Re: ipv6 question

2009-06-02 Thread Wolfgang S. Rupprecht

Bill Davidsen david...@tmr.com writes:
 I have a related question. If I set up a tunnel to forward IPv6 thru
 IPv4, the existing setups seem to use part of my IPv4 address as part
 of the IPv6 address. Fair enough, but is there some way to get a
 permanent IPv6 allocation, such that if my primary ISP goes out for
 any reason, I can use my secondary instead? I'd like to set up some
 servers on VMs in my DMZ[1] for testing.

In order to avoid the mess created in IPv4 with lots of hard-to-route
direct assignments, IPv6 addresses are not handed out to end users.
They are only handed out to ISPs (in hunks of /32 if I recall
correctly), who in turn hand out /48's to end users.  That keeps the
routing table nice and small, but also means that if you are an end
user, you will have to play short-TTL DNS games if you want a fail-over
for a server.

-wolfgang
-- 
Wolfgang S. Rupprecht  Android 1.5 (Cupcake) and Fedora-11

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: ipv6 question

2009-06-02 Thread Bill Davidsen

Wolfgang S. Rupprecht wrote:

 Bill Davidsen david...@tmr.com writes:
  I have a related question. If I set up a tunnel to forward IPv6 thru
  IPv4, the existing setups seem to use part of my IPv4 address as part
  of the IPv6 address. Fair enough, but is there some way to get a
  permanent IPv6 allocation, such that if my primary ISP goes out for
  any reason, I can use my secondary instead? I'd like to set up some
  servers on VMs in my DMZ[1] for testing.

 In order to avoid the mess created in IPv4 with lots of hard-to-route
 direct assignments, IPv6 addresses are not handed out to end users.
 They are only handed out to ISPs (in hunks of /32 if I recall
 correctly), who in turn hand out /48's to end users.  That keeps the
 routing table nice and small, but also means that if you are an end
 user, you will have to play short-TTL DNS games if you want a fail-over
 for a server.

My ISP owns my static IPs now, more or less, so I don't need to control
them as much as be able to use them from multiple points. Thanks for the
info.


--
Bill Davidsen david...@tmr.com
  We have more to fear from the bungling of the incompetent than from
the machinations of the wicked.  - from Slashdot



Re: ipv6 question

2009-06-01 Thread Michael Casey
off:

So, could it be reality that the next-generation Linux distros' iptables
will default to not ACCEPT but rather to this:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

+ allow ICMP on INPUT because I heard/read that IPv6 relies more on ICMP


it could make a good standard firewall (?FIXME) - if anyone puts up any
server service, then he must know that he must change the INPUT XYZ

sorry for just stating these kind of things :D just thinking..

I have only seen a few distros, but their policy was default ACCEPT everywhere :O

/off

Re: ipv6 question

2009-06-01 Thread Wolfgang S. Rupprecht

Michael Casey michaelcase...@gmail.com writes:
 So, could it be reality that the next-generation Linux distros' iptables
 will default to not ACCEPT but rather to this:
 
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 iptables -P FORWARD DROP
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 + allow ICMP on INPUT because I heard/read that IPv6 relies more on ICMP
 

 it could make a good standard firewall (?FIXME) - if anyone puts up any
 server service, then he must know that he must change the INPUT XYZ

This is what f11 does:

/etc/sysconfig/ip6tables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

It looks good to me, including the newer wording in
system-config-firewall around icmp and ipv6-icmp which discourages
clueless admins from blocking icmp's and gumming up the works.

-wolfgang
-- 
Wolfgang S. Rupprecht  Android 1.5 (Cupcake) and Fedora-11
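Added example (my own, not Fedora's or system-config-firewall's code): a small audit of a ruleset in the /etc/sysconfig/ip6tables format quoted above, checking the two things the thread cares about, that INPUT ends in a deny and that ICMPv6 is accepted before it, and listing the ports opened for new connections. It assumes the iptables-save rule syntax shown above and treats any -p/-s/-d/-i/-o/-m option as making a rule conditional.

```python
# Added example, not Fedora's or system-config-firewall's code: audit an
# ip6tables-save style INPUT chain for the pitfalls the thread raises.
import shlex

MATCH_OPTS = {"-p", "-s", "-d", "-i", "-o", "-m"}  # any of these makes a rule conditional

def parse_rules(text):
    """Return (chain policies, ordered -A rules as token lists)."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules

def target(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def audit(text):
    """Return (findings, ports accepted for NEW connections) for INPUT."""
    policies, rules = parse_rules(text)
    findings, ports, icmp_ok = [], [], False
    for r in (r for r in rules if r[1] == "INPUT"):
        if target(r) in ("DROP", "REJECT") and not MATCH_OPTS & set(r):
            break                                # unconditional deny ends the chain
        if target(r) != "ACCEPT":
            continue
        if "ipv6-icmp" in r or "icmpv6" in r:    # both spellings are accepted by ip6tables
            icmp_ok = True
        if "--dport" in r:
            ports.append(r[r.index("--dport") + 1])
    else:                                        # no final deny, so the policy decides
        if policies.get("INPUT", "ACCEPT") == "ACCEPT":
            findings.append("INPUT is default-ACCEPT with no final deny rule")
    if not icmp_ok:
        findings.append("ICMPv6 not accepted: Neighbor Discovery and PMTUD break")
    return findings, ports

# The INPUT part of the Fedora 11 default quoted above, embedded as sample input.
FEDORA11 = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
"""
```

Running audit(FEDORA11) reports no findings and only port 22 open; a ruleset that drops ipv6-icmp and never ends INPUT in a deny gets both findings.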



Re: ipv6 question

2009-06-01 Thread Bill Davidsen

Michael Fleming wrote:

 On Sun, 31 May 2009 23:38:52 +0200
 Michael Casey michaelcase...@gmail.com wrote:

  Hi

  I just want to ask one big question :)

  If I had an IPv6 address [home PC, behind a router
  supporting IPv6, e.g. OpenWrt; ISP gives IPv6], then I can see an
  IPv6 address with ifconfig on the PC, e.g. Z.
  So that's my very unique address - Z.

  Can that be seen on the internet, the Z address? So anyone can
  ping me from outside, or do an nmap?

 Yes, if the IPv6 address has a global prefix (2001:: 2002:: etc) -
 fe80:: etc are link local addresses and are site specific - they
 won't be available to the wider Internet.

I have a related question. If I set up a tunnel to forward IPv6 thru
IPv4, the existing setups seem to use part of my IPv4 address as part
of the IPv6 address. Fair enough, but is there some way to get a
permanent IPv6 allocation, such that if my primary ISP goes out for
any reason, I can use my secondary instead? I'd like to set up some
servers on VMs in my DMZ[1] for testing.

  Or are there private addresses that the router gives to my PC, e.g.
  with IPv4 a router could give 192.168.1.10... and that IP couldn't be
  pinged/nmapped from outside (more secure???)
  Because I heard that there will be no NAT with IPv6?

 There's no NAT in IPv6, at least in the traditional IPv4 way.

 If you're only getting fe80:: et al. addresses (the link-local
 addresses as above) you should be fine however.

  What will happen to e.g. a Windows XP PC using IPv6? The C$, D$
  shares will be visible to anyone if they know the password?
  Sorry for the trivial question... :S :) and thank you for any answer

 If the host isn't firewalled and has globally routed IPv6 allocations
 then yes they would be available (they'd need to know Administrator
 passwords for the admin shares above though)


[1] DMZ is setup like this:

Internet--(firewall)--[DMZ network, public servers]--(firewall)--pvt_net

--
Bill Davidsen david...@tmr.com
  We have more to fear from the bungling of the incompetent than from
the machinations of the wicked.  - from Slashdot



Re: ipv6 question

2009-05-31 Thread Michael Fleming
On Sun, 31 May 2009 23:38:52 +0200
Michael Casey michaelcase...@gmail.com wrote:

 Hi
 
 I just want to ask one big question :)
 
 If I had an IPv6 address [home PC, behind a router
 supporting IPv6, e.g. OpenWrt; ISP gives IPv6], then I can see an
 IPv6 address with ifconfig on the PC, e.g. Z.
 So that's my very unique address - Z.
 
 Can that be seen on the internet, the Z address? So anyone can
 ping me from outside, or do an nmap?

Yes, if the IPv6 address has a global prefix (2001:: 2002:: etc) -
fe80:: etc are link local addresses and are site specific - they
won't be available to the wider Internet.

 Or are there private addresses that the router gives to my PC, e.g.
 with IPv4 a router could give 192.168.1.10... and that IP couldn't be
 pinged/nmapped from outside (more secure???)
 Because I heard that there will be no NAT with IPv6?

There's no NAT in IPv6, at least in the traditional IPv4 way.

 If you're only getting fe80:: et. al addresses (the link-local
 addresses as above) you should be fine however.

 
 What will happen to e.g. a Windows XP PC using IPv6? The C$, D$
 shares will be visible to anyone if they know the password?
 Sorry for the trivial question... :S :) and thank you for any answer

If the host isn't firewalled and has globally routed IPv6 allocations
then yes they would be available (they'd need to know Administrator
passwords for the admin shares above though)

Michael.

-- 
Michael Fleming mflem...@thatfleminggent.com - (EMail/XMPP/Jabber)
WWW: http://www.thatfleminggent.com
Fedora / Red Hat Packages: http://www.thatfleminggent.com/rpm-packages
Twitter: http://twitter.com/thatfleminggent 



Re: ipv6 question

2009-05-31 Thread Wolfgang S. Rupprecht

Michael Casey michaelcase...@gmail.com writes:
 If I had an IPv6 address [home PC, behind a router supporting
 IPv6, e.g. OpenWrt; ISP gives IPv6], then I can see an IPv6 address with
 ifconfig on the PC, e.g. Z.
 So that's my very unique address - Z.

 Can that be seen on the internet, the Z address? So anyone can ping me
 from outside, or do an nmap?

If your firewall allows such mapping and you have a global ipv6 address
then yes, you can be pinged, nmap-ed etc.  Here is what a globally
mapped IPv6 would look like:

eth0  Link encap:Ethernet  HWaddr 00:0F:B0:C5:EB:99  
  inet addr:192.83.197.13  Bcast:192.83.197.127  Mask:255.255.255.128
  inet6 addr: 2001:5a8:4:7d0:20f:b0ff:fec5:eb99/64 Scope:Global
  inet6 addr: fe80::20f:b0ff:fec5:eb99/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:45262 errors:0 dropped:0 overruns:0 frame:0
  TX packets:40316 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:43622749 (41.6 MiB)  TX bytes:21376741 (20.3 MiB)
  Interrupt:22 Base address:0x2400 

In general, I think you'll want to make sure you run
system-config-firewall on all your machines and only allow a minimum of
services that you *really* trust on your IPv6 connected clients.  My
machines tend to only allow incoming ssh and nothing else unless the
data stream is opened from the client side.

 Or are there private addresses that the router gives to my PC, e.g. with
 IPv4 a router could give 192.168.1.10... and that IP couldn't be
 pinged/nmapped from outside (more secure???)
 Because I heard that there will be no NAT with IPv6?

NAT isn't needed if all you want is firewalling.  If you stick to
operating systems that supply usable built-in firewalls you'll be ok.

-wolfgang
-- 
Wolfgang S. Rupprecht  Android 1.5 (Cupcake) and Fedora-11
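Added example (mine, not from any poster) putting the thread's points about addresses into code: the Scope:Global address in the ifconfig output above is reachable from the Internet while the fe80:: one never leaves the link, the interface identifier 20f:b0ff:fec5:eb99 is the NIC's MAC 00:0F:B0:C5:EB:99 in modified EUI-64 form (so a host advertises its hardware address in every connection unless it uses randomized identifiers), and a 6to4 prefix is a function of the IPv4 address, which is the coupling Bill asks about. The 6to4 prefix derived below from 192.83.197.13 is computed here, not taken from the thread.

```python
# Added example, not from any poster: what the two addresses in the ifconfig
# output above reveal, plus the 6to4 coupling to the IPv4 address.
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # 2001::, 2002:: etc: routable
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")    # closest IPv6 analogue to 192.168/16

def scope(addr):
    """Reachability class of an address, in the thread's terms."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:             # fe80::/10 never leaves the local link
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:         # answers ping and nmap from anywhere, absent a firewall
        return "global"
    return "other"

def mac_from_eui64(addr):
    """Return the NIC's MAC if the interface identifier is modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":     # EUI-64 pads the 48-bit MAC with ff:fe in the middle
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                    # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b)

def sixtofour_prefix(ipv4):
    """6to4 derives the site's /48 from its IPv4 address, so it changes with the ISP."""
    packed = b"\x20\x02" + ipaddress.IPv4Address(ipv4).packed + bytes(10)
    return str(ipaddress.IPv6Network((packed, 48)))

def analyze(addr):
    """Everything an outsider can read off a single address."""
    a = ipaddress.IPv6Address(addr)
    return {"scope": scope(addr), "mac": mac_from_eui64(addr),
            "embedded_ipv4": str(a.sixtofour) if a.sixtofour else None}

# The two addresses from the ifconfig output quoted above, as sample input.
IFCONFIG_ADDRS = ["2001:5a8:4:7d0:20f:b0ff:fec5:eb99", "fe80::20f:b0ff:fec5:eb99"]

if __name__ == "__main__":
    for addr in IFCONFIG_ADDRS:
        print(addr, analyze(addr))
```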
