$Id: index.html,v 1.1 2001/04/17 03:42:20 itojun Exp $
The configuration for Checkpoint Firewall-1 is provided by Mr. Tetsuhiro Nakane. Thanks!
    15:49:28.631199 203.178.136.188 > 210.160.95.99: 2010:836b:4179:2:260:8ff:febf:b622 > 3ffe:501:410:0:240:5ff:fea0:8e08: icmp6: echo request (encap)
                         4500 0064 f5bf 0000 1329 2b3f cbb2 88bc
                         d2a0 5f63 6000 0000 0028 3af6 2010 836b
                         4179 0002 0260 08ff febf b622 3ffe 0501
                         0410 0000 0240 05ff fea0 8e08 8000 a7d3
                         001e a9d7 6162 6364 6566 6768 696a 6b6c
                         6d6e 6f70 7172 7374 7576 7761 6263 6465
                         6667 6869

All you need to do is to let the packet go through the firewall gateway. The packet has an IPv4 protocol number field (ip->ip_p) of 41 (0x29), shown in red in the packet dump above (the `29` in the word `1329`). You may also want to restrict the IPv4 source address and destination address, to make sure that no malicious IPv6 tunnels can be established.
    A ==== FW-1 ==== B

    IPv6-over-IPv4 tunnel between A and B

To allow the IPv6-over-IPv4 tunnel to go through FW-1, please take the following steps:
    rule  Src   Dst   Service          Action
    ----------------------------------------------
    1     A,B   B,A   IPv6-over-IPv4   Accept
    2     A,B   B,A   Any              Reject
    rule  Src   Dst   Service          Action
    --------------------------------------
    1     A,B   B,A   Any              Accept
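As an added example (not from the KAME page or from Checkpoint), the following script parses the hex dump printed above, confirms that the outer IPv4 protocol field is 41, decodes the inner IPv6 addresses, and applies rules 1 and 2 of the first rulebase to it. It assumes that the dump's two IPv4 addresses are the tunnel endpoints A and B; the `fw1_rules` function and its verdict strings are this example's own.

```python
# Added example, not part of the KAME page: inspect an IPv6-over-IPv4 packet
# and evaluate it against rules 1/2 (accept protocol 41 between A and B,
# reject any other service between A and B).
import ipaddress

PROTO_IPV6_ENCAP = 41  # ip->ip_p value for IPv6-in-IPv4 encapsulation (0x29)

# First 60 bytes of the dump above: 20-byte IPv4 header + 40-byte IPv6 header.
DUMP = ("4500 0064 f5bf 0000 1329 2b3f cbb2 88bc d2a0 5f63 "
        "6000 0000 0028 3af6 2010 836b 4179 0002 0260 08ff febf b622 "
        "3ffe 0501 0410 0000 0240 05ff fea0 8e08")

# Assumption for this example: the dump's endpoints are the A and B of the rulebase.
A = "203.178.136.188"
B = "210.160.95.99"


def parse_packet(hexdump: str) -> dict:
    """Return the outer IPv4 fields and, for protocol 41, the inner IPv6 addresses."""
    b = bytes.fromhex(hexdump.replace(" ", ""))
    ihl = (b[0] & 0x0F) * 4                       # IPv4 header length in bytes
    info = {
        "ip_p": b[9],                             # protocol field is byte 9
        "src": str(ipaddress.IPv4Address(b[12:16])),
        "dst": str(ipaddress.IPv4Address(b[16:20])),
    }
    if info["ip_p"] == PROTO_IPV6_ENCAP and len(b) >= ihl + 40:
        inner = b[ihl:ihl + 40]                   # fixed-size IPv6 header
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return info


def fw1_rules(pkt: dict, a: str, b: str) -> str:
    """First-match evaluation of rules 1 and 2 from the rulebase above."""
    if {pkt["src"], pkt["dst"]} != {a, b}:
        return "no-match"   # neither rule applies; later rules would decide
    if pkt["ip_p"] == PROTO_IPV6_ENCAP:
        return "accept"     # rule 1: service IPv6-over-IPv4 between A and B
    return "reject"         # rule 2: any other service between A and B


if __name__ == "__main__":
    pkt = parse_packet(DUMP)
    print(pkt, fw1_rules(pkt, A, B))
```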
Also, the KAME kit includes a ports/pkgsrc directory for IPv6-ready fwtk, courtesy of Mr. Hajime Umemoto. If you would like to have a TCP relay, this is the answer. But if you deploy fwtk, you cannot enjoy direct IPv6 connections from your end node to the outside.
Please note that NAT provides no security at all, so there will be no IPv6-to-IPv6 NAT.