02-18-2010 12:31 PM
Hi all
We are preparing for a dual stack deployment of IPv4/IPv6 and are in the process of converting some IPv4 firewall filters into their IPv6 equivalent.
My question is how do I do something like:
    term T1 {
        match {
            source-address x/x;
            protocol tcp;
            port 22;
        }
        then {
            permit;
        }
    }
The protocol keyword doesn't seem to be available in the IPv6 filter? Yet as far as I am aware, TCP and UDP both run as normal on top of IPv6?
Ideas?
02-18-2010 01:55 PM - edited 02-18-2010 01:57 PM
This is because there isn't a protocol identifier in the IP part of IPv6, just a next-header pointer. Therefore the firewall filter operates by looking for the appropriate next-header:
    term ssh {
        from {
            source-prefix-list {
                inet6-mgmt-hosts;
            }
            next-header tcp;
            port ssh;
        }
        then accept;
    }
Hope that helps!
David
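The next-header pointer described in the reply above, as an added example that is not part of the original thread: a Python sketch that reads the Next Header byte of the fixed IPv6 header and then walks any extension headers to the upper-layer protocol, so the two values can be compared when reviewing a filter. The packets, addresses and function names are constructed for illustration.

```python
import struct

# Extension headers with a Next Header byte and a length in 8-octet units (RFC 8200).
EXT_HEADERS = (0, 43, 60)      # hop-by-hop, routing, destination options
FRAGMENT = 44                  # fragment header, always 8 bytes
TCP, UDP = 6, 17

def first_next_header(packet: bytes) -> int:
    """Next Header byte of the 40-byte fixed IPv6 header (offset 6)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return packet[6]

def upper_layer(packet: bytes):
    """Follow the header chain; return (protocol, offset of that header)."""
    nh, off = first_next_header(packet), 40
    while nh in EXT_HEADERS or nh == FRAGMENT:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT and struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
            return None, off   # later fragment: no upper-layer header here
        length = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        nh, off = packet[off], off + length
    return nh, off

def dest_port(packet: bytes):
    """Destination port if the upper layer is TCP or UDP, else None."""
    proto, off = upper_layer(packet)
    if proto not in (TCP, UDP) or off + 4 > len(packet):
        return None
    return struct.unpack("!H", packet[off + 2:off + 4])[0]

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet between two documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: a TCP SYN to port 22, alone and behind a destination-options header.
tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
plain = ipv6(TCP, tcp_hdr)
dstopt = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])    # next=TCP, length 8 bytes, PadN padding
with_ext = ipv6(60, dstopt + tcp_hdr)

if __name__ == "__main__":
    for name, pkt in (("plain", plain), ("with_ext", with_ext)):
        print(name, first_next_header(pkt), upper_layer(pkt), dest_port(pkt))
```

In the second sample the fixed header's Next Header value is 60 rather than 6, even though the packet carries TCP to port 22.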
02-19-2010 12:47 AM
Thank you very much.
That makes perfect sense.