Firewalls - Ease of Use and Maintenance?

Tom Hill tom at ninjabadger.net
Wed Nov 9 11:45:29 UTC 2011


On Wed, 2011-11-09 at 12:01 +0100, Seth Mos wrote:
> That is correct, it is in the 2.1 branch. Our code has diverged a lot
> from m0n0wall where it came from so porting it was not easy. Instead I
> wrote the code from scratch.
> 
> I wrote the IPv6 code in pfSense 2.1 for the last year and I've been
> using it in production for quite a while now. Since February this year
> to be precise.
> 
> It is true that until 2.1 is released somewhere next year the latest
> official release is pfSense 2.0.
> 
> The people running Commercial support do support 2.1 with IPv6 if you
> need it though. There are already a number of customers running it in
> production because they needed IPv6 support.

TH: This is good news. I look forward to the general availability of 2.1
in this case. An "official" release supporting v6 properly is long
overdue for pfSense; users have been complaining about the lack of
support for *years*.

> The biggest holdup is lack of commercial VPN client support for
> dual-stack. Viscosity, TunnelBlick I am looking at you. We do ship a
> working Windows OpenVPN dual stack client solution in the Client
> exporter on 2.1.
> 
> Working dual stack for your VPN solution is kind of important if you
> expect to be able to reach your corporate servers. Much grief/fun to be
> had here. If the corporate LAN advertises quad A records then it will
> confuse your VPN clients if they have a v4 VPN address but only a v6
> internet address.

TH: Indeed, but the more you push on it the better it will become
(hopefully). VPN clients/concentrators in the FOSS world are already a
minefield of incompatibilities and other such problems.

> > How does the pfSense developer attitude towards filtering the entire
> > Internet, IPv6 included, currently stand?
> 
> I do not quite understand your question. If you are referring to a
> default deny policy on incoming traffic, then yes.
> 
> The default rule is to deny incoming traffic over IPv6 as it did over
> IPv4. You will need to create rules to allow it through. Default LAN
> rule is allow both IPv4 and IPv6 out. Of course you can alter the
> firewall rules as you see fit.
> 
> If I misunderstood your question then please verify.

TH: In the past, the pfSense developer's attitude to IPv6 support has
been pretty poor. I have mentioned above that customers have been asking
for such support for years (i.e. since m0n0wall had it) and the response
has been 'it's not important yet', which really wasn't true.

But, despite that, it sounds like it's finally getting better. And that
can only be good news.

Tom
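The dual-stack default policy Seth describes (deny inbound on both families, allow LAN out on both, open IPv6 only by explicit rule) written out as a plain pf.conf ruleset. This is an added illustration, not code from the thread or from the pfSense project; interface names and prefixes are assumed placeholders, and the ICMPv6 rules are the caveat a default-deny IPv6 edge needs that the thread does not spell out.

```pf
# Added illustration of the dual-stack default policy discussed above;
# not taken from pfSense. Interface names and prefixes are placeholders.
wan_if = "em0"
lan_if = "em1"
lan_v4 = "192.0.2.0/24"
lan_v6 = "2001:db8:1::/64"

set block-policy drop
set skip on lo0

# Default deny on inbound WAN traffic, stated explicitly for both families.
block in log on $wan_if inet
block in log on $wan_if inet6

# Default LAN rule: allow IPv4 and IPv6 out, with state so replies return.
pass in quick on $lan_if inet  from $lan_v4 to any keep state
pass in quick on $lan_if inet6 from $lan_v6 to any keep state
pass out quick on $wan_if keep state

# Caveat: a blanket inbound block breaks IPv6 on the WAN link itself.
# Neighbour discovery and router advertisements are ICMPv6 and must pass;
# "quick" makes these win over the non-quick block rules above.
pass in quick on $wan_if inet6 proto icmp6 \
    icmp6-type { neighbrsol, neighbradv, routeradv } keep state
# Packet-too-big is required for path MTU discovery to work at all.
pass in quick on $wan_if inet6 proto icmp6 icmp6-type { toobig, echoreq } keep state
# DHCPv6 server replies, only needed if the WAN address comes from DHCPv6.
pass in quick on $wan_if inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546

# Anything inbound not listed stays blocked. A published service gets its
# own explicit rule, e.g. an HTTPS server on the LAN (placeholder address):
# pass in on $wan_if inet6 proto tcp to 2001:db8:1::80 port 443 keep state
```

Review the ruleset with `pfctl -nf pf.conf` before loading it; the parse check catches a mistyped icmp6-type name, and the `log` keyword on the block rules gives you a pflog record of what the default deny is dropping.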
More information about the NANOG mailing list