mikemol / fireholv6
Firehol firewall with patches for IPv6 support
Home Page: http://sourceforge.net/mailarchive/message.php?msg_id=27014139
License: GNU General Public License v2.0
Once enough issues are cleaned up for a mostly-seamless upgrade of a firehol to a fireholv6 setup, it would be very good to get distributions currently distributing Firehol to package the new software, and to get distributions which don't currently package Firehol to package fireholv6.
I don't know which distributions are currently packaging firehol beyond Debian and Ubuntu. I know that Gentoo doesn't, but I'd like to remedy that as well.
An automated test suite would be great.
The debug function produces comprehensive output which might be appropriate as a starting point.
Alternatively warn the user not to run the suite on a machine where a firewall is running and check the final results dumped back from iptables.
'helpme' needs a lot of work to function well in the presence of IPv6. Most significantly in coping with ICMPv6, but fixups to things like 'masquerade' and 'protection strong' are also needed.
Uncertain, but by my notes, 'protection strong' may only appropriately function with an 'ipv4' prefix, but I have it commented out completely on any dual-stack interfaces, so it may be breaking IPv6 there. Need to look into that a bit more.
On the tail end of TCP connections, unless both ESTABLISHED and RELATED packets are allowed via the conntrack module, we seem to be chopping off the final FIN packet.
This not only clutters up logs, it can change the way applications behave. For example, I've seen this interfere with early versions of Pandora's HTML5 interface; the song reached its end, but Pandora's server kept sending more data.
http and https helpers, and possibly most TCP helpers, should be configured to not drop that tail-end FIN packet.
It would be very nice to have helper tables to jump to, or, at the very least, macros for inserting recurring sets of rules.
For example, I have five interfaces on one machine which have several rules in common:
Two of the interfaces also have these commonalities:
Additional groupable rules would include internally-facing ICMPv6 vs externally-facing ICMPv6 behaviors.
Need to update the docs to reflect the changes from the debian/ubuntu packaging in commit d0e562c
Also, HTML includes google ads, presumably for the benefit of the original firehol site. These should be removed from the documentation in this source tree.
blacklist doesn't work for ipv6 because ipv6 doesn't know "--reject-with icmp-host-unreachable"
The ipv4 blacklist directive is OK.
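As an added illustration of the mismatch described in this report (this is example code, not part of fireholv6): the IPv4 REJECT type icmp-host-unreachable does not exist in ip6tables, whose REJECT target offers icmp6-addr-unreachable instead, so a blacklist helper has to pick the reject type per address family. The function names and the chain name BLACKLIST are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not fireholv6 code. Emits the REJECT rule a blacklist helper
# should generate for one address, choosing a reject type that exists for the
# address family. Chain name BLACKLIST and function names are assumptions.

reject_with_for() {
    # $1 = ipv4 | ipv6 ; prints the matching --reject-with value
    case "$1" in
        ipv4) printf '%s\n' 'icmp-host-unreachable' ;;
        ipv6) printf '%s\n' 'icmp6-addr-unreachable' ;;   # no host-unreachable in IPv6
        *) printf 'unknown family: %s\n' "$1" >&2; return 1 ;;
    esac
}

family_of() {
    # An address containing ':' is IPv6; anything else is treated as IPv4.
    case "$1" in
        *:*) printf 'ipv6\n' ;;
        *)   printf 'ipv4\n' ;;
    esac
}

blacklist_rule() {
    # $1 = source address to reject; prints the iptables/ip6tables command line
    addr="$1"
    fam=$(family_of "$addr") || return 1
    rw=$(reject_with_for "$fam") || return 1
    case "$fam" in
        ipv4) tool=iptables ;;
        ipv6) tool=ip6tables ;;
    esac
    printf '%s -A BLACKLIST -s %s -j REJECT --reject-with %s\n' "$tool" "$addr" "$rw"
}

# Constructed sample addresses (documentation ranges); nothing touches the live firewall.
blacklist_rule 192.0.2.10
blacklist_rule 2001:db8::bad
```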
vlan dot interfaces are recognized incorrectly in ipv6
example:
    interface eth0.123 inv6
        client all accept
        server all accept
is ignored for ipv6
Anywhere I use it, I have it prefixed with 'ipv4'. Perhaps that should be the default.
Some drops/rejects just come down to noise, such as rejecting random dhcp client broadcasts received by a cable modem, or blocking IPP or mdns broadcasts from exiting a router on a wan interface. Once identified as harmless, it would be preferential to simply drop it, without logging!
It would be convenient to have helper targets for dropping and rejecting that don't log.