On 2/17/24 10:22 AM, Justin Streiner wrote:
Getting back to the recently revised topic of this thread - IPv6 uptake - what have peoples' experiences been related to crafting sane v6 firewall rulesets in recent products from the major firewall players (Palo Alto, Cisco, Fortinet, etc)? On the last major v6 deployment I did, working with the firewalls was definitely one of the major pain points because the support / stability was really lacking, or there wasn't full feature parity between their v4 and v6 capabilities.
Depends on how complex you want to be with firewall rules. My web server is on Ubuntu 20.04. During the IPv4-only days, I used UFW (uncomplicated firewall) to implement a mostly-closed firewall, punching pin-holes for 80 and 443, and disable any interface forwarding. When I upgraded to IPv4 and IPv6, the process of duplicating the policy in IPv6 was easy. The UFW package is built on top of IPTABLES and IP6TABLES. Now, my edge router is going to be a different story. As the number of rules goes up, UFW becomes tedious and finicky. Manually crafting rules in NFT is tedious and error-prone. Getting all the rules right the first time is, um, hard. Automation is absolutely required. So I'm writing the automation in Python, and driving the rules generator from a YAML database. Expect this to be published on Github. When? Depends on when I find the time. This is not a priority project -- I'm so mad at my upstream that I find playing Mahjongg is necessary to settle my nerves. I've said this earlier: by the time the NEED for IPv6 arises, I expect to be dead.