IPv6 development

I kindly want to ask about the current development status for IPv6 in IPFire.

IPv6 is almost feature-complete in IPFire 3. However IPFire 3 is not feature-complete.

So there will be no IPv6 for IPFire 2.x and a release date for IPFire 3 is unknown :frowning:

Any chance of an “Alpha preview” (say within a captive virtual machine so that things do not head production) and a proposed release timeframe?

IPv6 is very much like our Trekker-Picardian-Borg: “Your biological and technological distinctiveness will be added to our own. Resistance is futile.”

Any chance that there will be a sort of IPFire 3 “Lite” lacking some features?
And these features could be installed later with core updates?
I’m afraid you’re still putting a lot of effort into IPFire 2 but the lack of IPv6 could be some… not efficient effort.

IPFire 3 will probably drop many features. The reason for that is simply that many things are not necessary in 2020 any more.

Yes, but some basic features simply need to work.

Yes, I would like things to be very different indeed. But this is currently what we have to do.

We are basically developing two distributions (IPFire 2 and 3) which share very little code and work is carried out by a small and underfunded development team. I think you can all figure the rest :slight_smile: Please donate :slight_smile:


Only my small opinion…
IPFire 2 will not have that “big future” without IPv6. It’s necessary today, especially in countries where an increasing number of ISPs are providing IPv6 connections.
Also, increasing hosting services are providing IPv6, so if as a Project Technical Reference I have to choose a firewall for managing connections of a hosted server, I should consider only IPv6-capable projects/products.
If IPv6 is not portable to IPFire 2 (and I can understand why) and IPFire 3 does not have any Alpha/Beta/ETA, maybe I won’t consider interesting IPFire as a product which can suit project’s needs. And I won’t be interested in caring about that, appliances or donations or whatsoever. So taking too much care of the “today tree” (I think that there are a lot of IPFire 2 installations today) could affect the “tree of tomorrow” growth because there could be not enough space or feed for a prosperous development and adoption.

Maybe IPFire 3 is still too green to be published as a beta, but if the community can have a taste of the new fruit, maybe it can help you.
It won’t ease the hard work of project the software, create code, debug it (maybe the latter one a bit) but can help you to pinpoint problems, errors, or… simply highlight something that’s humanly wrong. As you said, the team is small. Sometimes track can be lost, even into small groups.

An independent repair lab owner of NY called Louis Rossmann published a video, “Stop waiting for perfection - get your patio door”, talking about getting things done, even if the solution is not the best for the problem. Maybe his experience does not suit this case but… consider to watch it, if you are getting bored of your favourite book.
I hope that donations will raise soon, consider to expand via social networks the visibility of your project.

If you are keen, here is the latest image: https://people.ipfire.org/~stevee/IPFire_3.x/VM-Images/20180209/x86_64/ipfire-3.x-x86_64-20180209.img.xz

In case you haven’t noticed, that is what all my development time was spent on in the last couple of months… Hence no progress for IPFire 3.


Would you be able to estimate how much money is needed in donations to push IPFire 3 forward?

Money needed:

  • to Alpha stage?
  • to Beta stage?
  • to stable?

I realize I’ve massively over-simplified things but hopefully knowing this would help donations.

For what it is worth - I really like the IPFire wishlist efforts. That gave donators an idea of the goal and the needed money (similar to a kickstarter campaign). For that matter we could start a kickstarter campaign!

A constant stream would be helpful that we can rely on to buy my time for example. That is very hard to estimate, but right now, our monthly recurring donations are in the range of $60.

About the kickstarter idea: We have tried it and it has failed massively. We never got the money that was roughly needed to implement something and on top of that we spent about 4x to promote the kickstarter which we didn’t even account for. I feel that many other things die the same death on there. Also we are asking for donations for something that will be available in some time, which people do not like to put money to.

So we have to focus on what we have right now and I am sure that IPFire 2 is a great firewall and worth the donations :slight_smile:


Is there an image that can be loaded to a flash drive to be installed to a working (not live) machine? I have tried the available images but none work for that purpose using the procedures for writing to USB that I used for the 2.x image. Thanks

Hello Michael,

Would you please give a brief outlook on IPv6 in any upcoming blog or announcement? Would be very happy to hear fresh news from this front.

Thank you in advance

Hi,

since Michael is currently on hiatus from the community (mailing list post), I take the liberty to reply on his behalf:

No forthcoming has been made within the past months on IPv6 and IPFire 3.x, since we are unfortunately kept busy by various other security things.

EDIT: Fixed accidentally wrong link above. (Thanks, @jon)

Thanks, and best regards,
Peter Müller

That reads everything not so beautiful. Hope this project survives and especially Michael can recover and does not take the way of some people too personally. Unfortunately, the society is always more brutalized.

I won’t defend who harassed Mr. Tremer. Maybe I can be considered “harassing” too, sometimes my words are not that “pleasant”, “compliant”, “kind”. I can relate with someone tells me “you’re not being as nice as I’d like”, I can try to improve when asked.

But… At December '20 the situation seems quite similar to December '18.

  • Still IP Fire 2
  • No IPv6 or MultiRED
  • No alpha/beta/ETA version of IP Fire 3
    With sugar on top
  • Different and sometimes solvable issues raising when a Core appears.

