From: Ernie Luzar
Date: Sat, 01 Apr 2017 11:11:29 -0400
To: FreeBSD questions
Subject: Have free IPv6 now, how to configure IPv6 & ipfilter firewall

Hello List;

Yesterday 3/31/2017 6pm, Time Warner enabled IPv6 on the cable system that I am connected to. You ask how do I know that?

I use ipfilter firewall with default "block". There has to be a rule to allow anything in or out. The ipf.log started to fill up very quickly and roll over every 15 minutes. Inspection of the ipf.log showed this log record was the source of the flooding.

    fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast

Then I did an ifconfig command on the interface facing the public internet:

    rl0: flags=8843 metric 0 mtu 1500
            options=2008
            ether 00:10:b5:7b:1d:6f
            inet 74.141.88.57 netmask 0xfffffc00 broadcast 255.255.255.255
            inet6 fe80::210:b5ff:fe7b:1d6f%rl0 prefixlen 64 scopeid 0x1
            nd6 options=21
            media: Ethernet autoselect (100baseTX )
            status: active

To my surprise I have an IPv6 address for the first time ever. I have been a native IPv4 shop since FreeBSD 3.0.

My rc.conf file has this statement:

    ifconfig_rl0="DHCP"

My first thought was to stop the ipf.log file flooding by adding a rule to block icmpv6. This rule complained about unknown protocol.

    block in quick on rl0 proto icmpv6

My first question is how do I block the icmpv6 packet in ipfilter firewall?

My 2nd question: Does ipfilter firewall need some kind of configuration change to make it IPv6 aware? If so, what?

In my reading about IPv6, nowhere does it say that IPv4 & IPv6 CAN NOT exist together, is that true?

The handbook has this:

31.10.6. Router Advertisement and Host Auto Configuration

This section will help you setup rtadvd(8) to advertise the IPv6 default route.

To enable rtadvd(8) you will need the following in your /etc/rc.conf:

    rtadvd_enable="YES"

It is important that you specify the interface on which to do IPv6 router solicitation. For example to tell rtadvd(8) to use fxp0:

    rtadvd_interfaces="fxp0"

Now we must create the configuration file, /etc/rtadvd.conf. Here is an example:

    fxp0:\
        :addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:

Replace fxp0 with the interface you are going to be using.

Next, replace 2001:471:1f11:246:: with the prefix of your allocation.

If you are dedicated a /64 subnet you will not need to change anything else. Otherwise, you will need to change the prefixlen# to the correct value.

******** End of Handbook text *************************************

Now since I have free native IPv6, I think I only need to add these two statements to my rc.conf to achieve total IPv6 auto-configuration:

    rtadvd_enable="YES"
    rtadvd_interfaces="rl0,xl0"

rl0 = interface facing the public internet
xl0 = interface facing the private lan

Am I doing this correctly?

About jails, I can create a jail that uses an IPv6 address. Is there a way to auto-configure that jail's IPv6 address?

Thanks for your help.
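
Added example, not part of the original message: a Python sketch that tallies ipmon records to show which flow is filling ipf.log, and recovers the sender's MAC address from its EUI-64 link-local address so the advertising device can be identified. The log lines are constructed; only the "SRC -> DST PR icmpv6 routeradvert/0 IN multicast" tail is from the post, and the timestamp, interface and rule fields in front of it are an assumed layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample. Only the "SRC -> DST PR icmpv6 ... routeradvert/0 IN
# multicast" tail comes from the post; the leading fields are assumed.
SAMPLE_LOG = """\
01/04/2017 08:10:01.100000 rl0 @0:1 b fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 64 icmpv6 routeradvert/0 IN multicast
01/04/2017 08:10:02.300000 rl0 @0:1 b 203.0.113.9,51234 -> 74.141.88.57,23 PR tcp len 20 40 -S IN
01/04/2017 08:10:04.100000 rl0 @0:1 b fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 64 icmpv6 routeradvert/0 IN multicast
01/04/2017 08:10:07.100000 rl0 @0:1 b fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 64 icmpv6 routeradvert/0 IN multicast
fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast
"""

RECORD = re.compile(
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+)"
    r"(?:.*?\s(?P<kind>[a-z0-9]+/\d+))?.*?\s(?P<dir>IN|OUT)\b")

def parse(line):
    """Return (src, dst, proto, icmp type/code or None, direction), or None."""
    m = RECORD.search(line)
    if m is None:
        return None
    strip_port = lambda a: a.rsplit(",", 1)[0]   # "addr,port" -> "addr"
    return (strip_port(m["src"]), strip_port(m["dst"]),
            m["proto"], m["kind"], m["dir"])

def flood_sources(log_text):
    """Count logged records per (src, dst, proto, type), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            counts[rec[:4]] += 1
    return counts.most_common()

def eui64_to_mac(addr):
    """Recover the MAC from an EUI-64 IPv6 address, or None if not EUI-64."""
    raw = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]  # drop %scope
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]  # flip universal/local bit
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    for key, n in flood_sources(SAMPLE_LOG):
        mac = eui64_to_mac(key[0]) if ":" in key[0] else None
        print(n, *key, "sender MAC:", mac or "-")
```

The MAC derivation can be checked against the post itself: fe80::210:b5ff:fe7b:1d6f%rl0 maps to 00:10:b5:7b:1d:6f, the ether address in the ifconfig output.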