Date:      Sat, 01 Apr 2017 11:11:29 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        FreeBSD questions <freebsd-questions@FreeBSD.org>
Subject:   Have free IPv6 now, how to configure IPv6 & ipfilter firewall
Message-ID:  <58DFC321.3030703@gmail.com>

Hello List;

Yesterday 3/31/2017 6pm, Time Warner enabled IPv6 on the cable system 
that I am connected to. You ask how do I know that? I use ipfilter 
firewall with default "block". There has to be a rule to allow anything
in or out. The ipf.log started to fill up very quickly and rollover 
every 15 minutes. Inspection of the ipf.log showed this log record was 
the source of the flooding.

fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 routeradvert/0 IN multicast

Then I did an ifconfig command on the interface facing the public internet

  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  	options=2008<VLAN_MTU,WOL_MAGIC>
  	ether 00:10:b5:7b:1d:6f
  	inet 74.141.88.57 netmask 0xfffffc00 broadcast 255.255.255.255
  	inet6 fe80::210:b5ff:fe7b:1d6f%rl0 prefixlen 64 scopeid 0x1
  	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  	media: Ethernet autoselect (100baseTX <full-duplex>)
  	status: active

To my surprise I have an IPv6 address for the first time ever. I have
been a native IPv4 shop since FreeBSD 3.0. My rc.conf file has this
ifconfig_rl0="DHCP" statement.

My first thought was to stop the ipf.log file flooding by adding a rule
to block icmpv6. This rule complained about unknown protocol.
block in quick on rl0 proto icmpv6

My first question is how do I block the icmpv6 packet in ipfilter firewall?

My 2nd question; Does ipfilter firewall need some kind of configuration 
  change to make it IPv6 aware? If so what?

In my reading about IPv6, nowhere does it say that IPv4 & IPv6 CAN NOT
exist together, is that true?

The handbook has this:
  31.10.6. Router Advertisement and Host Auto Configuration

  This section will help you setup rtadvd(8) to advertise the IPv6 
default route.

  To enable rtadvd(8) you will need the following in your /etc/rc.conf:
  rtadvd_enable="YES"

  It is important that you specify the interface on which to do IPv6 
router solicitation.
  For example to tell rtadvd(8) to use fxp0:
  rtadvd_interfaces="fxp0"

  Now we must create the configuration file, /etc/rtadvd.conf. Here is 
an example:

  fxp0:\
  	:addrs#1:addr="2001:471:1f11:246::":prefixlen#64:tc=ether:

  Replace fxp0 with the interface you are going to be using.

  Next, replace 2001:471:1f11:246:: with the prefix of your allocation.

  If you are dedicated a /64 subnet you will not need to change anything 
else.
  Otherwise, you will need to change the prefixlen# to the correct value.

******** End of Handbook text  *************************************

Now since I have free native IPv6, I think I only need to add these two
statements to my rc.conf to achieve total IPv6 auto-configuration

rtadvd_enable="YES"
rtadvd_interfaces="rl0,xl0"

rl0 = interface facing the public internet
xl0 = interface facing the private lan

Am I doing this correctly?

About jails, I can create a jail that uses an IPv6 address. Is there a
way to auto-configure that jail's IPv6 address?

Thanks for your help.