And lots of installations and sysadmin are fighting within DNSSEC. As for '19, '20, '21 won’t see IPFire in my top 5 of firewall solution. Sad to say, but without an extensive test and personal howto’s writings, not seems worth for starting a new site/customers: lacks of solutions, growing of problems. And I’m sad about that.

Sometimes, when this kind of considerations and thoughts are expressed, someone can react… in a harsh way. That leads to flames… and “word/sword/fencing”
FWIW I get pissed too much easily. Maybe Michael shares with me this “skill”. Or another one: in the nicest meaning possible, poor skill in managing communications.

I hope he gets well soon. And I hope to be wrong soon about my “top 5 list”.

Good evening all,
harassments are in any case useless since nothing will go faster or better, it simply produces the opposite. Won’t compare also not 2018 with 2020, may in some conditions but to leave out the rest would distort the whole picture, in fact a lot of stuff has been done from back then to today and sure, a lot can become more and even better but in that case the piano keys have to be used by everyone which is part of this community and want to see changes, am really happy about that since I have never had that feeling --> “they do this stuff and I am not happy with this but I have to use it” so why not participate? One thing you can do by yourself and share with the community makes not only you happy but a lot of others may too?!

Listings: From 1-5 is interesting, where can I find this list? If I look to the pay checks, there must be Cisco around somewhere :grinning: … Don’t understand me wrong, I need also to be harsh in a lot of situations (more than you may think :zipper_mouth_face: ) but the nice thing here is, it is simply freely so the pressure is a different one than in the regular capitalistic oriented work life <-- that’s my humble opinion about that --> on the other hand are trying all this awesome people here the best to deliver free software for everybody for 0 .

Conclusion: Check out what we (all) have done and what else can be done and do it :innocent: .

Just my two cents. All the best to you all,

Erik

P.S. and also OT: sorry community @pike_it thanks again for your translation, have pushed it --> https://patchwork.ipfire.org/patch/3712/ .


Hi all,

since this thread went pretty much off-topic by now, Erik kindly closed it.

For the sake of completeness, I just wanted to add some aspects of the circumstances of the IPFire development, so there are no misunderstandings left why we do what we do:

  • As pointed out several times by various people, the IPFire project is chronically underfunded and has been so for a long time. In fact, our monthly donations barely pay for our infrastructure costs, and willingness to donate seems to diminish constantly.
    Suspected and confirmed reasons for this as well as ideas about how to improve the situation go beyond this post and thread; we have tried several things within the past years - to my knowledge, without any sustainable success.
    (For comparison only: We believe about two thirds of our installations are running in enterprises - some of them are certainly making a pile of money from IPFire or save it by not buying a more expensive firewall “solution”. Besides some rare exceptions, donations come from home users of IPFire - none of the companies ever did so on a regular basis. This is part of the problem, and makes me personally angry.)

  • Second, and this is the more important aspect, IPFire currently has less than 10 developers who are actively and constantly contributing to the project - this is my personal definition, other core developers’ opinion might differ. :wink: None of them works for it full time, which is why support, development and (infrastructure) maintenance have to be done in their spare time - which is, as we all know, limited.
    Developing a firewall requires deep knowledge, and we simply cannot afford to pay anyone who is that skilled - in fact, if we would pay ourselves something like 5€ per hour (which is about half the minimum wage in Germany), the project would be insolvent immediately.

  • Third, the IT security landscape is grim. From my personal point of view, it is much worse than I ever imagined it could be, and it is only going to get even worse.
    Even if you manage not to get depressed by this development, it remains a huge task to keep up with the majority of the threats in the majority of the time - and building and shipping all updates is unfortunately not enough to keep things secure.
    Without making things better (for us), additional layers of complexity have created additional threats, requiring even more time, skill and knowledge to deal with it. The others, on the other hand, do not go away, so the burden is constantly increasing. Sad, but that’s the (IT) world we live in and have to make do with.

IPv6, to get back to topic, is much, much more than IPv4 with longer addresses. Being designed at a time where the internet was a living room full of gentlemen, it comes with some (inherent) features completely risky, hard to audit, or undesirable for other reasons.

I usually recommend this paper to people who are interested in a secure IPv6 configuration. If you skim through it, you will get an idea what it takes to design and build a secure IPv6 firewall - this is not something done in a few weeks, especially since we cannot even disable some of the risky features such as Neighbor Discovery. Bummer but there you go.

Aside from that, it is not like IPFire is completely unusable when it comes to IPv6: Our public infrastructure is reachable via IPv6, and it’s protected by several IPFire machines. We just do not have a nice GUI for it… New projects such as libloc are of course developed with full IPv6 support - just execute something like location lookup 2001:638:d:c102::140 on your IPFire system.

This being said, I can assure you we will announce IPv6 support broadly, and you will certainly notice as soon as we have it. In the meantime, we look very much forward to your donations and (preferred)/or becoming engaged in development - in case you want to speed up this process, this would be the most sustainable way to do so.

I would have loved to post something more positive here. Unfortunately, there is nothing else to say.

Thanks, and best regards,
Peter Müller
