Wow, thanks for your information!
My server is CentOS. I think the commands are different, aren't they?

On Tue, Mar 6, 2012 at 6:33 PM, Simon Hobson <li...@thehobsons.co.uk> wrote:

> Nico Pagliaro wrote:
> >But reading this, I need to configure a IPv6 in my firewall.
> >is this necessary if the only thing I want is to allow protocol 41 in and
> out?
>
> If you are only enabling IPv6 on your PC then you don't need IPv6 on
> your firewall - at all. Just allow the right traffic (protocol 41 ?)
> through to your PC as already described.
>
>
>
> However, if you want the "real" IPv6 experience, it's not hard to
> enable IPv6 on the firewall with an HE tunnel.
> You haven't said what OS you have on your gateway/firewall - this is
> what I have for a Debian host running PPPoE, Shorewall, Shorewall6 :
>
> /etc/network/interfaces :
> >auto eth0
> >iface eth0 inet static
> >   address 192.168.x.1
> >   netmask 255.255.255.0
> >
> >iface eth0 inet6 static
> >   address 2001:470:xxx9:xxxx::1
> >   netmask 64
> >
> >auto he-ipv6
> >iface he-ipv6 inet6 static
> >   address 2001:470:xxx8:xxxx::2
> >   netmask 64
> >   gateway 2001:470:xxx8:xxxx::1
> >   pre-up ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
> >   pre-up ip link set he-ipv6 up
> >   post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
> >   post-down ip link set he-ipv6 down
> >   post-down ip tunnel del he-ipv6 mode sit remote 216.66.80.26 local xxx.xxx.xxx.xxx ttl 255
> >
> >auto isp
> >iface isp inet ppp
> >provider isp
>
> This is sufficient to configure your HE tunnel, and IPv6 internally
> using your routed subnet. Note the slight difference in IP address
> between that on the tunnel and that on eth0 - when you log into your
> HE account, you'll see the link address and /64 routed subnets listed
> against your connection.
>
> Now for Shorewall6 config.
> interfaces
> >net     ppp0            detect          tcpflags,forward=1,optional,dhcp
> >net     he-ipv6         detect          tcpflags,forward=1,optional
> >loc     eth0            detect          tcpflags,forward=1
> I think the ppp0 interface is redundant - I have it in because I'm
> also trialling my ISPs native IPv6.
>
> zones
> >fw     firewall
> >net    ipv6
> >loc    ipv6
> Virtually identical to the IPv4 setup
>
> policy
> >loc            net             ACCEPT
> >net            all             REJECT
> >all            all             REJECT
> It's important to drop or reject all inbound traffic. Unlike IPv4,
> where most users have NAT which in itself provides a level of
> protection, with IPv6 you are fully routed, which can make all your
> local machines suddenly appear on the internet!
>
> Set IP_FORWARDING=Yes in shorewall6.conf, and something I overlooked
> and caused myself some consternation, set DISABLE_IPV6=No in
> /etc/shorewall/shorewall.conf!
>
> And of course, set whatever rules you need. Here is an extract from
> my rules file :
> ># I run mail and DNS servers at home, allow that traffic in
> >SMTP(ACCEPT)   net             loc:2001:470:xxx9:xxx::xxxx
> >DNS(ACCEPT)    net             loc:2001:470:xxx9:xxx::xxxx
> >ACCEPT         net             loc:2001:470:xxx9:xxx::xxxx     ipv6-icmp
> >
> >DNS(ACCEPT)    $FW             net
> >
> ># Give me remote access to the firewall
> >SSH(ACCEPT)    loc             $FW
> >
> >Ping(ACCEPT)   loc             $FW
> >
> >ACCEPT         $FW             loc             ipv6-icmp
> >ACCEPT         $FW             net             ipv6-icmp
> >ACCEPT         all             all             ipv6-icmp
>
>
>
> Lastly, to allow your local machines to get public addresses, you
> will probably want to install RAdvD (Router Advertisement Daemon).
> Its config can be as simple as:
> /etc/radvd.conf
> >interface eth0 {
> >       AdvSendAdvert on;
> >       AdvOtherConfigFlag off;
> >       prefix ::/64
> >       {
> >               AdvOnLink on;
> >               AdvAutonomous on;
> >       };
> >};
>
> Between them, these settings should allow you to have native IPv6
> running on your LAN - and most IPv6 enabled devices should "just work".
>
>
>
> And really finally (if you've read this far) ...
> Good on you for giving IPv6 a go. It might seem terribly complicated
> (it did (and still does) to me), but it does start getting easier
> when you get the hang of it :-) Not all the tools are there yet, but
> things are getting better.
>
> I have IPv6 via tunnels at home and work (both using the setup I've
> described above) and to be honest I just don't notice it any more.
> --
> Simon Hobson, HE IPv6 Sage
>
> Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
> author Gladys Hobson. Novels - poetry - short stories - ideal as
> Christmas stocking fillers. Some available as e-books.
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
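Added example, not part of Simon's post and not Shorewall's own code: a small Python audit of a shorewall6 policy/rules pair that checks the point made above about being fully routed. It assumes the column layouts shown in the post (policy: SOURCE DEST POLICY; rules: ACTION SOURCE DEST [PROTO]), the zone names loc, net and $FW, and first-match policy semantics. The sample files are constructed here, with the documentation prefix 2001:db8::/32 standing in for the xxx'd addresses in the post; the "weak" variant shows what the audit flags when net is allowed into loc, a service rule is not pinned to a host, and ICMPv6 is filtered entirely (which breaks neighbour discovery and path-MTU discovery on IPv6).

```python
"""Audit a shorewall6 policy/rules pair for the IPv6 'fully routed' pitfall.
Assumed layouts: policy = SOURCE DEST POLICY ...; rules = ACTION SOURCE DEST [PROTO ...].
Zone names assumed: 'loc' (LAN), 'net' (internet), '$FW' (the firewall itself)."""
import re

DENY_ACTIONS = {"DROP", "REJECT"}
ICMPV6_NAMES = {"ipv6-icmp", "icmpv6", "58"}

def _rows(text):
    """Column lists per line, minus comments, blank lines and ?-directives."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            rows.append(line.split())
    return rows

def zone_of(spec):
    """'loc:2001:db8::1' -> ('loc', True); '$FW' -> ('fw', False); 'net' -> ('net', False)."""
    zone, sep, _host = spec.partition(":")
    return ("fw" if zone == "$FW" else zone), bool(sep)

def parse_policy(text):
    out = []
    for cols in _rows(text):
        if len(cols) < 3:
            raise ValueError("malformed policy line: " + " ".join(cols))
        out.append((zone_of(cols[0])[0], zone_of(cols[1])[0], cols[2].upper()))
    return out

def parse_rules(text):
    out = []
    for cols in _rows(text):
        if len(cols) < 3:
            raise ValueError("malformed rule: " + " ".join(cols))
        m = re.fullmatch(r"(\w+)\((\w+)\)", cols[0])  # macro form such as SMTP(ACCEPT)
        action, macro = (m.group(2), m.group(1)) if m else (cols[0], None)
        src, _ = zone_of(cols[1])
        dst, pinned = zone_of(cols[2])
        proto = cols[3].lower() if len(cols) > 3 else None
        out.append({"action": action.upper(), "macro": macro, "src": src,
                    "dst": dst, "dst_pinned": pinned, "proto": proto})
    return out

def effective_policy(policies, src, dst):
    """Shorewall applies the first policy line whose SOURCE/DEST match ('all' is a wildcard)."""
    for psrc, pdst, action in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None  # no applicable policy; shorewall6 would refuse to compile this

def audit(policy_text, rules_text, lan="loc"):
    findings = []
    policies = parse_policy(policy_text)
    rules = parse_rules(rules_text)
    # (a) inbound from the internet must fall through to a deny, for the LAN and for the firewall
    for dst in (lan, "fw"):
        action = effective_policy(policies, "net", dst)
        if action not in DENY_ACTIONS:
            findings.append("policy: net -> %s falls through to %s, not DROP/REJECT" % (dst, action))
    # (b) an ACCEPT from net into a bare LAN zone exposes every host behind it; pin it to an address
    for r in rules:
        if r["action"] != "ACCEPT" or r["src"] not in ("net", "all"):
            continue
        if r["dst"] in (lan, "all") and not r["dst_pinned"] and r["proto"] not in ICMPV6_NAMES:
            what = ("macro " + r["macro"]) if r["macro"] else (r["proto"] or "any protocol")
            findings.append("rule: ACCEPT from net to whole zone %s (%s)" % (r["dst"], what))
    # (c) ICMPv6 must not be filtered wholesale: neighbour discovery and PMTUD depend on it
    for dst in (lan, "fw"):
        if not any(r["action"] == "ACCEPT" and r["proto"] in ICMPV6_NAMES and
                   r["src"] in ("net", "all") and r["dst"] in (dst, "all") for r in rules):
            findings.append("rule: no ACCEPT of ipv6-icmp from net to %s" % dst)
    return findings

# Constructed sample input; 2001:db8::/32 stands in for the post's xxx'd addresses.
POSTED_POLICY = """\
loc            net             ACCEPT
net            all             REJECT
all            all             REJECT
"""
POSTED_RULES = """\
# mail and DNS servers at home, pinned to one host
SMTP(ACCEPT)   net             loc:2001:db8:9::25
DNS(ACCEPT)    net             loc:2001:db8:9::25
ACCEPT         net             loc:2001:db8:9::25     ipv6-icmp
DNS(ACCEPT)    $FW             net
SSH(ACCEPT)    loc             $FW
ACCEPT         all             all             ipv6-icmp
"""
# Constructed weak variant: net allowed into loc, an unpinned service rule, and no ICMPv6 at all.
WEAK_POLICY = """\
loc   net   ACCEPT
net   loc   ACCEPT
all   all   REJECT
"""
WEAK_RULES = """\
SMTP(ACCEPT)   net   loc
DNS(ACCEPT)    $FW   net
"""

if __name__ == "__main__":
    for name, pol, rul in (("posted", POSTED_POLICY, POSTED_RULES), ("weak", WEAK_POLICY, WEAK_RULES)):
        print(name + ":", "; ".join(audit(pol, rul)) or "no findings")
```

Run it against your own /etc/shorewall6/policy and /etc/shorewall6/rules by reading the two files into audit(); the posted configuration produces no findings, the weak variant produces four. The check only covers the three mistakes named above, so a clean result is not a substitute for `shorewall6 check` and reading the generated rules.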