On 9-11-2011 11:07, Tom Hill wrote:
On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
I am biased because I am a pfSense developer.
pfSense is a free open source FreeBSD based firewall with the pf packet filter. http://www.pfsense.org
I'm a very happy user of m0n0wall and I know pfSense is often seen as the more 'grown up' variant.
Still though, I hear bad things of the IPv6 support in pfSense. It's "available" but not stock-standard & supported.
That is correct, it is in the 2.1 branch. Our code has diverged a lot from m0n0wall where it came from so porting it was not easy. Instead I wrote the code from scratch. I wrote the IPv6 code in pfSense 2.1 for the last year and I've been using it in production for quite a while now. Since February this year to be precise. It is true that until 2.1 is released somewhere next year the latest official release is pfSense 2.0. The people running Commercial support do support 2.1 with IPv6 if you need it though. There are already a number of customers running it in production because they needed IPv6 support. The biggest holdup is lack of commercial VPN client support for dual-stack. Viscosity, TunnelBlick I am looking at you. We do ship a working Windows OpenVPN dual stack client solution in the Client exporter on 2.1. Working dual stack for your VPN solution is kind of important if you expect to be able to reach your corporate servers. Much grief/fun to be had here. If the corporate LAN advertises quad A records then it will confuse your VPN clients if they have a v4 VPN address but only a v6 internet address.
How does the pfSense developer attitude towards filtering the entire Internet, IPv6 included, currently stand?
I do not quite understand your question. If you are referring to a default deny policy on incoming traffic, then yes. The default rule is to deny incoming traffic over IPv6 as it did over IPv4. You will need to create rules to allow it through. Default LAN rule is allow both IPv4 and IPv6 out. Ofcourse you can alter the firewall rules as you see fit. If I misunderstood your question then please verify. Kind regards, Seth