6wall User Guide

Revision History
Revision 1.0, June 2003
Initial document

Table of Contents

About 6wall
Getting started
Configuring 6wall
Controlling 6wall
Further information
Reference

About 6wall

What is 6wall?

6wall is for IPv6 what Shorewall is for IPv4

Never heard of Shorewall? Then I suggest that you first get acquainted with this excellent iptables based firewall for IPv4 at www.shorewall.net. 6wall is heavily based on Shorewall 1.4, in fact most of the work on 6wall has been to convert the functionalities for IPv4 in Shorewall to their IPv6 equivalent.

6wall is a Netfilter (ip6tables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

Although 6wall is Linux distribution independent, currently only a ready to use package for Linux Embedded Appliance Firewalls (LEAF) is available. It is currently distributed as part of the Bering-uClibc branch of LEAF.

Limitations

6wall is based on ip6tables, which currently doesn't support as many features as iptables. Therefore a number of options/features of Shorewall could not be converted to their IPv6 counterpart in 6wall. Below is an overview of the main limitations of 6wall/ip6tables compared to Shorewall/iptables:

  • No support for connection tracking

  • Allowed policies are ACCEPT, DROP, CONTINUE and NONE

  • Allowed actions for rules are ACCEPT, DROP, CONTINUE and LOG

  • Policies and actions REJECT, REDIRECT are not supported

  • Log target ULOG is not supported

  • Network Address Translation (SNAT and DNAT) is not available

More detailed information on the available options/features can be found in the 6wall reference manual.

Feedback

Comments on 6wall and the 6wall user guide should be addressed to its maintainer: Eric de Thouars.

Acknowledgments and Thanks

I would like to thank Tom Eastep for his work on Shorewall. Without his very structured programming style it would never have been possible for me to produce 6wall.

A lot of the 6wall documentation has been taken from Tom's site and adapted to reflect the changes I made from Shorewall to 6wall. In most cases the documentation and examples for Shorewall can directly be applied to 6wall by just replacing the IPv4 addresses with IPv6 addresses. Therefore this user guide will mainly give a global overview of 6wall, refer to Shorewall for most documentation and examples, and focus explicitly on the areas where 6wall and Shorewall differ.

Please don't bother Tom with 6wall questions, only Shorewall related questions should be directed to him !!!

Changelog

Current LEAF/LRP version: 1.0.1 - August 6, 2003

For changes since previous versions check the Changelog.

Getting started

Reading up

The best way to get started with 6wall is to read-up on the Shorewall documentation. Once you are familiar with those, setting up 6wall should be a piece of cake.

Recommended reading:

  • The Shorewall QuickStart Guides

    • Standalone Linux System

    • Two-interface Linux System acting as a firewall/router for a small local network

    • Three-interface Linux System acting as a firewall/router for a small local network and a DMZ

    These documents should give you a good idea what Shorewall and therefore 6wall is all about. For more complicated setups check the Shorewall documentation index.

  • Bering-uClibc user guide

Installing the 6wall.lrp package

Download the 6wall.lrp package and copy it to your LRP diskette. Edit your lrcfg.cfg file to add 6wall to the list of your packages.

Reboot. 6wall should be up and running!

Configuring 6wall

Overview

The 6wall package LRP configuration menu allows you to define the parameter files that together make up 6wall. If you've read the Shorewall documentation the names of these files should be familiar to you.

The most important parameter files that should be edited are:

  • Zone definitions

  • Interface definitions

  • Policy definitions

  • Rule definitions

For a complete description of the components that together make up 6wall check 6wall reference manual.

Zone definitions

The file /etc/6wall/zones6 is used to define the network zones. There is one entry for each zone. Columns in an entry are:

  • ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by 6wall itself. Note that the output produced by ip6tables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/6wall/6wall.conf.

  • DISPLAY - The name of the zone as displayed during 6wall startup.

  • COMMENTS - Any comments that you want to make about the zone. 6wall ignores these comments.

The /etc/6wall/zones6 file released with 6wall is as follows:

#ZONE	DISPLAY	COMMENTS
#
net	Net	Internet
loc	Local	Local networks

More details on the /etc/6wall/zones6 in the 6wall reference manual.

Interface definitions

The file /etc/6wall/interfaces6 is used to tell the firewall which of your firewall's network interfaces are connected to which zone. Columns in an entry are:

  • ZONE - A zone defined in the /etc/6wall/zones6 file.

  • INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file.

    Important

    DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!

  • OPTIONS - a comma-separated list of options. Possible options include:

    • routeback - This option causes 6wall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-".

    • tcpflags - This option causes 6wall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/6wall/6wall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.

    • blacklist - This option causes incoming packets on this interface to be checked against the blacklist.

    • nositelocal - Packets arriving on this interface and that have a site-local source address will be dropped after being optionally logged.

    • maclist - If this option is specified, all connection requests from this interface are subject to MAC Verification. May only be specified for ethernet interfaces.

The /etc/6wall/interfaces6 file released with 6wall is as follows:

#ZONE    INTERFACE      OPTIONS
#
net      tun6to4        nositelocal
loc      eth1

More details on the /etc/6wall/interfaces6 in the 6wall reference manual.

Policy definitions

The file /etc/6wall/policy6 is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies describe which zones are allowed to establish connections with other zones.

Four policies are defined:

  • ACCEPT - The connection is allowed.

  • DROP - The connection request is ignored.

  • CONTINUE - The connection is neither ACCEPTed nor DROPped. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. Where zones are nested or overlapping, the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones.

  • NONE - 6wall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and LIMIT:BURST columns must be left blank.

Entries in /etc/6wall/policy6 have four columns as follows:

  • SOURCE - The name of a client zone (a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all").

  • DEST - The name of a server zone (a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all"). 6wall automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.

  • POLICY - The default policy for connection requests from the SOURCE zone to the DESTINATION zone.

  • LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.

  • LIMIT:BURST - Optional. If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. Otherwise, this column specifies the maximum rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated. Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.

The /etc/6wall/policy6 file released with 6wall is as follows:

#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
#
loc	net	ACCEPT	-		-
net	all	DROP	info		-
all	all	DROP	info		-

More details on the /etc/6wall/policy6 in the 6wall reference manual.

Rule definitions

Policies established in /etc/6wall/policy6 can be viewed as default policies. Rules in /etc/6wall/rules6 define exceptions to these policies. Entries in the file have the following columns:

  • ACTION

    • ACCEPT, DROP, CONTINUE. These have the same meaning here as in the policy file above.

    • LOG - Log the packet -- requires a syslog level (see below).

    The ACTION may optionally be followed by ":" and a syslog level (example: DROP:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.

  • SOURCE - Describes the source hosts to which the rule applies. The contents of this field must begin with the name of a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all".

    If the source is not 'all' then the source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers may include:

    • An interface name - refers to any connection requests arriving on the specified interface (example loc:eth4). The interface name may optionally be followed by a colon (":") and an IP address or prefix (examples: net:eth0:2002:888::2ef, loc:eth1:fec0::/64).

    • An IP address - refers to a connection request from the host with the specified address (example net:2002:888::2ef).

    • A MAC Address in Shorewall format.

    • A prefix - refers to a connection request from any host in the specified subnet (example loc:fec0:1::/64).

  • DEST - Describes the destination host(s) to which the rule applies. May take most of the forms described above for SOURCE. Restrictions:

    • MAC addresses may not be specified.

    • You may not specify both an IP address and an interface name in the DEST column.

  • PROTO - Protocol. Must be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.

  • DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmpv6. For icmpv6, this column's contents are interpreted as an icmpv6 type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services.

  • SOURCE PORTS(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port number or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be either integers or service names from /etc/services.

The /etc/6wall/rules6 file released with 6wall is as follows:

#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE     
#						PORT	PORT(S)    
#
#       Allow ping6 from the firewall
#
ACCEPT	fw		all		icmpv6	echo-request
#
#
#       Allow ping6 from the local network to the firewall
#
ACCEPT	loc		fw		icmpv6	echo-request

More details on the /etc/6wall/rules6 in the 6wall reference manual.

Finishing up

After you've edited at least the files above to suit your needs, back up the 6wall package!!

Controlling 6wall

Overview

6wall can be controlled via the command 6wall.

# 6wall
Usage: 6wall [debug] [nolock] [-c <directory>] <command>
where <command> is one of:
   show [<chain>|log|mangle]
   start
   stop
   reset
   restart
   status
   clear
   refresh
   hits
   version
   check
   drop <address> ...
   allow <address> ...

Starting and stopping

After the configuration steps in the previous chapter, you can (re)start 6wall with the command 6wall start or 6wall restart

Stopping the firewall with the command 6wall stop results in denying all traffic through your system, except the traffic via the interfaces defined in /etc/6wall/routestopped6. The use and effects of this file are identical to the routestopped file of Shorewall, which is described here.

To disable 6wall completely and to allow all traffic, give the command 6wall clear

Information and status

Using the 6wall show ... and 6wall status commands, you can get information on the current status of the ip6tables configuration and the last 6wall entries in your logfile

6wall hits gives a summary of all 6wall entries in your logfile.

The 6wall configuration can be validated with 6wall check

Dynamic blacklisting

6wall uses two forms of blacklisting: static and dynamic blacklisting. Static blacklisting uses the configuration file /etc/6wall/blacklist. Dynamic blacklisting is controlled via the 6wall drop <ip address> and 6wall allow <ip address> commands.

For more information on blacklisting check the Shorewall documentation

Further information

As stated in the introduction, 6wall was derived from Shorewall. If there are any unclarities about how to configure a specific file or option for 6wall, a good starting point is to check out the documentation of Shorewall for your issue. The Shorewall documentation is very exhaustive and there is a good chance that you'll find what you're looking for.

Remember, the documentation here mainly focuses on the differences between Shorewall and 6wall. The section Reference goes into the 6wall specifics of the available configuration files.

Reference

Components

6wall consists of the following components:

  • 6wall -- a shell program (requiring a Bourne shell or derivative) used to control and monitor the firewall. This should be placed in /sbin or in /usr/sbin.

  • 6wall.conf -- a parameter file installed in /etc/6wall that is used to set several firewall parameters.

  • blacklist6 -- a parameter file installed in /etc/6wall and used to list blacklisted IP/prefix/MAC addresses.

  • common6.def -- a parameter file installed in /etc/6wall that defines firewall-wide rules that are applied before DROP policy is applied.

  • firewall -- a shell program that reads the configuration files in /etc/6wall and configures your firewall. This file is installed in /usr/share/6wall.

  • functions -- a set of shell functions used by both the firewall and 6wall shell programs. Installed in /usr/share/6wall.

  • hosts6 -- a parameter file installed in /etc/6wall and used to describe individual hosts or prefixes in zones.

  • interfaces6 -- a parameter file installed in /etc/6wall and used to describe the interfaces on the firewall system.

  • maclist6 -- a parameter file installed in /etc/6wall and used to verify the MAC address (and possibly also the IP address(es)) of devices.

  • modules6 -- a parameter file installed in /etc/6wall and that specifies kernel modules and their parameters. 6wall will automatically load the modules specified in this file.

  • params6 -- a parameter file installed in /etc/6wall that can be used to establish the values of shell variables for use in other files.

  • policy6 -- a parameter file installed in /etc/6wall that establishes overall firewall policy.

  • rules6 -- a parameter file installed in /etc/6wall and used to express firewall rules that are exceptions to the high-level policies established in /etc/6wall/policy6.

  • routestopped6 -- a parameter file in /etc/6wall used to define those hosts that can access the firewall when 6wall is stopped. The use and effects of this file are identical to the routestopped file of Shorewall, which is described here.

  • sitelocal -- a parameter file in /etc/6wall used to define the treatment of packets under the nositelocal interface option.

  • version -- a file created in /usr/share/6wall that describes the version of 6wall installed on your system.

  • zones6 -- a parameter file installed in /etc/6wall that defines a network partitioning into "zones".

/etc/6wall/params6

You may use the file /etc/6wall/params6 file to set shell variables that you can then use in some of the other configuration files.

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the 6wall programs.

Example:

NET_IF=eth0
NET_OPTIONS=blacklist,nositelocal

Example /etc/6wall/interfaces6 record:

net $NET_IF $NET_OPTIONS

The result will be the same as if the record had been written

net eth0 blacklist,nositelocal

Variables may be used anywhere in the other configuration files.

/etc/6wall/zones6

This file is used to define the network zones. There is one entry in /etc/6wall/zones6 for each zone. Columns in an entry are:

  • ZONE - short name for the zone. The name should be 5 characters or less in length and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by 6wall itself. Note that the output produced by ip6tables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/6wall/6wall.conf.

  • DISPLAY - The name of the zone as displayed during 6wall startup.

  • COMMENTS - Any comments that you want to make about the zone. 6wall ignores these comments.

The /etc/6wall/zones6 file released with 6wall is as follows:

#ZONE	DISPLAY	COMMENTS
net	Net	Internet
loc	Local 	Local networks

You may add, delete and modify entries in the /etc/6wall/zones6 file as desired so long as you have at least one zone defined.

Important

Warning 1: If you rename or delete a zone, you should perform 6wall stop; 6wall start to install the change rather than 6wall restart.

Important

Warning 2: The order of entries in the /etc/6wall/zones6 file is significant in some cases (see Shorewall doc).

/etc/6wall/interfaces6

This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/6wall/interfaces6 for each of your interfaces. Columns in an entry are:

  • ZONE - a zone defined in the /etc/6wall/zones6 file or "-". If you specify "-", you must use the /etc/6wall/hosts6 file to define the zones accessed via this interface.

  • INTERFACE - the name of the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file.

    Important

    DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!

  • OPTIONS - a comma-separated list of options. Possible options include:

    • routeback - This option causes 6wall to set up handling for routing packets that arrive on this interface back out the same interface. If this option is specified, the ZONE column may not contain "-".

    • tcpflags - This option causes 6wall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/6wall/6wall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.

    • blacklist - This option causes incoming packets on this interface to be checked against the blacklist.

    • nositelocal - Packets arriving on this interface and that have a site-local source address will be dropped after being optionally logged.

      Addresses blocked by this option are defined in the sitelocal file.

    • maclist - If this option is specified, all connection requests from this interface are subject to MAC Verification. May only be specified for ethernet interfaces.

The /etc/6wall/interfaces6 file released with 6wall is as follows:

#ZONE    INTERFACE      OPTIONS
net      tun6to4        nositelocal
loc      eth1

Some recommendations concerning options:

  • External Interface -- tcpflags,blacklist,nositelocal

  • Wireless Interface -- maclist,tcpflags

/etc/6wall/hosts6

For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/6wall/hosts6 file.

Important

WARNING: The only times that you need entries in /etc/6wall/hosts6 are:

  • You have more than one zone connecting through a single interface; or

  • You have a zone that has multiple subnetworks that connect through a single interface and you want the 6wall box to route traffic between those subnetworks.

IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!

Columns in this file are:

  • ZONE - a zone defined in the /etc/6wall/zones6 file.

  • HOST(S) - The name of a network interface followed by a colon (":") followed by either:

    • an IP address (example - eth1:2001:888::2f4)

    • a prefix (example - eth2:fec0:1::/64)

    The interface name must match an entry in /etc/6wall/interfaces6.

  • OPTIONS - A comma-separated list of options:

    • routeback - This option causes 6wall to set up handling for routing packets sent by this host group back to the same group.

    • maclist - If specified, connection requests from the hosts specified in this entry are subject to MAC Verification. This option is only valid for ethernet interfaces.

If you don't define any hosts for a zone, the hosts in the zone default to i0:::/0, i1:::/0, ... where i0, i1, ... are the interfaces to the zone.

Note

Note: You probably DON'T want to specify any hosts for your internet zone since the hosts that you specify will be the only ones that you will be able to access without adding additional rules.

Check the Shorewall doc for examples on how to use this file. Especially the section on Nested and Overlapping Zones.

The /etc/6wall/hosts6 file released with 6wall is empty.

/etc/6wall/policy6

This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies defined in /etc/6wall/policy6 describe which zones are allowed to establish connections with other zones.

Policies established in /etc/6wall/policy6 can be viewed as default policies. If no rule in /etc/6wall/rules6 applies to a particular connection request then the policy from /etc/6wall/policy6 is applied.

Four policies are defined:

  • ACCEPT - The connection is allowed.

  • DROP - The connection request is ignored.

  • CONTINUE - The connection is neither ACCEPTed nor DROPped. CONTINUE may be used when one or both of the zones named in the entry are sub-zones of or intersect with another zone. Where zones are nested or overlapping, the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones. For more information, see Shorewall doc.

  • NONE - 6wall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and LIMIT:BURST columns must be left blank.

For each policy specified in /etc/6wall/policy6, you can indicate that you want a message sent to your system log each time that the policy is applied.

Entries in /etc/6wall/policy6 have four columns as follows:

  • SOURCE - The name of a client zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all").

  • DEST - The name of a server zone (a zone defined in the /etc/6wall/zones6 file, the name of the firewall zone or "all"). 6wall automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.

  • POLICY - The default policy for connection requests from the SOURCE zone to the DESTINATION zone.

  • LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.

  • LIMIT:BURST - Optional. If left empty, TCP connection requests from the SOURCE zone to the DEST zone will not be rate-limited. Otherwise, this column specifies the maximum rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated.

    Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.

In the SOURCE and DEST columns, you can enter "all" to indicate all zones.

The policy file installed by default is as follows:

#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
#
loc	net	ACCEPT	-		-
net	all	DROP	info		-
all	all	DROP	info		-

This table may be interpreted as follows:

  • All connection requests from the local network to hosts on the internet are accepted.

  • All connection requests originating from the internet are dropped and logged at level KERNEL.INFO.

  • All other connection requests are dropped and logged.

WARNING -- The firewall script processes the /etc/6wall/policy6 file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies DROP.

#SOURCE	DEST	POLICY	LOG LEVEL	LIMIT:BURST
#
loc	all	ACCEPT	-		-
net	all	DROP	info		-
loc	loc	DROP	info		-

IntraZone Traffic

6wall allows a zone to be associated with more than one interface or with multiple networks that interface through a single interface. 6wall will ACCEPT all traffic from a zone to itself provided that there is no explicit policy governing traffic from that zone to itself (an explicit policy does not specify "all" in either the SOURCE or DEST column) and that there are no rules concerning connections from that zone to itself. If there is an explicit policy or if there are one or more rules, then traffic within the zone is handled just like traffic between zones is.

Any time that you have multiple interfaces associated with a single zone, you should ask yourself if you really want traffic routed between those interfaces. Cases where you might not want that behavior are:

  • Multiple "net" interfaces to different ISPs. You don't want to route traffic from one ISP to the other through your firewall.

  • Multiple VPN clients. You don't necessarily want them to all be able to communicate between themselves using your gateway/router.
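The first-match behaviour in the warning above and the intra-zone default described in this section, worked through in a small policy6 resolver. This is an added example, not 6wall's own code: it assumes the firewall zone is named fw, and the sample policy6 text it embeds is the released file plus one constructed rate-limited line.

```python
from dataclasses import dataclass
from typing import List, Optional

FW = "fw"                      # assumed value of the FW variable in 6wall.conf
POLICIES = {"ACCEPT", "DROP", "CONTINUE", "NONE"}


@dataclass
class Policy:
    source: str
    dest: str
    policy: str
    log_level: Optional[str] = None
    rate: Optional[str] = None      # e.g. "10/sec"
    burst: Optional[int] = None     # e.g. 40
    implicit: bool = False          # True for the built-in intra-zone ACCEPT

    @property
    def explicit(self) -> bool:
        # An explicit policy names real zones in both columns, never "all".
        return "all" not in (self.source, self.dest)


def parse_policy6(text: str) -> List[Policy]:
    """Parse policy6 text; raises ValueError on the combinations the guide forbids."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need SOURCE DEST POLICY")
        cols += ["-"] * (5 - len(cols))            # LOG LEVEL and LIMIT:BURST are optional
        src, dst, pol, log, lim = cols[:5]
        if pol not in POLICIES:
            raise ValueError(f"line {lineno}: unsupported policy {pol!r}")
        if src == FW and dst == FW:
            raise ValueError(f"line {lineno}: firewall zone in both SOURCE and DEST")
        if pol == "NONE" and (log != "-" or lim != "-"):
            raise ValueError(f"line {lineno}: NONE must leave LOG LEVEL and LIMIT:BURST blank")
        rate = burst = None
        if lim != "-":
            rate, _, b = lim.partition(":")        # "10/sec:40" -> ("10/sec", 40)
            burst = int(b) if b else None
        entries.append(Policy(src, dst, pol, None if log == "-" else log, rate, burst))
    return entries


def resolve(entries: List[Policy], source: str, dest: str,
            has_rules: bool = False) -> Optional[Policy]:
    """Effective policy for SOURCE -> DEST: the first applicable line, top to bottom."""
    if source == dest and not has_rules and not any(
            p.explicit and p.source == source and p.dest == dest for p in entries):
        # No explicit zone-to-itself policy and no rules: 6wall ACCEPTs intra-zone traffic.
        return Policy(source, dest, "ACCEPT", implicit=True)
    for p in entries:
        if p.source in (source, "all") and p.dest in (dest, "all"):
            return p
    return None                                     # nothing covers the pair


# The policy6 file released with 6wall, plus one constructed rate-limited line.
DEFAULT_POLICY6 = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc     net  ACCEPT -         -
loc     fw   ACCEPT -         10/sec:40
net     all  DROP   info      -
all     all  DROP   info      -
"""
# The file from the warning above: (loc, loc) hits the first line, not the third.
WARNING_POLICY6 = """\
loc     all  ACCEPT -    -
net     all  DROP   info -
loc     loc  DROP   info -
"""
DEFAULT = parse_policy6(DEFAULT_POLICY6)
WARNING = parse_policy6(WARNING_POLICY6)

if __name__ == "__main__":
    for src, dst in [("loc", "net"), ("net", "loc"), ("loc", "loc"), ("loc", "fw")]:
        print(src, "->", dst, resolve(DEFAULT, src, dst))
    print("warning file, loc -> loc:", resolve(WARNING, "loc", "loc"))
```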

/etc/6wall/rules6

The /etc/6wall/rules6 file defines exceptions to the policies established in the /etc/6wall/policy6 file. There is one entry in /etc/6wall/rules6 for each of these rules.

6wall automatically enables firewall->firewall traffic over the loopback interface (lo) -- that traffic cannot be regulated using rules and any rule that tries to regulate such traffic will generate a warning and will be ignored.

Entries in the file have the following columns:

  • ACTION

    • ACCEPT, DROP, CONTINUE. These have the same meaning here as in the policy file above.

    • LOG - Log the packet -- requires a syslog level (see below).

    The ACTION may optionally be followed by ":" and a syslog level (example: DROP:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.

  • SOURCE - Describes the source hosts to which the rule applies. The contents of this field must begin with the name of a zone defined in the /etc/6wall/zones6, the name of the firewall zone or "all".

    If the source is not "all" then the source may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers may include:

    • An interface name - refers to any connection requests arriving on the specified interface (example loc:eth4). The interface name may optionally be followed by a colon (":") and an IP address or prefix (examples: net:eth0:2002:888::2ef, loc:eth1:fec0::/64).

    • An IP address - refers to a connection request from the host with the specified address (example net:2002:888::2ef).

    • A MAC Address in Shorewall format.

    • A prefix - refers to a connection request from any host in the specified subnet (example loc:fec0:1::/64).

  • DEST - Describes the destination host(s) to which the rule applies. May take most of the forms described above for SOURCE. Restrictions:

    • MAC addresses may not be specified.

    • You may not specify both an IP address and an interface name in the DEST column.

  • PROTO - Protocol. Must be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.

  • DEST PORT(S) - Port or port range (<low port>:<high port>) being connected to. May only be specified if the protocol is tcp, udp or icmpv6. For icmpv6, this column's contents are interpreted as an icmpv6 type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services.

  • SOURCE PORTS(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but want to specify something in the next column, enter "-" in this column. If you wish to specify a list of port number or ranges, separate the list elements with commas (with no embedded white space). Port numbers may be either integers or service names from /etc/services.

The /etc/6wall/rules6 file released with 6wall is as follows:

#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE     
#						PORT	PORT(S)    
#
#       Allow ping6 from the firewall
#
ACCEPT	fw		all		icmpv6	echo-request
#
#
#       Allow ping6 from the local network to the firewall
#
ACCEPT	loc		fw		icmpv6	echo-request

For examples on how to define rules, check the Shorewall doc.
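A rule matcher for the columns described above, added here as an example and not part of 6wall: it parses rules6 lines, applies the first matching rule to a constructed connection request and returns None when the request falls through to policy6. It assumes port numbers are integers (service-name lookup in /etc/services is left out) and does not model MAC-address qualifiers; the two extra rules in the sample file are constructed.

```python
import ipaddress
from collections import namedtuple

ACTIONS = {"ACCEPT", "DROP", "CONTINUE", "LOG"}
Endpoint = namedtuple("Endpoint", "zone iface net")     # one parsed SOURCE or DEST column
Rule = namedtuple("Rule", "action log_level src dst proto dports sports")
# A connection request as the rules see it; dport is a port number, or the
# icmpv6 type name when proto is icmpv6 (all fields constructed for this example).
Request = namedtuple("Request", "src_zone dst_zone in_iface src_addr dst_addr proto "
                                "dport sport out_iface", defaults=("", "", ""))


def parse_endpoint(spec, is_dest=False):
    """zone[:interface][:address] or zone:address.  IPv6 literals contain colons,
    so the whole remainder is tried as an address before an interface is split off."""
    zone, _, rest = spec.partition(":")
    if not rest:
        return Endpoint(zone, None, None)
    if zone == "all":
        raise ValueError(f"{spec!r}: 'all' may not be qualified")
    if rest.startswith("~"):
        raise ValueError(f"{spec!r}: MAC qualifiers are not modelled here")
    try:
        return Endpoint(zone, None, ipaddress.IPv6Network(rest, strict=False))
    except ValueError:
        pass
    iface, _, addr = rest.partition(":")
    if addr and is_dest:
        raise ValueError(f"{spec!r}: DEST may not combine an interface and an address")
    net = ipaddress.IPv6Network(addr, strict=False) if addr else None
    return Endpoint(zone, iface, net)


def parse_rules6(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 4:
            raise ValueError(f"line {lineno}: need ACTION SOURCE DEST PROTO")
        cols += ["-"] * (6 - len(cols))      # DEST PORT(S) and SOURCE PORT(S) are optional
        action, _, level = cols[0].partition(":")
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unsupported action {action!r}")
        if action == "LOG" and not level:
            raise ValueError(f"line {lineno}: LOG requires a syslog level")
        rules.append(Rule(action, level or None, parse_endpoint(cols[1]),
                          parse_endpoint(cols[2], is_dest=True), *cols[3:6]))
    return rules


def ports_match(spec, value, proto):
    """Comma-separated ports and low:high ranges; icmpv6 types compare by name."""
    if spec == "-":
        return True
    if proto == "icmpv6":
        return value in spec.split(",")
    if not value:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= int(value) <= int(hi or lo):
            return True
    return False


def endpoint_matches(ep, zone, iface, addr):
    if ep.zone not in (zone, "all") or (ep.iface and ep.iface != iface):
        return False
    return ep.net is None or ipaddress.IPv6Address(addr) in ep.net


def first_match(rules, req):
    """First rule that applies; None means the policy6 default decides."""
    for r in rules:
        if (endpoint_matches(r.src, req.src_zone, req.in_iface, req.src_addr)
                and endpoint_matches(r.dst, req.dst_zone, req.out_iface, req.dst_addr)
                and r.proto in ("all", req.proto)
                and ports_match(r.dports, req.dport, req.proto)
                and ports_match(r.sports, req.sport, req.proto)):
            return r
    return None


# The two rules released with 6wall plus two constructed ones exercising qualifiers.
RULES6 = """\
#ACTION    SOURCE                 DEST   PROTO   DEST PORT(S)  SOURCE PORT(S)
ACCEPT     fw                     all    icmpv6  echo-request
ACCEPT     loc                    fw     icmpv6  echo-request
ACCEPT     net:eth0:2002:888::2ef fw     tcp     22
DROP:info  loc:fec0:1::/64        net    tcp     25,135:139
"""
RULES = parse_rules6(RULES6)
```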

/etc/6wall/common6.def

6wall allows definition of rules that apply between all zones. By default, these rules are defined in the file /etc/6wall/common6.def but may be modified to suit individual requirements. Rather than modify /etc/6wall/common6.def, you should copy that file to /etc/6wall/common6 and modify that file.

The /etc/6wall/common6 file is expected to contain ip6tables commands; rather than running ip6tables directly, you should run it indirectly using the 6wall function "run_ip6tables", as the released common6.def does. That way, if ip6tables encounters an error, the firewall will be safely stopped instead of being left half-configured.

The /etc/6wall/common6.def file released with 6wall is as follows:

############################################################################
# Allow ping and traceroute return traffic as long as connection tracking
# is not available
#
run_ip6tables -A common -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_ip6tables -A common -p udp --dport 135         -j reject
run_ip6tables -A common -p udp --dport 137:139     -j reject
run_ip6tables -A common -p udp --dport 445         -j reject
run_ip6tables -A common -p tcp --dport 139         -j reject
run_ip6tables -A common -p tcp --dport 445         -j reject
run_ip6tables -A common -p tcp --dport 135        -j reject
############################################################################
# UPnP
#
run_ip6tables -A common -p udp --dport 1900       -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_ip6tables -A common -p tcp --dport 113 -j reject
############################################################################
# Allow Neighbour and Router Advertisement messages
#
run_ip6tables -A common -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
run_ip6tables -A common -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
############################################################################

Note that the lowercase "reject" target in this file names a chain that 6wall creates, not the ip6tables REJECT target: jump targets are case sensitive, and a lowercase name refers to a user-defined chain. Check what that chain actually does on your installation with "ip6tables -L reject -n" before assuming, as the AUTH comment does, that blocked connection attempts fail quickly rather than time out.

/etc/6wall/6wall.conf

This file is used to set the following firewall parameters:

  • TCP_FLAGS_DISPOSITION - Determines the disposition of TCP packets that fail the checks enabled by the tcpflags interface option and must have a value of ACCEPT (accept the packet) or DROP (ignore the packet). If not set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION= ) then TCP_FLAGS_DISPOSITION=DROP is assumed.

  • TCP_FLAGS_LOG_LEVEL - Determines the syslog level for logging packets that fail the checks enabled by the tcpflags interface option. The value must be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL= ).

  • MACLIST_DISPOSITION - Determines the disposition of connection requests that fail MAC Verification and must have the value ACCEPT (accept the connection request anyway) or DROP (ignore the connection request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION= ) then MACLIST_DISPOSITION=DROP is assumed.

  • MACLIST_LOG_LEVEL - Determines the syslog level for logging connection requests that fail MAC Verification. The value must be a valid syslogd log level. If you don't want to log these connection requests, set to the empty value (e.g., MACLIST_LOG_LEVEL= ).

  • BLACKLIST_DISPOSITION - This parameter determines the disposition of packets from blacklisted hosts. In 6wall it may only have the value DROP (the packets are silently dropped); the REJECT disposition available in Shorewall is not supported.

  • BLACKLIST_LOGLEVEL - This parameter determines if packets from blacklisted hosts are logged and it determines the syslog level that they are to be logged at. Its value is a syslog level. If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not logged.

  • SITELOCAL_LOG_LEVEL - This parameter determines the level at which packets logged under the "nositelocal" mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed.

  • LOGRATE and LOGBURST - These parameters set the match rate and initial burst size for logged packets. Please see the ip6tables man page for a description of the behavior of these parameters (the ip6tables option --limit is set by LOGRATE and --limit-burst is set by LOGBURST). If both parameters are set empty, no rate-limiting will occur.

  • LOGFORMAT - The value of this variable generates the --log-prefix setting for 6wall logging rules. It contains a 'printf' formatting template which accepts three arguments (the chain name, the logging rule number (optional) and the disposition). To use LOGFORMAT with fireparse, set:

    LOGFORMAT="fp=%s:%d a=%s "

    If the LOGFORMAT value contains the substring '%d' then the logging rule number is calculated and formatted in that position; if that substring is not included then the rule number is not included. If not supplied or supplied as empty (LOGFORMAT="") then "6wall:%s:%s:" is assumed.

    Important

    /sbin/6wall uses the leading part of the LOGFORMAT string (up to but not including the first '%') to find log messages in the 'show log', 'status' and 'hits' commands. This part should not be omitted (the LOGFORMAT should not begin with "%") and the leading part should be sufficiently unique for /sbin/6wall to identify 6wall messages.

  • LOGFILE - This parameter tells the /sbin/6wall program where to look for 6wall messages when processing the show log, monitor, status and hits commands. If not assigned or if assigned an empty value, /var/log/messages is assumed.

  • IP_FORWARDING - This parameter determines whether 6wall enables or disables IPv6 Packet Forwarding (/proc/sys/net/ipv6/conf/all/forwarding). Possible values are:

    • On or on - packet forwarding will be enabled.

    • Off or off - packet forwarding will be disabled.

    • Keep or keep - 6wall will neither enable nor disable packet forwarding.

    If this variable is not set or is given an empty value (IP_FORWARDING= ) then IP_FORWARDING=On is assumed.

  • MULTIPORT - If set to "Yes" or "yes", 6wall will use the Netfilter multiport facility (the ip6tables "-m multiport" match). In order to use this facility, your kernel must have IPv6 multiport support (CONFIG_IP6_NF_MATCH_MULTIPORT, module ip6t_multiport). When this support is used, 6wall will generate a single rule from each record in the /etc/6wall/rules6 file that meets these criteria:

    • No port range(s) specified

    • Specifies 15 or fewer ports

    Rules not meeting those criteria will continue to generate an individual rule for each listed port or port range.

  • SUBSYSLOCK - This parameter should be set to the name of a file that the firewall should create if it starts successfully and remove when it stops. Creating and removing this file allows 6wall to work with your distribution's initscripts. For LEAF it is /var/run/6wall.

  • STATEDIR - This parameter specifies the name of a directory where 6wall stores state information. If the directory doesn't exist when 6wall starts, it will create the directory.

    NOTE: If you change the STATEDIR variable while the firewall is running, create the new directory if necessary then copy the contents of the old directory to the new directory.

  • MODULESDIR - This parameter specifies the directory where your kernel netfilter modules may be found. If you leave the variable empty, 6wall will supply the value /lib/modules/`uname -r`/kernel/net/ipv6/netfilter.

  • FW - Name of the firewall zone -- if not set or if set to an empty string, "fw" is assumed.

  • MUTEX_TIMEOUT - The value of this variable determines the number of seconds that programs will wait for exclusive access to the 6wall lock file. After the number of seconds corresponding to the value of this variable, programs will assume that the last program to hold the lock died without releasing the lock. If not set or set to the empty value, a value of 60 (60 seconds) is assumed. An appropriate value for this parameter would be twice the length of time that it takes your firewall system to process a "6wall restart" command.

  • SHOW_IP6TABLES_COMMANDS - When the value of this variable is set to "yes" all ip6tables commands generated by 6wall are also echoed to the terminal. This can be used for debugging. Default value is "no".

The /etc/6wall/6wall.conf file released with 6wall is as follows:

#  L O G G I N G

LOGFILE=/var/log/messages
LOGMARKER='6wall:'
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
SITELOCAL_LOG_LEVEL=info

#  L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/run/6wall
STATEDIR=/tmp/6wall
MODULESDIR=/lib/modules

#  F I R E W A L L   O P T I O N S

FW=fw
IP_FORWARDING=On
MULTIPORT=No
MUTEX_TIMEOUT=60
SHOW_IP6TABLES_COMMANDS=no

#  P A C K E T   D I S P O S I T I O N

BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
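The following added example (it is not 6wall's own code) applies the rules6 column rules and the MULTIPORT criteria described above to sample records and returns the ip6tables commands they imply. It assumes chain names of the form A2B for traffic from zone A to zone B, that "all" in DEST expands to every configured zone other than the source zone, and that the MULTIPORT criteria are checked against both the DEST and SOURCE port lists; none of those details are stated on this page.

```python
"""Added example (not 6wall's own code): expand /etc/6wall/rules6 records
into the ip6tables commands they imply, applying the DEST column
restrictions and the MULTIPORT criteria described above.

Assumptions not stated on the page: the chain for zone A -> zone B is
named "A2B" (the Shorewall 1.4 convention); "all" in DEST expands to every
configured zone except the source zone; the MULTIPORT criteria (no ranges,
15 ports or fewer) are checked against both the DEST and SOURCE port lists.
"""
import ipaddress
from itertools import product

ACTIONS = {"ACCEPT", "DROP", "CONTINUE", "LOG"}  # the only actions 6wall allows
PORT_PROTOS = {"tcp", "udp", "icmpv6"}           # DEST PORT(S) is valid only for these
MULTIPORT_MAX = 15


def _ipv6(text):
    """Validate an IPv6 address or prefix and return it in canonical form."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 6:
        raise ValueError(f"{text}: not an IPv6 address or prefix")
    return str(net)


def parse_host(field):
    """Split 'zone[:interface][:address|~mac]' into (zone, iface, addr, mac).

    IPv6 addresses contain ':' themselves, so the remainder after the zone
    is tried as an address first and only then as 'interface:address'.
    """
    zone, _, rest = field.partition(":")
    iface = addr = mac = None
    if rest.startswith("~"):                       # Shorewall MAC syntax ~xx-xx-...
        mac = rest[1:].replace("-", ":")
    elif rest:
        try:
            addr = _ipv6(rest)
        except ValueError:
            iface, _, tail = rest.partition(":")
            if tail.startswith("~"):
                mac = tail[1:].replace("-", ":")
            elif tail:
                addr = _ipv6(tail)
    return zone, iface, addr, mac


def ports(field):
    """Comma-separated ports/ranges; '-' (or nothing) means unrestricted."""
    return [] if field in ("", "-") else field.split(",")


def expand(record, zones, multiport=False):
    """Return the ip6tables command lines for one rules6 record."""
    cols = record.split()
    cols += ["-"] * (6 - len(cols))                # absent trailing columns
    action, source, dest, proto, dcol, scol = cols[:6]
    if action not in ACTIONS:
        raise ValueError(f"{action}: not a 6wall rule action")
    if "~" in dest:
        raise ValueError("MAC addresses may not be specified in DEST")
    szone, siface, saddr, smac = parse_host(source)
    dzone, diface, daddr, _ = parse_host(dest)
    if diface and daddr:
        raise ValueError("DEST may not give both an interface and an address")
    dlist, slist = ports(dcol), ports(scol)
    if (dlist or slist) and proto not in PORT_PROTOS:
        raise ValueError(f"ports cannot be given for protocol {proto}")

    base = []
    for flags, value in (("-i", siface), ("-s", saddr),
                         ("-m mac --mac-source", smac), ("-o", diface), ("-d", daddr)):
        if value:
            base += flags.split() + [value]
    if proto not in ("all", "-"):
        base += ["-p", proto]

    if proto == "icmpv6":
        # the DEST PORT(S) column holds ICMPv6 types, one rule per type
        matches = [["--icmpv6-type", t] for t in dlist] or [[]]
    elif (multiport and len(dlist) <= MULTIPORT_MAX and len(slist) <= MULTIPORT_MAX
          and not any(":" in p for p in dlist + slist)):
        m = []
        if dlist:
            m += ["--dports", ",".join(dlist)]
        if slist:
            m += ["--sports", ",".join(slist)]
        matches = [["-m", "multiport"] + m if m else []]
    else:
        # MULTIPORT=No, a range, or too many ports: one rule per combination
        matches = []
        for d, s in product(dlist or [None], slist or [None]):
            m = []
            if d:
                m += ["--dport", d]
            if s:
                m += ["--sport", s]
            matches.append(m)

    targets = [z for z in zones if z != szone] if dzone == "all" else [dzone]
    return [" ".join(["ip6tables", "-A", f"{szone}2{z}"] + base + m + ["-j", action])
            for z in targets for m in matches]
```

Calling expand() on the same record with multiport off and on shows the rule count differ; a range in either port column, or more than 15 ports, falls back to one rule per port combination, which is what the criteria above describe.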

/etc/6wall/modules6

The file /etc/6wall/modules6 contains commands for loading the kernel modules required by 6wall-defined firewall rules. 6wall will source this file during start/restart provided that it exists and that the directory specified by the MODULESDIR parameter exists (see /etc/6wall/6wall.conf above).

The file that is released with 6wall calls the 6wall function "loadmodule" for the set of modules that are loaded.

The loadmodule function is called as follows:

loadmodule <modulename> [ <module parameters> ]

where

<modulename>

is the name of the module without the trailing ".o".

<module parameters>

Optional parameters to the insmod utility.

The function determines if the module named by <modulename> is already loaded and if not then the function determines if the ".o" file corresponding to the module exists in the moduledirectory; if so, then the following command is executed:

insmod moduledirectory/<modulename>.o <module parameters>

If the file doesn't exist, the function determines if the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed modules and executes the following command:

insmod moduledirectory/<modulename>.o.gz <module parameters>
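The lookup order just described, as an added example (it is not the 6wall loadmodule function itself): the function returns the insmod command that would be run, or None when the module is already loaded or no file for it exists. The module directory is passed in explicitly rather than derived from MODULESDIR, the loaded-module set is read from /proc/modules unless supplied, and the sample directory built by make_sample_moduledir() is constructed for this example.

```python
"""Added example (not 6wall's own code): the decision logic of the
loadmodule function described above. Returns the insmod command line
that would be run, or None when there is nothing to do.

Assumptions: loaded modules are the first word of each /proc/modules line
unless a set is passed in; the module directory is given explicitly rather
than derived from MODULESDIR; make_sample_moduledir() builds a constructed
sample directory so the example runs without real kernel modules.
"""
import os
import tempfile


def loaded_modules(proc_modules="/proc/modules"):
    """Names of loaded modules; an empty set when /proc/modules is unavailable."""
    try:
        with open(proc_modules) as fh:
            return {line.split()[0] for line in fh if line.strip()}
    except OSError:
        return set()


def loadmodule(modulename, moduledir, params=(), loaded=None):
    """Skip an already loaded module, otherwise try <name>.o, then <name>.o.gz."""
    if loaded is None:
        loaded = loaded_modules()
    if modulename in loaded:
        return None
    for suffix in (".o", ".o.gz"):           # the compressed form is tried second
        path = os.path.join(moduledir, modulename + suffix)
        if os.path.isfile(path):
            return " ".join(["insmod", path, *params])
    return None                              # no file for this module in moduledir


def make_sample_moduledir():
    """Constructed sample: one plain and one gzip-named (empty) module file."""
    d = tempfile.mkdtemp(prefix="6wall-modules-")
    for name in ("ip6t_LOG.o", "ip6_tables.o.gz"):
        open(os.path.join(d, name), "w").close()
    return d
```

With the sample directory, loadmodule("ip6t_LOG", d) yields the plain .o path, loadmodule("ip6_tables", d, ("debug=1",)) falls through to the .o.gz file and appends the insmod parameter, and a module that is already in the loaded set, or has no file at all, yields None.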

/etc/6wall/blacklist6

Each line in /etc/6wall/blacklist6 contains an IPv6 address, a MAC address in Shorewall format, or a prefix. Example:

2001:86a:9631::e3:1234
fec0:1::/64

Packets from hosts listed in the blacklist file will be disposed of according to the value assigned to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in /etc/6wall/6wall.conf. Only packets arriving on interfaces that have the "blacklist" option in /etc/6wall/interfaces6 are checked against the blacklist. The blacklist is designed to prevent listed hosts/prefixes from accessing services on your network.

The blacklist file has three columns:

  • ADDRESS/PREFIX - As described above.

  • PROTOCOL - Optional. If specified, only packets specifying this protocol will be blocked.

  • PORTS - Optional; may only be given if PROTOCOL is tcp, udp or icmpv6. Expressed as a comma-separated list of port numbers or service names (from /etc/services). If present, only packets destined for the specified protocol and one of the listed ports are blocked. When the PROTOCOL is icmpv6, the PORTS column contains a comma-separated list of ICMPv6 type numbers or names (see "ip6tables -p icmpv6 -h").

6wall also has a dynamic blacklist capability.

The /etc/6wall/blacklist6 file released with 6wall is empty.
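As an added example (not 6wall's own code), the following turns blacklist6 records into the ip6tables commands implied by the BLACKLIST_DISPOSITION, BLACKLIST_LOGLEVEL, LOGFORMAT, LOGRATE and LOGBURST settings described above, including the fireparse-style LOGFORMAT. It assumes a chain named "blacklst", that the "%d" in LOGFORMAT is the ordinal of the logging rule within that chain counted from 1, and one rule per listed port (as with MULTIPORT=No); the page states none of these, and the per-interface dispatch controlled by the "blacklist" interface option is not modelled.

```python
"""Added example (not 6wall's own code): turn /etc/6wall/blacklist6 records
into the ip6tables commands implied by BLACKLIST_DISPOSITION,
BLACKLIST_LOGLEVEL, LOGFORMAT, LOGRATE and LOGBURST.

Assumptions not stated on the page: blacklist rules live in a chain named
"blacklst" (the Shorewall 1.4 convention); "%d" in LOGFORMAT is the ordinal
of the logging rule within that chain, counted from 1; MAC addresses use
Shorewall format (~xx-xx-xx-xx-xx-xx); tcp/udp port lists give one rule per
port, as with MULTIPORT=No.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
DEFAULT_LOGFORMAT = "6wall:%s:%s:"


def log_prefix(logformat, chain, rule_no, disposition):
    """Build the --log-prefix string from LOGFORMAT as described above."""
    fmt = logformat or DEFAULT_LOGFORMAT
    if fmt.startswith("%"):
        # /sbin/6wall needs a literal leading marker to find its own messages
        raise ValueError("LOGFORMAT must not begin with '%'")
    if "%d" in fmt:
        return fmt % (chain, rule_no, disposition)
    return fmt % (chain, disposition)


def _address_match(addr):
    """'-s <ipv6>' for an address/prefix, or a mac match for the ~xx-xx-... form."""
    if MAC_RE.match(addr):
        return ["-m", "mac", "--mac-source", addr[1:].replace("-", ":")]
    net = ipaddress.ip_network(addr, strict=False)
    if net.version != 6:
        raise ValueError(f"{addr}: not an IPv6 address or prefix")
    return ["-s", addr]


def expand_blacklist(text, conf, chain="blacklst"):
    """Return ip6tables command lines for the blacklist6 contents in `text`."""
    disposition = conf.get("BLACKLIST_DISPOSITION") or "DROP"
    if disposition != "DROP":
        raise ValueError("6wall supports only BLACKLIST_DISPOSITION=DROP")
    level = conf.get("BLACKLIST_LOGLEVEL") or ""          # empty: do not log
    limit = []
    if conf.get("LOGRATE"):
        limit += ["--limit", conf["LOGRATE"]]
    if conf.get("LOGBURST"):
        limit += ["--limit-burst", conf["LOGBURST"]]
    if limit:
        limit = ["-m", "limit"] + limit

    cmds, logged = [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()             # drop comments/blank lines
        if not line:
            continue
        addr, proto, portcol = (line.split() + ["-", "-"])[:3]
        match = _address_match(addr)
        if proto != "-":
            match += ["-p", proto]
        if portcol != "-":
            if proto not in ("tcp", "udp", "icmpv6"):
                raise ValueError("PORTS requires PROTOCOL tcp, udp or icmpv6")
            flag = "--icmpv6-type" if proto == "icmpv6" else "--dport"
            variants = [match + [flag, p] for p in portcol.split(",")]
        else:
            variants = [match]
        for m in variants:
            head = ["ip6tables", "-A", chain] + m
            if level:                                    # LOG rule precedes the DROP
                logged += 1
                prefix = log_prefix(conf.get("LOGFORMAT"), chain, logged, disposition)
                cmds.append(" ".join(head + limit + ["-j", "LOG", "--log-level", level,
                                                     "--log-prefix", f'"{prefix}"']))
            cmds.append(" ".join(head + ["-j", disposition]))
    return cmds
```

Feeding it the two entries shown above plus a MAC entry, with the released 6wall.conf values, produces a LOG rule followed by a DROP rule per entry (or per listed port); clearing BLACKLIST_LOGLEVEL removes the LOG rules, and a LOGFORMAT beginning with "%" is rejected for the reason given in the Important note above.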

/etc/6wall/sitelocal

This file lists the prefixes affected by the nositelocal interface option. Columns in the file are:

  • PREFIX - The prefix (e.g., fec0::/10, the site-local prefix).

  • TARGET - What to do with packets to/from the PREFIX:

    • RETURN - Process the packet normally through the rules and policies.

    • DROP - Silently drop the packet.

    • logdrop - Log then drop the packet -- see the SITELOCAL_LOG_LEVEL parameter above.