fireholv6's People

Contributors

jaalto, philwhineray

Forkers

novikane

fireholv6's Issues

Distribution of IPv6-capable Firehol

Once enough issues are cleaned up for a mostly-seamless upgrade of a firehol to a fireholv6 setup, it would be very good to get distributions currently distributing Firehol to package the new software, and to get distributions which don't currently package Firehol to package fireholv6.

I don't know which distributions are currently packaging firehol beyond Debian and Ubuntu. I know that Gentoo doesn't, but I'd like to remedy that as well.

Test suite

An automated test suite would be great.

The debug function produces comprehensive output which might be appropriate as a starting point.

Alternatively warn the user not to run the suite on a machine where a firewall is running and check the final results dumped back from iptables.

get 'helpme' set up properly for IPv6

'helpme' needs a lot of work to function well in the presence of IPv6. Most significantly in coping with ICMPv6, but fixups to things like 'masquerade' and 'protection strong' are also needed.

'protection strong' and IPv6

Uncertain, but by my notes, 'protection strong' may only appropriately function with an 'ipv4' prefix, but I have it commented out completely on any dual-stack interfaces, so it may be breaking IPv6 there. Need to look into that a bit more.

'http', 'https' (and other TCP?) helpers shouldn't drop related traffic.

On the tail end of TCP connections, unless both ESTABLISHED and RELATED packets are allowed via the conntrack module, we seem to be chopping off the final FIN packet.

This not only clutters up logs, it can change the way applications behave. For example, I've seen this interfere with early versions of Pandora's HTML5 interface; the song reached its end, but Pandora's server kept sending more data.

http and https helpers, and possibly most TCP helpers, should be configured to not drop that tail-end FIN packet.

Helper tables or macros

It would be very nice to have helper tables to jump to, or, at the very least, macros for inserting recurring sets of rules.

For example, I have five interfaces on one machine which have several rules in common:

  • All accept ping
  • All accept ssh
  • All accept smtp

Two of the interfaces also have these commonalities:

  • Accepts DHCP
  • Accepts dns
  • Accepts ntp
  • Accepts smtp
  • Accepts IPP
  • Accepts connections to a proxy server

Additional groupable rules would include internally-facing ICMPv6 vs externally-facing ICMPv6 behaviors.

Review documentation

Need to update the docs to reflect the changes from the debian/ubuntu packaging in commit d0e562c

Also, HTML includes google ads, presumably for the benefit of the original firehol site. These should be removed from the documentation in this source tree.

blacklist and ipv6

blacklist doesn't work for ipv6 because ipv6 doesn't know "--reject-with icmp-host-unreachable"

The ipv4 blacklist directive is OK.

drop/reject without logging

Some drops/rejects just come down to noise, such as rejecting random dhcp client broadcasts received by a cable modem, or blocking IPP or mdns broadcasts from exiting a router on a wan interface. Once identified as harmless, it would be preferable to simply drop it, without logging!

It would be convenient to have helper targets for dropping and rejecting that don't log.
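The following is an added example, not code from fireholv6 or FireHOL, that shows in one small ip(6)tables rule generator the patterns asked for in four of the issues above: the ESTABLISHED,RELATED accept ahead of the per-service rules (the http/https helper issue), shared rule groups reused across several interfaces (the helper tables or macros issue), a blacklist that picks the REJECT type the family actually supports, since ip6tables has no icmp-host-unreachable and icmp6-addr-unreachable is its closest counterpart (the blacklist and ipv6 issue), and a quiet DROP with no LOG rule in front of it (the drop/reject without logging issue). It also accepts the handful of ICMPv6 types an IPv6 host cannot function without, which is the kind of fix-up the helpme issue alludes to. The interface names eth0 to eth4 and wan0, the blacklisted addresses and the service list are constructed for illustration; the service-to-port table uses the standard ports. The script emits raw iptables/ip6tables commands rather than FireHOL directives, and only prints them.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: a small ip(6)tables rule generator.
# Interface names, addresses and the service table are constructed for
# illustration.  It only prints commands; review them before running them.

# Binary and REJECT type per address family.  ip6tables has no
# icmp-host-unreachable; icmp6-addr-unreachable is its closest counterpart.
fw_bin()  { [ "$1" = 6 ] && echo ip6tables || echo iptables; }
fw_rejt() { [ "$1" = 6 ] && echo icmp6-addr-unreachable || echo icmp-host-unreachable; }

# One stateful ACCEPT per family.  A FIN on a tracked flow still matches
# ESTABLISHED; RELATED covers ICMP errors and helper-opened data channels.
stateful() {
    local fam
    for fam in 4 6; do
        echo "$(fw_bin "$fam") -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
}

# ICMPv6 an IPv6 host cannot work without: neighbour discovery and path-MTU
# discovery.  On a router, accept router-advertisement on the LAN side only.
icmpv6_base() {
    local t
    for t in router-solicitation router-advertisement neighbour-solicitation \
             neighbour-advertisement packet-too-big; do
        echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
}

# Accept new connections to one TCP/UDP port on one interface.
port() {   # port BIN IFACE PROTO DPORT
    echo "$1 -A INPUT -i $2 -p $3 --dport $4 -m conntrack --ctstate NEW -j ACCEPT"
}

# Accept one named inbound service on one interface for one family.
allow() {   # allow FAMILY IFACE SERVICE
    local fam=$1 iface=$2 svc=$3 bin p
    bin=$(fw_bin "$fam")
    case $svc in
        ping) [ "$fam" = 6 ] && p="icmpv6 --icmpv6-type" || p="icmp --icmp-type"
              echo "$bin -A INPUT -i $iface -p $p echo-request -j ACCEPT" ;;
        ssh)  port "$bin" "$iface" tcp 22 ;;
        smtp) port "$bin" "$iface" tcp 25 ;;
        dns)  port "$bin" "$iface" udp 53; port "$bin" "$iface" tcp 53 ;;
        ntp)  port "$bin" "$iface" udp 123 ;;
        ipp)  port "$bin" "$iface" tcp 631 ;;
        dhcp) [ "$fam" = 6 ] && port "$bin" "$iface" udp 547 || port "$bin" "$iface" udp 67 ;;
        *)    echo "unknown service: $svc" >&2; return 1 ;;
    esac
}

# "Macros": rule groups shared by several interfaces, expanded for both
# families.  firehol.conf is sourced by bash, so the same trick works there.
base_services="ping ssh smtp"
lan_services="dhcp dns ntp ipp"
apply_group() {   # apply_group IFACE "svc svc ..."
    local iface=$1 svcs=$2 fam svc
    for fam in 4 6; do
        for svc in $svcs; do allow "$fam" "$iface" "$svc" || return 1; done
    done
}

# Blacklist one address; the family is taken from the address syntax.
blacklist() {   # blacklist ADDR
    local fam
    case $1 in *:*) fam=6 ;; *) fam=4 ;; esac
    echo "$(fw_bin "$fam") -I INPUT -s $1 -j REJECT --reject-with $(fw_rejt "$fam")"
}

# Drop known-harmless noise with no LOG rule in front of it.
quiet_drop() {   # quiet_drop FAMILY IFACE PROTO DPORT
    echo "$(fw_bin "$1") -A INPUT -i $2 -p $3 --dport $4 -j DROP"
}

# Everything else is logged (rate limited) and then dropped.
logged_default() {
    local fam bin
    for fam in 4 6; do
        bin=$(fw_bin "$fam")
        echo "$bin -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
        echo "$bin -A INPUT -j DROP"
    done
}

# Five-interface host from the issue: all share the base group, two add the LAN group.
ruleset() {
    local iface
    stateful
    icmpv6_base
    for iface in eth0 eth1 eth2 eth3 eth4; do apply_group "$iface" "$base_services"; done
    for iface in eth1 eth2; do apply_group "$iface" "$lan_services"; done
    quiet_drop 4 wan0 udp 67      # stray DHCP client broadcasts on the WAN side
    quiet_drop 4 wan0 udp 5353    # inbound mDNS
    blacklist 192.0.2.7           # constructed addresses (TEST-NET-1, 2001:db8::/32)
    blacklist 2001:db8::bad
    logged_default
}

ruleset
```

Running the script prints 65 rules. The blacklist rules are inserted at the top of INPUT so they take effect before the stateful accept, and the quiet drops sit between the per-service accepts and the logged default, which is what keeps them out of the logs.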
