On 2/17/24 10:22 AM, Justin Streiner wrote:
> Getting back to the recently revised topic of this thread - IPv6 uptake -
> what have people's experiences been related to crafting sane v6 firewall
> rulesets in recent products from the major firewall players (Palo Alto,
> Cisco, Fortinet, etc)? On the last major v6 deployment I did, working with
> the firewalls was definitely one of the major pain points because the
> support / stability was really lacking, or there wasn't full feature parity
> between their v4 and v6 capabilities.

Depends on how complex you want to be with firewall rules.
My web server is on Ubuntu 20.04. During the IPv4-only days, I used UFW
(uncomplicated firewall) to implement a mostly-closed firewall, punching
pin-holes for 80 and 443, and disabled any interface forwarding. When I
upgraded to IPv4 and IPv6, the process of duplicating the policy in IPv6
was easy.
The UFW package is built on top of IPTABLES and IP6TABLES.
Now, my edge router is going to be a different story. As the number of
rules goes up, UFW becomes tedious and finicky. Manually crafting rules
in NFT is tedious and error-prone. Getting all the rules right the
first time is, um, hard. Automation is absolutely required. So I'm
writing the automation in Python, and driving the rules generator from a
YAML database.
Expect this to be published on Github. When? Depends on when I find
the time. This is not a priority project -- I'm so mad at my upstream
that I find playing Mahjongg is necessary to settle my nerves.
I've said this earlier: by the time the NEED for IPv6 arises, I expect
to be dead.
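An added example, not the poster's unpublished tool: a minimal Python generator of the kind described above, rendering a mostly-closed dual-stack nftables ruleset (pin-holes for 80 and 443, forwarding dropped) from a policy dict. The dict is constructed here to stand in for the YAML database; the `inet` family is what lets one rule cover both IPv4 and IPv6 instead of duplicating the policy in `ip` and `ip6` tables.

```python
# Constructed sample policy. In the tool the post describes, a dict with this
# shape would come from yaml.safe_load() on the YAML database; it is inlined
# here so the example runs offline.
POLICY = {
    "allow_tcp": [80, 443],   # pin-holes for the web server
    "forward": False,         # no interface forwarding
}

def validate(policy: dict) -> None:
    """Reject a policy that would render into an invalid ruleset."""
    for port in policy.get("allow_tcp", []):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"bad TCP port in policy: {port!r}")

def render_ruleset(policy: dict) -> str:
    """Render an nft script for a mostly-closed host.

    The 'inet' family makes one rule match both IPv4 and IPv6 packets, so the
    policy is written once instead of being duplicated in 'ip' and 'ip6' tables.
    """
    validate(policy)
    ports = ", ".join(str(p) for p in sorted(set(policy.get("allow_tcp", []))))
    fwd = "accept" if policy.get("forward") else "drop"
    lines = [
        "flush ruleset",
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        # ICMPv6 carries neighbour discovery and PMTUD; a v4 policy copied
        # verbatim that drops all ICMP would break IPv6 connectivity.
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    if ports:
        lines.append(f"    tcp dport {{ {ports} }} accept")
    lines += [
        "  }",
        "  chain forward {",
        f"    type filter hook forward priority 0; policy {fwd};",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy accept;",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_ruleset(POLICY))
```

Write the output to a file and run `nft -c -f <file>` to syntax-check it before loading it with `nft -f`.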