Nico Pagliaro wrote:
>But reading this, I need to configure a IPv6 in my firewall.
>is this necessary if the only thing I want is to allow protocol 41 in and out?

If you are only enabling IPv6 on your PC then you don't need IPv6 on 
your firewall - at all. Just allow the right traffic (protocol 41?) 
through to your PC as already described.



However, if you want the "real" IPv6 experience, it's not hard to 
enable IPv6 on the firewall with an HE tunnel.
You haven't said what OS you have on your gateway/firewall - this is 
what I have for a Debian host running PPPoE, Shorewall, Shorewall6:

/etc/network/interfaces:
>auto eth0
>iface eth0 inet static
>   address 192.168.x.1
>   netmask 255.255.255.0
>
>iface eth0 inet6 static
>   address 2001:470:xxx9:xxxx::1
>   netmask 64
>
>auto he-ipv6
>iface he-ipv6 inet6 static
>   address 2001:470:xxx8:xxxx::2
>   netmask 64
>   gateway 2001:470:xxx8:xxxx::1
>   pre-up ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>   pre-up ip link set he-ipv6 up
>   post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
>   post-down ip link set he-ipv6 down
>   post-down ip tunnel del he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
>
>auto isp
>iface isp inet ppp
>provider isp

This is sufficient to configure your HE tunnel, and IPv6 internally 
using your routed subnet. Note the slight difference in IP address 
between that on the tunnel and that on eth0 - when you log into your 
HE account, you'll see the link address and /64 routed subnets listed 
against your connection.

Now for Shorewall6 config.
interfaces
>net     ppp0            detect          tcpflags,forward=1,optional,dhcp
>net     he-ipv6         detect          tcpflags,forward=1,optional
>loc     eth0            detect          tcpflags,forward=1
I think the ppp0 interface is redundant - I have it in because I'm 
also trialling my ISPs native IPv6.

zones
>fw     firewall
>net    ipv6
>loc    ipv6
Virtually identical to the IPv4 setup.

policy
>loc            net             ACCEPT
>net            all             REJECT
>all            all             REJECT
It's important to drop or reject all inbound traffic. Unlike IPv4, 
where most users have NAT which in itself provides a level of 
protection, with IPv6 you are fully routed, which can make all your 
local machines suddenly appear on the internet!

Set IP_FORWARDING=Yes in shorewall6.conf, and, something I overlooked 
and caused myself some consternation, set DISABLE_IPV6=No in 
/etc/shorewall/shorewall.conf!

And of course, set whatever rules you need. Here is an extract from 
my rules file:
># I run mail and DNS servers at home, allow that traffic in
>SMTP(ACCEPT)   net             loc:2001:470:xxx9:xxx::xxxx
>DNS(ACCEPT)    net             loc:2001:470:xxx9:xxx::xxxx
>ACCEPT         net             loc:2001:470:xxx9:xxx::xxxx     ipv6-icmp
>
>DNS(ACCEPT)    $FW             net
>
># Give me remote access to the firewall
>SSH(ACCEPT)    loc             $FW
>
>Ping(ACCEPT)   loc             $FW
>
>ACCEPT         $FW             loc             ipv6-icmp
>ACCEPT         $FW             net             ipv6-icmp
>ACCEPT         all             all             ipv6-icmp



Lastly, to allow your local machines to get public addresses, you 
will probably want to install radvd (Router Advertisement Daemon). 
Its config can be as simple as:
/etc/radvd.conf:
>interface eth0 {
>       AdvSendAdvert on;
>       AdvOtherConfigFlag off;
>       prefix ::/64
>       {
>               AdvOnLink on;
>               AdvAutonomous on;
>       };
>};

Between them, these settings should allow you to have native IPv6 
running on your LAN - and most IPv6 enabled devices should "just work".



And really finally (if you've read this far) ...
Good on you for giving IPv6 a go. It might seem terribly complicated 
(it did (and still does) to me), but it does start getting easier 
when you get the hang of it :-) Not all the tools are there yet, but 
things are getting better.

I have IPv6 via tunnels at home and work (both using the setup I've 
described above) and to be honest I just don't notice it any more.
-- 
Simon Hobson, HE IPv6 Sage

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
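The point Simon makes about the policy file (with IPv6 there is no NAT in front of the LAN, so the net->loc default has to be DROP or REJECT) is easy to get wrong by habit and easy to check mechanically. The following is an added example, not code from the post or from the Shorewall project: a small Python lint that parses a Shorewall6 policy file and a rules extract and reports (1) any zone reachable from net whose default is not DROP/REJECT, (2) policy lines that can never be the first match because an earlier line shadows them, and (3) the absence of any ACCEPT for ipv6-icmp, since blocking all ICMPv6 breaks neighbour discovery and path-MTU discovery. The config text inside is constructed: GOOD_POLICY mirrors the three policy lines from the post, BAD_POLICY and SHADOWED_POLICY are hypothetical counter-examples, and RULES mirrors the post's rules extract with the elided addresses replaced by 2001:db8::/32 documentation addresses. Zone names fw/net/loc follow the post's zones file.

```python
"""Lint a Shorewall6 policy file and rules extract for the IPv6 mistakes the post
warns about.

Added example, not code from the original mailing-list post or from the Shorewall
project. All config text below is constructed: GOOD_POLICY mirrors the post's
three policy lines, BAD_POLICY is a hypothetical inbound-ACCEPT default,
SHADOWED_POLICY has an unreachable line, and RULES mirrors the post's rules
extract with the elided addresses replaced by documentation-prefix addresses.
"""

# Constructed: the post's policy, with the column header Shorewall files carry.
GOOD_POLICY = """\
#SOURCE   DEST   POLICY
loc       net    ACCEPT
net       all    REJECT
all       all    REJECT
"""

# Constructed counter-example: an IPv4/NAT habit carried over to IPv6.
BAD_POLICY = """\
loc       net    ACCEPT
net       all    ACCEPT
all       all    REJECT
"""

# Constructed: the second line is dead, Shorewall applies the first matching line.
SHADOWED_POLICY = """\
all       all    REJECT
net       loc    DROP
"""

# Constructed: rules extract in the post's layout (ACTION SOURCE DEST [PROTO]).
RULES = """\
SMTP(ACCEPT)   net    loc:2001:db8:1::25
DNS(ACCEPT)    net    loc:2001:db8:1::53
ACCEPT         net    loc:2001:db8:1::25   ipv6-icmp
SSH(ACCEPT)    loc    $FW
ACCEPT         all    all                  ipv6-icmp
"""

ZONES = ("fw", "net", "loc")  # the post's zones file; $FW is the 'fw' zone


def parse_table(text):
    """Split a Shorewall-style table into columns; '#' comments and blank lines are dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def first_match(policy_rows, src, dst):
    """Index of the policy line governing src->dst: first match wins, 'all' is a wildcard."""
    for i, row in enumerate(policy_rows):
        if row[0] in (src, "all") and row[1] in (dst, "all"):
            return i
    return None


def lint(policy_text, rules_text, zones=ZONES):
    """Return a list of findings; an empty list means the config passes these checks."""
    policy = parse_table(policy_text)
    rules = parse_table(rules_text)
    findings = []

    # 1. Anything arriving from 'net' must default to DROP or REJECT. With IPv6 there is
    #    no NAT hiding the LAN, so a permissive default exposes every host directly.
    for dst in zones:
        if dst == "net":
            continue
        i = first_match(policy, "net", dst)
        if i is None:
            findings.append(f"no policy line covers net->{dst}")
        elif policy[i][2] not in ("DROP", "REJECT"):
            findings.append(f"net->{dst} defaults to {policy[i][2]}: LAN hosts are routed, not NATed")

    # 2. Unreachable policy lines: a line is dead if it is never the first match for any zone pair.
    used = {first_match(policy, s, d) for s in zones for d in zones}
    for i, row in enumerate(policy):
        if i not in used:
            findings.append(f"policy line {i + 1} ({' '.join(row)}) never matches; an earlier line shadows it")

    # 3. ICMPv6 is not optional on IPv6 (neighbour discovery, path-MTU discovery), so some
    #    ACCEPT for ipv6-icmp must exist, as the post's 'ACCEPT all all ipv6-icmp' provides.
    if not any(len(r) >= 4 and r[3] == "ipv6-icmp" and r[0].startswith("ACCEPT") for r in rules):
        findings.append("no ACCEPT rule for ipv6-icmp; blocking all ICMPv6 breaks IPv6 itself")

    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY), ("shadowed", SHADOWED_POLICY)):
        print(name, lint(text, RULES) or "OK")
```

Run it as-is to see the three verdicts; point lint() at the contents of your own /etc/shorewall6/policy and /etc/shorewall6/rules to check a real box. It deliberately reads only the first three columns of the policy file and the fourth (PROTO) column of the rules file, so extra columns such as log levels are ignored rather than misparsed.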