From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Have free IPv6 now, how to configure IPv6 & ipfilter firewall
Date: Sat, 1 Apr 2017 18:06:00 +0100
In-Reply-To: <58DFC321.3030703@gmail.com>

On 01/04/2017 16:11, Ernie Luzar wrote:
> Hello List;
>
> Yesterday 3/31/2017 6pm, Time Warner enabled IPv6 on the cable system
> that I am connected to. You ask how do I know that? I use ipfilter
> firewall with default "block". There has to be a rule to allow anything
> in or out. The ipf.log started to fill up very quickly and rollover
> every 15 minutes. Inspection of the ipf.log showed this log record was
> the source of the flooding.
>
> fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast

IPv6 addresses beginning feXX or ffXX are special. In particular addresses beginning fe80 are "link local" addresses. These appear on any IPv6 enabled interface, and they are only useful for communicating with other devices on the same subnet -- similar in some ways to a MAC address (and indeed, the last 4 digit groups -- 201:5cff:fe9d:1846 -- are derived from the MAC address of the interface.)

The address beginning with ff02 is another special. This is a multicast 'All Nodes Address' -- which every IPv6 enabled machine should accept.
See RFC 4291 and https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml for the gory details.

All you're seeing here is a notification that fe80::201:5cff:fe9d:1846 is a router on your local network. It's completely harmless, and a vital part of the autoconfiguration process.

> Then I did a ifconfig command on the interface facing the public internet
>
> rl0: flags=8843 metric 0 mtu 1500
> options=2008
> ether 00:10:b5:7b:1d:6f
> inet 74.141.88.57 netmask 0xfffffc00 broadcast 255.255.255.255
> inet6 fe80::210:b5ff:fe7b:1d6f%rl0 prefixlen 64 scopeid 0x1
> nd6 options=21
> media: Ethernet autoselect (100baseTX )
> status: active
>
> To my surprise I have an IPv6 address for the first time ever. I have
> been a native IPv4 shop since FreeBSD 3.0. My rc.conf file has this
> ifconfig_rl0="DHCP" statement.

You've only got a link local address here, which is not useful for communicating with the IPv6 internet in general.

> My first thought was to stop the ipf.log file flooding by adding a rule
> to block icmpv6. This rule complained about unknown protocol.
> block in quick on rl0 proto icmpv6
>
> My first question is how do I block the icmpv6 packet in ipfilter firewall?
>
> My 2nd question; Does ipfilter firewall need some kind of configuration
> change to make it IPv6 aware? If so what?

IMHO -- this is wrong headed. IPv6 is available to you, so embrace the future and start using it.

> In my reading about IPv6, nowhere does it say that IPv4 & IPv6 CAN NOT
> exist together, is that true?

Sure, you can run dual stacked. In fact, that's how everyone does it at the moment since IPv6-only configurations still don't have anything like complete coverage of the Internet.

> The handbook has this:
> 31.10.6. Router Advertisement and Host Auto Configuration
>
> This section will help you setup rtadvd(8) to advertise the IPv6
> default route.
>
> To enable rtadvd(8) you will need the following in your /etc/rc.conf:
> rtadvd_enable="YES"
>
> It is important that you specify the interface on which to do IPv6
> router solicitation.
> For example to tell rtadvd(8) to use fxp0:
> rtadvd_interfaces="fxp0"
>
> Now we must create the configuration file, /etc/rtadvd.conf. Here is an
> example:
>
> fxp0:\
> :addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:
>
> Replace fxp0 with the interface you are going to be using.
>
> Next, replace 2001:471:1f11:246:: with the prefix of your allocation.
>
> If you are allocated a /64 subnet you will not need to change anything
> else.
> Otherwise, you will need to change the prefixlen# to the correct value.
>
> ******** End of Handbook text *************************************
>
> Now since I have free native IPv6, I think I only need to add these two
> statements to my rc.conf to achieve total IPv6 auto-configuration
>
> rtadvd_enable="YES"
> rtadvd_interfaces="rl0,xl0"
>
> rl0 = interface facing the public internet
> xl0 = interface facing the private lan
>
> Am I doing this correctly?

Hmmm.... not entirely, and "it depends." Running rtadvd on rl0 makes no sense -- you don't want to hand out addresses to your service provider upstream, but rather receive addresses from them. That's most easily done by adding:

ifconfig_rl0_ipv6="-no_radr accept_rtadv"

or the equivalent:

ipv6_cpe_wanif="rl0"

Obviously, you'll need to adjust your firewall rules to allow the necessary packets through.

Now, configuring IPv6 for your private lan depends on how your service provider has set things up. The big difference is that unlike IPv4, NAT is not necessary to conserve limited IP space resources. Every IPv6 enabled device gets its own directly routable address or, indeed, as many IPv6 addresses as it cares to use.
This means that either your service provider has to allocate a routable IPv6 network block to you, or your router will need to act as a bridge for IPv6 traffic, so your private LAN devices can talk to your provider's systems. You need to check with your provider about how they intend for people to configure IPv6 things.

Certainly if you get a network allocated to you, and possibly even if you don't, then yes, you should run rtadvd on the internal interface of your router:

rtadvd_enable="YES"
rtadvd_interfaces="xl0"

You may need to specify the IPv6 prefix for the interface, if your rtadvd doesn't get one automatically:

ipv6_prefix_xl0="2001:db8::"   # This is just an example. Substitute
                               # the network address from your provider.

That's generally all you need to do to get started: rtadvd has pretty good defaults and you can frequently run it successfully without needing to create a rtadvd.conf file.

If you don't get your own routed network, then one way rtadvd on your router could work is to relay the config it picks up from your provider to the hosts on your private LAN. I don't actually know if this works in practice, never having tried it, but I think it might based on what I'm reading in the manuals.

> About jails, I can create a jail that uses an IPv6 address. Is there a
> way to auto-configure that jail's IPv6 address?

Yeah -- this is a bit tricky. All of the autoconfig methods tend to be keyed on the interface MAC address, hence you only get one address per interface from them, which isn't helpful for adding aliases dedicated to jails.

However, if your service provider will route an IPv6 network for you, you would get at least a /64 network and you can assign any IPv6 addresses from within that block for use in your private LAN. This gives you about 2^62 possible addresses to use, which is way bigger than the entire IPv4 Internet...
Otherwise, if they are just handing out individual addresses, then you can pretty much pick an address at random from their range and be almost certain that no-one else is using it. I've a script here that will help doing that:

http://www.infracaninophile.co.uk/articles/hotchpotch/#rand-aaaa.pl

Cheers,

Matthew
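An added example, not code from the thread, from Matthew or from FreeBSD, that works through the two address facts in the reply above: that the low 64 bits of fe80::201:5cff:fe9d:1846 are a modified EUI-64 built from the router's MAC (and that rl0's own fe80::210:b5ff:fe7b:1d6f comes from its ether 00:10:b5:7b:1d:6f), and that ff02::1 is the link-scope all-nodes multicast group. It parses the one ipmon log excerpt quoted in the mail plus a second constructed line; the field layout of the regex is approximated from that excerpt, not from the full ipmon(8) format, and the second line and its ICMPv6 type string are invented for illustration.

```python
"""Decode the IPv6 addresses that appear in an ipfilter (ipmon) log excerpt.

Added example, not code from the thread or from FreeBSD. It shows why the
flood of routeradvert lines is expected: the source is a link-local
address whose interface identifier embeds the router's MAC, and the
destination is the all-nodes multicast group every IPv6 host listens on.
"""
import ipaddress
import re

# Constructed sample: the first line is the excerpt quoted in the mail, the
# second is made up to show an address that does NOT embed a MAC. The field
# layout is approximated from the excerpt, not the full ipmon(8) format.
SAMPLE_LOG = """\
fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast
2001:db8:0:1:1c1d:86a1:a200:b700 -> ff02::1:ff00:b700 PR icmpv6 neighborsolicit/0 OUT multicast
"""

LOG_RE = re.compile(
    r"^(?P<src>[0-9a-fA-F:]+) -> (?P<dst>[0-9a-fA-F:]+) PR (?P<proto>\S+) "
    r"(?P<info>\S+) (?P<direction>IN|OUT)"
)

ULA = ipaddress.ip_network("fc00::/7")            # RFC 4193 unique-local
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291 global unicast
MCAST_SCOPE = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build the SLAAC link-local address for a 48-bit MAC (RFC 4291 App. A).

    Modified EUI-64: split the MAC, insert ff:fe in the middle and flip the
    universal/local bit (0x02 of the first octet), then prepend fe80::/64.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def iid_to_mac(addr: str):
    """Recover the MAC from an EUI-64 derived interface identifier.

    Returns None when the low 64 bits do not carry the ff:fe marker, i.e.
    the address was assigned by DHCPv6, chosen by hand, or is a privacy
    (RFC 4941) address, so no hardware address can be read out of it.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def classify(addr: str) -> str:
    """Name the address class: multicast (with scope), link-local, ULA, global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        # Low nibble of the second octet is the multicast scope (RFC 4291 2.7).
        scope = MCAST_SCOPE.get(a.packed[1] & 0x0F, "reserved/unassigned")
        note = " (all-nodes)" if a == ipaddress.IPv6Address("ff02::1") else ""
        return f"multicast, {scope} scope{note}"
    if a.is_link_local:
        return "link-local"
    if a in ULA:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def summarize(line: str):
    """Parse one log line into src/dst/proto plus address class and MAC."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_kind"] = classify(rec["src"])
    rec["dst_kind"] = classify(rec["dst"])
    rec["src_mac"] = iid_to_mac(rec["src"])
    return rec


def summarize_log(text: str):
    """Summarize every parseable line of a log excerpt."""
    return [r for r in (summarize(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in summarize_log(SAMPLE_LOG):
        print(f"{rec['src']} [{rec['src_kind']}, mac={rec['src_mac']}] -> "
              f"{rec['dst']} [{rec['dst_kind']}] {rec['proto']} {rec['info']}")
```

Run on the quoted line, the summary reports the source as link-local with MAC 00:01:5c:9d:18:46 and the destination as link-scope all-nodes multicast, which is exactly a router advertisement from a neighbour on the cable segment. The constructed second line shows the caveat: a host using privacy or DHCPv6-assigned addresses yields no MAC, so the EUI-64 trick only identifies devices that still use the classic SLAAC identifier.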