all-routers multicast traffic that neighbour and router discovery rely on, so leaving this out can break both. Not everyone likes MLD though, so read up on it; many network configurations work fine without it.

ipv6 interface any v6interop proto icmpv6
  server ipv6error accept
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  policy return

To allow automatic discovery of routers and on-link prefixes, router solicitation/advertisement messages must be enabled on interfaces as a client:

ipv6 interface any v6interop proto icmpv6
  server ipv6error accept
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  client ipv6router accept
  policy return

You can restrict these messages to particular interfaces if you want to control where your host will accept IPv6 routes from. Any host on a link from which you accept router advertisements can announce itself as your default router, so confine client ipv6router to interfaces you trust.

If your machine will be routing IPv6 and announcing itself to the hosts on the local link, it also needs to send router advertisement messages and Multicast Listener Queries (the latter again from FireHOL versions 2.0.4+ and 3.0.1+), so it must act as a server for ipv6router and ipv6mld as well:

ipv6 interface any v6interop proto icmpv6
  server ipv6error accept
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  server ipv6mld accept
  client ipv6router accept
  server ipv6router accept
  policy return
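Once the configuration is active, check the loaded ruleset rather than trusting the config file. The script below, written for this page as an illustration and not part of FireHOL, reads an ip6tables-save dump and reports, for each of the four service names used above, which ICMPv6 types no rule accepts. The type numbers are the RFC ones (1-4 errors, 133/134 router discovery, 135/136 neighbour discovery, 130-132 and 143 MLD); that FireHOL's ipv6error, ipv6router, ipv6neigh and ipv6mld services match exactly these types is an assumption. The check is line-based: it looks for a rule matching the type that jumps straight to ACCEPT, whatever chain it is in, and does not check direction. The dump it ships with is constructed for the example.

```sh
#!/bin/sh
# check-icmpv6.sh: confirm that a loaded ip6tables ruleset accepts the ICMPv6
# types behind the four service names used above. Written for this page as an
# illustration; it is not part of FireHOL. Type numbers are from RFC 4443
# (errors), RFC 4861 (neighbour/router discovery) and RFC 2710/3810 (MLD);
# that FireHOL's services match exactly these types is an assumption, and the
# chain or direction a rule lives in is not checked.

# accepts_type DUMP TYPE -> success if a rule in DUMP matches ICMPv6 TYPE and jumps to ACCEPT
accepts_type() {
  printf '%s\n' "$1" | grep -Eq -e "--icmpv6-type $2( |/[0-9]+ ).*-j ACCEPT"
}

# missing_types DUMP "T1 T2 ..." -> the listed types that no rule in DUMP accepts
missing_types() {
  _miss=""
  for _t in $2; do
    accepts_type "$1" "$_t" || _miss="$_miss $_t"
  done
  printf '%s\n' "${_miss# }"
}

# check_dump DUMP -> one line per service, "OK" or "MISSING <types>"; exit status 1 if anything is missing
check_dump() {
  _rc=0
  while read -r _svc _types; do
    _m=$(missing_types "$1" "$_types")
    if [ -z "$_m" ]; then
      echo "$_svc: OK"
    else
      echo "$_svc: MISSING $_m"; _rc=1
    fi
  done <<'EOF'
ipv6error 1 2 3 4
ipv6neigh 135 136
ipv6router 133 134
ipv6mld 130 131 132 143
EOF
  return $_rc
}

# Constructed ip6tables-save excerpt standing in for a live dump: errors, neighbour
# discovery and router discovery are accepted; MLD is only dropped, never accepted.
sample_dump='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
COMMIT'

# Usage: ip6tables-save | sh check-icmpv6.sh -     (check the live ruleset)
#        sh check-icmpv6.sh --sample               (check the constructed dump above)
case "${1-}" in
  --sample) check_dump "$sample_dump" ;;
  -)        check_dump "$(cat)" ;;
esac
```

On the firewall itself run `ip6tables-save | sh check-icmpv6.sh -`. With the sample dump the errors, neighbour discovery and router discovery come back OK and ipv6mld is reported as MISSING 130 131 132 143, because the only rule touching type 130 drops it. A rule that accepts a type only after jumping into another chain is not recognised, so treat a MISSING line as something to confirm with ip6tables -S rather than as proof.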

Upgrading Existing Interfaces and Routers

We will show how to adapt this simple IPv4-only configuration in a few possible ways:

ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80

interface4 eth0 home
  server ssh accept src 192.0.2.0/24

router4 home2net inface eth0 outface ppp+
  masquerade
  server ssh accept