First, get an IPv4 setup operational. If you are starting from scratch, try the new user tutorial or some other tutorial first.
IPv4 and IPv6 addresses are different, and in FireHOL v2+ you must specify them explicitly. To ensure the rules are applied evenly, if you specify one you must specify both, or mark the whole rule as IPv4 or IPv6 only.
Not every option for IPv4 exists in IPv6 e.g. NAT and masquerading are not available until Linux 3.7 and may not be enabled on your system. If you do not have support for a rule in IPv6 on your system, you will need to mark it as IPv4 only.
To allow you to apply something to IPv4 or IPv6 only, anything in a configuration can be labelled. For instance to mark something as IPv4 only, write it as:
ipv4 command...
Most commands (e.g. interface, router, client, server, route, group) have been given special names, e.g. interface4/interface6/interface46, which are equivalent to labelling them with ipv4, ipv6 or both.
Unlike IPv4, which has a separate protocol for host resolution, IPv6 makes use of ICMPv6 messages. The IPv4 resolution protocol (ARP) was not filtered by netfilter (and therefore not by FireHOL), but the IPv6 ones are.
This means explicit steps must be taken to allow them. Note that the all service does not enable these messages; you must enable them as explained below.
Further, these ICMPv6 messages are sent to multicast addresses, which means that if you use src or dst values in your interfaces, host resolution and other facilities will not work correctly.
Therefore it is recommended that you set up a special interface before any others:
version 6

# helpers which come before any interface...
ipv6 interface any v6interop proto icmpv6
    policy return

# normal interfaces and routers start here...
interface eth0 home
    # ...

interface ppp0 internet
    # ...

router home2internet inface eth0 outface ppp0
    # ...
Add a server ipv6error accept at the top of the v6interop interface and again at the top of each router. Read the service documentation associated with the version you installed.
FireHOL versions 3+ do not require the ipv6error service and it will be removed from FireHOL 4.
The remaining ICMPv6 messages should generally not be used in FireHOL router definitions, since the information they convey should be kept to the local network.
To allow hosts to communicate with one another over IPv6, network neighbour solicitation/advertisement messages (which do in IPv6 what ARP does in IPv4) must be enabled on interfaces.
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    policy return
Multicast Listener Discovery should be enabled on any interface taking part in a network which has multicast snooping enabled; the ipv6mld service is available from FireHOL versions 2.0.4+ and 3.0.1+.
Depending on the snooping, not having this may prevent neighbour and router discovery from working. Not everyone likes MLD though, so you may want to read up on it, as many network configurations will work fine without it.
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6mld accept
    policy return
To allow network route auto-discovery, router solicitation/advertisement messages must be enabled on interfaces as a client.
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6mld accept
    client ipv6router accept
    policy return
You can restrict these messages to particular interfaces if you want to control where your host can see IPv6 routes from.
If your machine will be routing IPv6, it will also need to be able to send router advertisement messages and Multicast Listener Queries (the latter for FireHOL versions 2.0.4+ and 3.0.1+).
ipv6 interface any v6interop proto icmpv6
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6router accept
    server ipv6router accept
    server ipv6mld accept
    policy return
We will show you how to adapt this simple IPv4-only config in a few possible ways:
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80

interface4 eth0 home
    server ssh accept src 192.0.2.0/24

router4 home2net inface eth0 outface ppp+
    masquerade
    server ssh accept
Any interface4 or router4 which should apply to both IPv4 and IPv6, and which has no existing src or dst, should be updated to use the keyword without a suffix.
Other rules which do not have a src or dst and apply equally to IPv4 and IPv6 are left unchanged; they inherit the behaviour of the generalised interface or router.
Rules which apply to IPv4 only or which you only want to apply to IPv4 addresses should be explicitly marked if they were not already.
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80

interface eth0 home
    server4 ssh accept src 192.0.2.0/24

router home2net inface eth0 outface ppp+
    ipv4 masquerade
    server ssh accept
It is also possible to add new rules which only apply to IPv6.
If you do want to specify an IPv6 address for a particular rule, to match an existing IPv4 address, generalise the client or server keyword and specify the addresses explicitly with src4/src6 and dst4/dst6, e.g.:
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80

interface eth0 home
    server ssh accept src4 192.0.2.0/24 src6 2001:DB8::1:0/24

router home2net inface eth0 outface ppp+
    ipv4 masquerade
    server ssh accept
The FireHOL variables such as $UNROUTABLE_IPS will work automatically in both contexts, so you can still write:
router fromppp inface ppp+ src not "$UNROUTABLE_IPS"
If you want to combine this with your own IPs or ranges, you will need to be explicit, like this:
router fromppp inface ppp+ src4 not "$UNROUTABLE_IPV4 198.51.100.0/24" src6 not "$UNROUTABLE_IPV6 2001:DB8::2:0/24"
    server ssh accept
since only the special FireHOL variables automatically switch between IPv4 and IPv6.
Some services only make sense as IPv4 or IPv6 and are automatically switched to that mode. They cannot be included in blocks of rules specified to the opposite mode.
IPv4 only: dhcp and timestamp.
IPv6 only: dhcpv6, ipv6neigh, ipv6mld, and ipv6router.
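The pieces above assembled into one complete firehol.conf, as an added example that is not taken from the FireHOL documentation or project. It assumes FireHOL 2.0.4+ (so the ipv6error and ipv6mld services exist and ipv6error is still required) and a host that routes IPv6 for the home LAN, which is why the router-advertisement and MLD rules appear on the server side as well.

```firehol
version 6

# ICMPv6 helpers: this interface must come before any other interface.
# Assumed: FireHOL 2.0.4+ and a host that routes IPv6 for the LAN,
# hence both the client and server forms of ipv6router and ipv6mld.
ipv6 interface any v6interop proto icmpv6
    server ipv6error accept
    client ipv6neigh accept
    server ipv6neigh accept
    client ipv6mld accept
    server ipv6mld accept
    client ipv6router accept
    server ipv6router accept
    policy return

# The port forward stays IPv4-only: no IPv6 NAT is assumed on this kernel.
ipv4 dnat to 192.0.2.1 inface ppp+ proto tcp dport 80

# No suffix on interface/router: the block applies to both families.
interface eth0 home
    # one rule for both families, each with its own source list
    server ssh accept src4 192.0.2.0/24 src6 2001:DB8::1:0/24
    # dhcp is automatically IPv4-only and dhcpv6 automatically IPv6-only,
    # so neither needs a label inside this dual-stack block
    server dhcp accept
    server dhcpv6 accept

interface ppp+ internet
    client all accept

# Every router starts with ipv6error so ICMPv6 errors are forwarded.
router home2net inface eth0 outface ppp+
    server ipv6error accept
    # masquerade is labelled ipv4 because IPv6 NAT may be unavailable
    ipv4 masquerade
    server ssh accept

# A bare "src not $UNROUTABLE_IPS" would switch family by itself; adding
# our own ranges forces the explicit per-family src4/src6 form.
router fromppp inface ppp+ src4 not "$UNROUTABLE_IPV4 198.51.100.0/24" src6 not "$UNROUTABLE_IPV6 2001:DB8::2:0/24"
    server ipv6error accept
    server ssh accept
```

On FireHOL 3+ the two server ipv6error accept lines can be dropped, as the text above notes.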