Firewalls - Ease of Use and Maintenance?

Seth Mos seth.mos at dds.nl
Wed Nov 9 11:01:01 UTC 2011


On 9-11-2011 11:07, Tom Hill wrote:
> On Wed, 2011-11-09 at 09:13 +0100, Seth Mos wrote:
>> I am biased because I am a pfSense developer.
>>
>> pfSense is a free open source FreeBSD based firewall with the pf
>> packet filter. http://www.pfsense.org
> 
> I'm a very happy user of m0n0wall and I know pfSense is often seen as
> the more 'grown up' variant.
> 
> Still though, I hear bad things of the IPv6 support in pfSense. It's
> "available" but not stock-standard & supported.

That is correct, it is in the 2.1 branch. Our code has diverged a lot
from m0n0wall where it came from so porting it was not easy. Instead I
wrote the code from scratch.

I wrote the IPv6 code in pfSense 2.1 for the last year and I've been
using it in production for quite a while now. Since February this year
to be precise.

It is true that until 2.1 is released somewhere next year the latest
official release is pfSense 2.0.

The people running Commercial support do support 2.1 with IPv6 if you
need it though. There are already a number of customers running it in
production because they needed IPv6 support.

The biggest holdup is lack of commercial VPN client support for
dual-stack. Viscosity, TunnelBlick I am looking at you. We do ship a
working Windows OpenVPN dual stack client solution in the Client
exporter on 2.1.

Working dual stack for your VPN solution is kind of important if you
expect to be able to reach your corporate servers. Much grief/fun to be
had here. If the corporate LAN advertises quad A records then it will
confuse your VPN clients if they have a v4 VPN address but only a v6
internet address.

> How does the pfSense developer attitude towards filtering the entire
> Internet, IPv6 included, currently stand?

I do not quite understand your question. If you are referring to a
default deny policy on incoming traffic, then yes.

The default rule is to deny incoming traffic over IPv6 as it did over
IPv4. You will need to create rules to allow it through. Default LAN
rule is allow both IPv4 and IPv6 out. Of course you can alter the
firewall rules as you see fit.

If I misunderstood your question then please verify.

Kind regards,

Seth
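The default policy Seth describes (deny inbound on the WAN for both address families, allow the LAN out for both), written out as an added illustration in hand-written pf.conf syntax; this is not pfSense's generated ruleset, and the interface names (em0 WAN, em1 LAN) and LAN prefixes are assumed. It also adds the ICMPv6 neighbor/router discovery exception an IPv6 link needs to function under a default deny.

```pf
# Added illustration, not pfSense's own ruleset. Interface names and
# prefixes are assumptions; 2001:db8::/32 is the IPv6 documentation range.
ext_if = "em0"
int_if = "em1"
lan_v4 = "192.168.1.0/24"
lan_v6 = "2001:db8:1::/64"

set skip on lo0
set block-policy drop

# Default deny in both address families. IPv6 gets no special trust just
# because there is no NAT in front of it; anything inbound on the WAN
# needs an explicit pass rule, exactly as with IPv4.
block in log all
block out log all

# IPv6 does not work without ICMPv6 neighbor discovery and router
# advertisements on the link, so those must survive the default deny.
pass quick inet6 proto icmp6 all \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# LAN default rule: LAN hosts may go anywhere, IPv4 and IPv6 alike.
# Stateful tracking lets the replies back in without inbound WAN rules.
pass in quick on $int_if inet  from $lan_v4 to any keep state
pass in quick on $int_if inet6 from $lan_v6 to any keep state
pass out quick on $ext_if inet  keep state
pass out quick on $ext_if inet6 keep state
```

Check the loaded policy with `pfctl -sr` and watch what the default deny drops with `tcpdump -n -e -ttt -i pflog0`; a dual-stack client that can reach a host over v4 but not v6 usually shows up there as blocked inet6 traffic.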

More information about the NANOG mailing list