Routing




  • 1.  IPv6 Firewall Filters

    Posted 02-18-2010 12:31

    Hi all

    We are preparing for a dual stack deployment of IPv4/IPv6 and are in the process of converting some IPv4 firewall filters into their IPv6 equivalent.

    My question is how do I do something like:

    term T1{
      match {
         source-address x/x;
         protocol tcp;
         port 22;
      }
      then{
        permit;
      }
    }

    The protocol keyword doesn't seem to be available in the IPv6 filter? Yet as far as I am aware TCP and UDP both run as normal on top of IPv6?

    Ideas?


    #IPv6
    #firewall
    #filters


  • 2.  RE: IPv6 Firewall Filters
    Best Answer

    Posted 02-18-2010 13:56

    This is because there isn't a protocol identifier in the IP part of IPv6, just a next-header pointer.  Therefore the firewall filter operates on looking for the appropriate next-header:
    term ssh {
        from {
            source-prefix-list {
                inet6-mgmt-hosts;
            }
            next-header tcp;
            port ssh;
        }
        then accept;
    }


    Hope that helps!
    David
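
Added example, not part of the original thread: a short Python sketch of the next-header chain the answer above refers to. It reads the Next Header byte of the fixed IPv6 header and then follows any extension headers to the upper-layer protocol, so a captured packet can be checked against what a `next-header tcp` term is meant to permit. The sample packets, addresses (documentation prefix 2001:db8::/32) and function names are constructed for illustration.

```python
import struct

# Extension headers walked here (IANA protocol numbers). Anything else,
# including AH/ESP, is treated as the upper-layer protocol.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, TCP = 0, 43, 44, 60, 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def first_next_header(pkt: bytes) -> int:
    """Next Header byte of the fixed 40-byte IPv6 header (offset 6)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return pkt[6]

def upper_layer(pkt: bytes):
    """Follow the Next Header chain; return (protocol, offset) of the payload.
    Offset is None for a non-first fragment, which has no upper-layer header."""
    proto, off = first_next_header(pkt), 40
    while proto in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, ext_len = pkt[off], pkt[off + 1]
        if proto == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return nxt, None
            size = 8                      # Fragment header has a fixed size
        else:
            size = (ext_len + 1) * 8      # length is in 8-byte units, minus one
        proto, off = nxt, off + size
    return proto, off

def tcp_dst_port(pkt: bytes):
    """Destination port if the upper layer is TCP and its header is present."""
    proto, off = upper_layer(pkt)
    if proto != TCP or off is None or off + 4 > len(pkt):
        return None
    return struct.unpack("!H", pkt[off + 2:off + 4])[0]

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet, 2001:db8::1 -> 2001:db8::2."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: a TCP SYN to port 22, bare, behind Destination Options, and a later fragment.
SYN_22 = struct.pack("!HHIIHHHH", 50000, 22, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
PLAIN = ipv6(TCP, SYN_22)
WITH_DSTOPTS = ipv6(DEST_OPTS, bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + SYN_22)
FRAG2 = ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 185 << 3, 1) + b"data")
```

In `PLAIN` the fixed header's Next Header is 6 (TCP); in `WITH_DSTOPTS` it is 60 and TCP only appears one header further along, which is the difference from IPv4's single protocol field.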



  • 3.  RE: IPv6 Firewall Filters

    Posted 02-19-2010 00:48

    Thank you very much.

    That makes perfect sense.