On Fri, Jan 20, 2012 at 6:07 AM, Tanstaafl <tansta...@libertytrek.org> wrote:
> On 2012-01-19 5:32 PM, Mick <michaelkintz...@gmail.com> wrote:
>>
>> On Thursday 19 Jan 2012 15:48:32 Michael Mol wrote:
>>>
>>> On Thu, Jan 19, 2012 at 10:37 AM, Tanstaafl<tansta...@libertytrek.org>
>>>  wrote:
>>>>
>>>> I have a reasonable grasp of how to use IP addresses etc with IPv4, but
>>>> every time I start reading about IPv6 I get a headache...
>>>>
>>>> Does anyone know of a decent tutorial written specifically to those who
>>>> have an ok (but not hugely in-depth) understanding of IPv4, and doesn't
>>>> get bogged down in too many technical details, but simply explains what
>>>> you need to know to be able to transition to it and use it effectively
>>>> *and securely* - and/or how *not* to have to expose your entire private
>>>> network to the world (what IPv4 NAT protects you from)?
>
>
>>> I've been doing IPv6 presentations at LUGs and tech cons, and I'm
>>> getting scheduled for a few IPv6 topics at Penguicon...but I'm pretty
>>> sure I'm also not the most knowledgeable on this list wrt IPv6,
>>> either. Still, what would you like to know? (I can use your questions
>>> as fodder and experience for future presentations. ^^)
>
>
>> Now that IPv6 is enabled by default on Linux, is one meant to duplicate all
>> the IPv4 iptable rules also for IPv6?  I'm using arno ip tables and from what
>> I saw in the config file it is either 4 or 6 that one can activate.  Perhaps
>> this has improved with later versions.
>
>
> That was the very first question (and headache) I got from looking at this.
>
>
>> The OP would probably have more questions, but if you ever pull together a
>> pack of slides I would much appreciate a link to look at them.
>
>
> I really wouldn't know where to start... that is why I was looking for a
> decent tutorial that covered the topic in total, so I could hopefully get to
> the point that I *could* ask some intelligent questions about it...
>
> One very general question I have is, how can you - or even *can* you - hide
> all of your internal devices from the outside world, similar to how the use
> of 'private' IP's behind a NAT'd firewall are hidden from the outside world
> (nor directly accessible). I definitely do *not* want all of my internal
> devices directly accessible from the internet.

Use a firewall on your router. My home firewall disallows incoming
connections, except to ports/hosts I designate.

If you want to prevent an external host from knowing your internal
hosts' IP addresses, you can use IPv6 privacy extensions. With these,
a machine has several temporary IP addresses and one permanent IP
address. It will prefer using its temporary IP addresses for outbound
connections.

If you want to go further, you can use DHCPv6 to prevent hosts from
autoconfiguring global-scope addresses.

-- 
:wq
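
The router firewall described in the reply above, sketched as an added example that is not part of the original thread: a small script that prints an ip6tables-restore ruleset dropping unsolicited inbound IPv6 traffic except to designated host,port pairs. IPv6 rules are loaded with ip6tables, separately from any IPv4 iptables rules. The interface names (eth0, br0), the 2001:db8:: documentation address and the script name are assumptions; a WAN side that obtains its prefix via DHCPv6 would additionally need UDP port 546 allowed on INPUT.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an ip6tables-restore ruleset for
# a router: nothing unsolicited is forwarded inward except listed host,port pairs.
# Usage (as root): sh v6fw.sh eth0 br0 2001:db8:1::10,443 | ip6tables-restore
# eth0/br0, v6fw.sh and the 2001:db8:: address are assumed, constructed values.

ipv6_router_rules() {
    wan=$1; lan=$2; shift 2
    # Validate every host,port pair before printing anything, so a typo
    # never yields a truncated ruleset.
    for spec in "$@"; do
        port=${spec##*,}
        case $port in
            ''|*[!0-9]*) echo "bad host,port spec: $spec" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
EOF
    # ICMPv6 the router itself needs: errors (1-4), echo request (128),
    # router/neighbour discovery (133-136). Neighbour discovery is
    # mandatory for IPv6 to work, so ICMPv6 cannot simply be dropped.
    for t in 1 2 3 4 128 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
EOF
    # Explicit inbound exceptions: the designated hosts and ports.
    for spec in "$@"; do
        echo "-A FORWARD -i $wan -o $lan -d ${spec%,*} -p tcp --dport ${spec##*,} -j ACCEPT"
    done
    echo COMMIT
}

if [ "$#" -ge 2 ]; then ipv6_router_rules "$@"; fi
```

With no host,port arguments the FORWARD chain admits only replies to connections opened from the LAN side, which is the reachability behaviour people usually attribute to IPv4 NAT.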
