Hi all,
since this thread went pretty much off-topic by now, Erik kindly closed it.
For the sake of completeness, I just wanted to add some aspects of the circumstances of the IPFire development, so there are no misunderstandings left why we do what we do:
- As pointed out several times by various people, the IPFire project is chronically underfunded and has been so for a long time. In fact, our monthly donations barely pay for our infrastructure costs, and willingness to donate seems to diminish constantly.
Suspected and confirmed reasons for this as well as ideas about how to improve the situation go beyond this post and thread; we have tried several things within the past years - to my knowledge, without any sustainable success.
(For comparison only: We believe about two thirds of our installations are running in enterprises - some of them are certainly making a pile of money from IPFire or saving it by not buying a more expensive firewall “solution”. Besides some rare exceptions, donations come from home users of IPFire - none of the companies ever did so on a regular basis. This is part of the problem, and makes me personally angry.)
- Second, and this is the more important aspect, IPFire currently has less than 10 developers who are actively and constantly contributing to the project - this is my personal definition, other core developers’ opinion might differ. None of them works for it full time, which is why support, development and (infrastructure) maintenance have to be done in their spare time - which is, as we all know, limited.
Developing a firewall requires deep knowledge, and we simply cannot afford to pay anyone who is that skilled - in fact, if we would pay ourselves something like 5€ per hour (which is about half the minimum wage in Germany), the project would be insolvent immediately.
- Third, the IT security landscape is grim. From my personal point of view, it is much worse than I ever imagined it could be, and it is only going to get even worse.
Even if you manage not to get depressed by this development, it remains a huge task to keep up with the majority of the threats in the majority of the time - and building and shipping all updates is unfortunately not enough to keep things secure.
Without making things better (for us), additional layers of complexity have created additional threats, requiring even more time, skill and knowledge to deal with it. The others, on the other hand, do not go away, so the burden is constantly increasing. Sad, but that’s the (IT) world we live in and have to make do with.
IPv6, to get back to topic, is much, much more than IPv4 with longer addresses. Being designed at a time when the internet was a living room full of gentlemen, it comes with some (inherent) features that are completely risky, hard to audit, or undesirable for other reasons.
I usually recommend this paper to people who are interested in a secure IPv6 configuration. If you skim through it, you will get an idea what it takes to design and build a secure IPv6 firewall - this is not something done in a few weeks, especially since we cannot even disable some of the risky features such as Neighbor Discovery. Bummer but there you go.
Aside from that, it is not like IPFire is completely unusable when it comes to IPv6: Our public infrastructure is reachable via IPv6, and it’s protected by several IPFire machines. We just do not have a nice GUI for it… New projects such as libloc are of course developed with full IPv6 support - just execute something like location lookup 2001:638:d:c102::140 on your IPFire system.
This being said, I can assure you we will announce IPv6 support broadly, and you will certainly notice as soon as we have it. In the meantime, we look very much forward to your donations and (preferred)/or becoming engaged in development - in case you want to speed up this process, this would be the most sustainable way to do so.
I would have loved to post something more positive here. Unfortunately, there is nothing else to say.
Thanks, and best regards,
Peter Müller