[TriLUG] IPv6 workshop
Igor Partola
igor at igorpartola.com
Tue Apr 19 19:56:31 EDT 2011
I am currently running Teredo (via miredo), since my router is too
underpowered to run in a dual-stack mode. Here are the rules I ended
up using:
# ip6tables -A INPUT -i lo -j ACCEPT
# ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
# ip6tables -A INPUT -p icmpv6 -j ACCEPT
# ip6tables -A INPUT -j DROP
I think this covers most cases, basically allowing IPv6 ping, ssh and
any established connections through, but dropping everything else.
Does anyone have any suggestions for anything else I should have for
an average home workstation?
Igor
On Tue, Apr 19, 2011 at 7:42 PM, Michael Hrivnak <mhrivnak at hrivnak.org> wrote:
> I second this. For those who really like the "island" idea of NAT as
> Greg puts it, use ULA and reasonable firewall rules. Your firewall
> rules probably boil down to something like this at the moment:
>
> NAT everything outbound
> block new connections inbound unless there is a specific exception
>
> With v6, you can eliminate the "NAT everything outbound" part and just
> keep the second part.
>
> Michael
>
> On Mon, Apr 18, 2011 at 11:54 PM, Jonathan Woodbury <jpwoodbu at mybox.org> wrote:
>>>> If you're looking for private addresses, take a look at the "Unique
>>>> Local Address" space in fc00::/7.
>>>> These addresses are for exactly what you're looking for... private
>>>> addresses that are NAT'ed behind a router.
>>>
>>> Already found the addresses. What I'm looking for is the cross-router
>>> NAT/masquerade piece so (v4 and v6) internal can speak v4 external. v6
>>> external is of zero interest now, but transitioning to (v4 or v6)-to-6
>>> public-to-private later by dual homing might be.
>>
>> That's a very difficult paragraph to comprehend. ;) Can you elaborate?
>>
>> You can achieve your goal of having persistent addressing for your
>> hosts using ULA (or IPv4 for that matter).
>> Those hosts can have v6 Internet access by giving them dynamically
>> configured global addresses as well as UL addresses. There's no need
>> to NAT. A simple firewall configuration can protect those devices
>> the same as any NAT-ing firewall could.
>>
>> What's the bad to this solution?
>> --
>> This message was sent to: Michael Hrivnak <mhrivnak at hrivnak.org>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/mhrivnak%40hrivnak.org
>> TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
>>
>
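To make the thread's point concrete (a stateful "block new inbound unless excepted" chain protects hosts the same way with or without NAT, and the same for ULA and global addresses), here is an added example that is not code from the original post or from anyone on the list. It models the five ip6tables rules Igor posted as first-match predicates and runs a handful of constructed sample packets through them. Interface names ("teredo", "eth0"), addresses (2001:db8::/32 is the documentation prefix, fd00::/8 is ULA) and conntrack states are constructed for illustration; ICMPv6 type numbers are the RFC 4443/4861 values.

```python
"""Toy first-match evaluator for the ip6tables INPUT chain quoted above.

Added example, not code from the original message. Each ip6tables line
becomes a predicate; packets are checked top to bottom and the first
matching rule decides, as netfilter does. All sample packets below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# ICMPv6 types IPv6 cannot function without; dropping them breaks
# neighbor discovery, router discovery and path-MTU discovery.
# Type numbers from RFC 4443 / RFC 4861.
ICMPV6_ESSENTIAL = {
    2: "packet-too-big",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
}


@dataclass
class Packet:
    iface: str                      # incoming interface: "lo", "teredo", "eth0"
    proto: str                      # "tcp", "udp" or "icmpv6"
    dst_addr: str                   # destination IPv6 address (string form)
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None # ICMPv6 type, if proto == "icmpv6"
    ctstate: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED


# (rule text, match predicate, verdict), in the order Igor posted them.
Rule = Tuple[str, Callable[[Packet], bool], str]
RULES: List[Rule] = [
    ("-i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT"),
    ("-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
     lambda p: p.ctstate in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-p tcp --dport 22 -j ACCEPT",
     lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),
    ("-p icmpv6 -j ACCEPT", lambda p: p.proto == "icmpv6", "ACCEPT"),
    ("-j DROP", lambda p: True, "DROP"),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, rule text) for the first rule that matches."""
    for text, match, verdict in rules:
        if match(pkt):
            return verdict, text
    return "ACCEPT", "chain policy"  # not reached: the final -j DROP matches all


def is_ula(addr: str) -> bool:
    """True if addr is in fc00::/7 (Unique Local Address space)."""
    first_hextet = int(addr.split(":")[0] or "0", 16)
    return 0xFC00 <= first_hextet <= 0xFDFF


# Constructed traffic a home workstation would see. Global address is from
# the documentation prefix; the ULA host is in fd00::/8.
SAMPLE: Dict[str, Packet] = {
    # reply to an HTTPS connection the workstation itself opened
    "reply-to-outbound": Packet("teredo", "tcp", "2001:db8::10", 443, ctstate="ESTABLISHED"),
    # unsolicited inbound connection to port 80 on the global address
    "unsolicited-http-global": Packet("teredo", "tcp", "2001:db8::10", 80),
    # the same probe against a ULA address: firewall outcome is identical
    "unsolicited-http-ula": Packet("eth0", "tcp", "fd00:1234::10", 80),
    # inbound ssh, explicitly excepted by rule 3
    "inbound-ssh": Packet("teredo", "tcp", "2001:db8::10", 22),
    # neighbor solicitation to a link-local address; must be allowed
    "neighbor-solicitation": Packet("eth0", "icmpv6", "fe80::1", icmp_type=135),
    # unsolicited UDP (e.g. a scan of 5353); falls through to DROP
    "unsolicited-udp": Packet("teredo", "udp", "2001:db8::10", 5353),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every sample packet; return name -> verdict."""
    verdicts = {}
    for name, pkt in SAMPLE.items():
        verdict, rule = evaluate(pkt)
        verdicts[name] = verdict
        scope = "ULA" if is_ula(pkt.dst_addr) else "non-ULA"
        print(f"{name:26s} {verdict:6s} ({scope}) via '{rule}'")
    return verdicts


if __name__ == "__main__":
    run_samples()
```

The two "unsolicited-http" packets get the same DROP whether the destination is a global or a ULA address, which is the observation behind Michael's "drop the NAT part, keep the firewall part." The ICMPv6 accept is kept deliberately: the rule evaluator shows a neighbor solicitation passing, and the ICMPV6_ESSENTIAL table lists the types that must keep passing if anyone later narrows that rule.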