On Mon, Jul 13, 2015 at 1:17 PM, Michael McConville
<mmcconvi...@mykolab.com> wrote:
> On Mon, Jul 13, 2015 at 03:12:50PM -0300, Giancarlo Razzolini wrote:
>> The client doesn't need inbound UDP ports to be open. The OpenBSD
>> firewall does, if you're using DHCPv6 to configure it. If using SLAAC,
>> only RS and RA icmp messages are needed. Since stateless configuration
>> is done using multicast (ff02) and link-local (fe80) addresses, no
>> need to worry. You can even make a rule allowing only your CPE
>> link-local, if you want.
>
> I stand corrected.
>
> I just disabled all of my IPv6-related pf exceptions and it still works.
> I must have inadvertently fixed something else when I added them.
>
>> You don't need DHCPv6. I use stateless both for my firewall getting
>> its IPv6 address from the CPE and for it advertising the prefix on
>> the internal network. Most modern systems can configure the dns using
>> stateless configuration. So only a subset of ICMPv6 messages need to
>> be allowed both on the router and clients.
>
> Also correct. I just checked, and Comcast home routers let you choose
> between stateless and stateful IPv6 config in their control panel.
>
> Sorry for the noise,
> Michael

I’d love it if someone would be open to spending the time to do a
“PHD” write up on getting OpenBSD base usable as a stateless IPv6
router/firewall with Comcast.  While I agree that write ups like these
should be unnecessary, and man pages should have all the relevant
information needed for someone to do this without hand holding, IPv6
is still “new,” has a lot of moving parts and still isn’t widely used.
For one, I didn’t know all of this could be done without DHCPv6 so I’m
very interested in doing this at home.

Thanks.
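
The Router Advertisement that the thread says stateless configuration depends on, decoded as an added example (not part of the original thread, and not OpenBSD code). It shows why a filter can limit RAs to link-local sources, how the M/O flags mark stateless versus stateful setup, and where DNS servers arrive without DHCPv6; `parse_ra`, `SAMPLE_RA` and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(src, hop_limit, icmp):
    """Validate and decode an ICMPv6 Router Advertisement (RFC 4861)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    # RFC 4861 6.1.2: a valid RA has a link-local source and hop limit 255,
    # which is why a filter can restrict RAs to fe80::/10 (or one CPE address).
    if hop_limit != 255 or not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA not from an on-link router")
    info = {"managed": bool(icmp[5] & 0x80),   # M flag: addresses via DHCPv6
            "other": bool(icmp[5] & 0x40),     # O flag: other config via DHCPv6
            "slaac_prefixes": [], "dns": []}
    off = 16                                   # options follow the fixed header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        opt = icmp[off:off + olen]
        if otype == 3 and olen == 32 and opt[3] & 0x40:   # Prefix Info, A flag set
            info["slaac_prefixes"].append(
                f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        elif otype == 25 and olen >= 24:                  # RDNSS (RFC 8106)
            for i in range(8, olen - 15, 16):             # whole 16-byte addresses
                info["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += olen
    return info

# Constructed sample RA: M=0, O=0, one autonomous /64 prefix, one DNS server.
SAMPLE_RA = (
    bytes([134, 0, 0, 0, 64, 0x00, 0x07, 0x08]) + bytes(8)
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1::").packed
    + bytes([25, 3, 0, 0]) + struct.pack("!I", 600)
    + ipaddress.IPv6Address("2001:db8::53").packed
)

if __name__ == "__main__":
    print(parse_ra("fe80::1", 255, SAMPLE_RA))
```

With both flags clear and an autonomous prefix present, a host needs no DHCPv6 exchange at all; an RA with the M flag set is the stateful case the Comcast control panel option refers to.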
