[Gllug] IPv6 and firewalls

Robert McKay robert at mckay.com
Wed Aug 12 00:19:55 UTC 2009


On Tue, Aug 11, 2009 at 11:08 PM, Joel Bernstein <joel at fysh.org> wrote:

>
> On 11 Aug 2009, at 10:45, Chris Bell wrote:
> >   IPv6 is an available option,
>
> Where? And for what?


6to4 (http://en.wikipedia.org/wiki/6to4) is available to anyone with a
static IPv4 address with just three commands;

First - calculate your 6to4 address by converting your IPv4 IP into hex:

Suppose your public IPv4 address were 192.168.0.1 (example):

perl -e 'use Socket; print unpack("H*", inet_aton(shift(@ARGV))), "\n";' 192.168.0.1
c0a80001

(you can also visit 6to4.nro.net and it'll tell you the 6to4 addr of your
current IP)

Then simply;

/sbin/ifconfig sit0 up
/sbin/ifconfig sit0 add 2002:c0a8:0001::1/16
/sbin/ip -6 route add 2000::/3 via ::192.88.99.1 dev sit0

That's it.. ping6'ing ipv6.google.com should now work. It's amazing how easy
it has become to join the v6 internet. No tunnel broker accounts to set up or
anything.

(a more in-depth tutorial on setting up 6to4 on Linux can be found here
http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html)

You can also request delegation of your ipv6 reverse dns by going to
http://6to4.nro.net/.

Since you've done that you might as well add a route to your lan:

ip addr add 2002:c0a8:0001::1/64 dev eth0

and start up radvd - now your network is IPv6 enabled and your Macs and
possibly Windows 7 machines will leap onto IPv6.

If you are stuck behind NAT, there's Teredo (
http://en.wikipedia.org/wiki/Teredo_tunneling). On Debian getting Teredo
IPv6 going is as simple as typing

apt-get install miredo

Once it's done installing you'll be online with miredo Teredo.

Teredo is also built into Windows Vista and Windows 7 so there'll probably
be a lot of people using it eventually.



>
>
> > and I have been looking at IPv6 firewalling
>
> Why? Do you have IP6 connected boxen? What do they do on IP6?
>
> I realise this is GLLUG, home of the cranks and hobbyist admin-
> pretenders, but seriously, *why*?


There's a few interesting things you can do - free binary usenet feeds!

http://www.kaisersblog.com/2009/01/free-binaries-usenet-servers-using-ipv6/

Teredo gives you the ability to run servers from behind a NAT which might be
nice.. ssh directly into machines behind a NAT and you can now fully
participate in a torrent from behind NAT (albeit limited to the torrent's
IPv6 participants).

Rob.
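
An added example, not part of the original message: the 6to4 address arithmetic from the post as shell functions with input validation, plus the reverse mapping (which goes beyond the post) for recovering the IPv4 address embedded in a 2002::/16 source when reading firewall logs. The function names are hypothetical, and the non-public address check assumes RFC 1918, loopback and link-local ranges only.

```shell
#!/bin/sh
# Added example, not from the original post: 6to4 address arithmetic with input checks.

# v4_to_6to4 A.B.C.D -> prints the 6to4 stem 2002:AABB:CCDD (fails on malformed input).
v4_to_6to4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # a leading zero would be read as octal
        [ "$o" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4"
}

# v4_is_public A.B.C.D -> succeeds only outside RFC 1918, loopback and link-local space.
# 6to4 needs a globally routable IPv4 address; behind NAT the post's alternative is Teredo.
v4_is_public() {
    v4_to_6to4 "$1" >/dev/null || return 1
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# sixtofour_to_v4 2002:AABB:CCDD:... -> prints the IPv4 address embedded in a 6to4
# address, e.g. to attribute a 2002::/16 source seen in a firewall log line.
sixtofour_to_v4() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$a" in 2002:*) ;; *) return 1 ;; esac
    h1=$(printf '%s' "$a" | cut -d: -f2)
    h2=$(printf '%s' "$a" | cut -d: -f3)
    [ -n "$h1" ] || return 1            # "2002::..." embeds 0.0.0.0, reject it
    [ -n "$h2" ] || h2=0                # "2002:AABB::..." means the CCDD group is zero
    case "$h1$h2" in *[!0-9a-f]*) return 1 ;; esac
    [ ${#h1} -le 4 ] && [ ${#h2} -le 4 ] || return 1
    h1=$((0x$h1)); h2=$((0x$h2))
    printf '%d.%d.%d.%d\n' $((h1 >> 8)) $((h1 & 255)) $((h2 >> 8)) $((h2 & 255))
}

# Constructed demo using the post's example address.
stem=$(v4_to_6to4 192.168.0.1) && echo "sit0 address: ${stem}::1/16"
v4_is_public 192.168.0.1 || echo "192.168.0.1 is not publicly routable: 6to4 will not work here"
```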