Differences between revisions 3 and 4
Revision 3 as of 2006-02-09 14:57:16, size 9052, editor: mohacsi
Revision 4 as of 2006-11-22 17:15:18, size 9455, editor: mohacsi

IPv6 configuration of FreeBSD operating systems

How should I enable IPv6 in the kernel?

FreeBSD 4.0 and later (including FreeBSD 5.x) ship with IPv6 support in the GENERIC kernel. Your kernel configuration should contain the following line:

 options         INET6                   #IPv6 communications protocols

You do not need to do anything unless you have removed the line above from your kernel configuration.

You cannot load IPv6 support as a module.

How should I enable IPv6 on the system?

On FreeBSD the system configuration is stored in /etc/rc.conf. Put ipv6_enable="YES" in this file to enable IPv6 and stateless address autoconfiguration. (This applies to FreeBSD 4.x through 8.x; on FreeBSD 9.0 and later ipv6_enable no longer exists, and IPv6 is configured per interface with ifconfig_<if>_ipv6="inet6 ..." and the accept_rtadv flag instead.)

On FreeBSD you can also use /stand/sysinstall to enable IPv6 (screenshot: freebsd_sysinstall.gif).

However, this is recommended only for a single-interface (host-only) configuration. The sysinstall route also has side effects: it

  • waits for a Router Advertisement message,
  • waits for autoconfiguration to take place, and
  • puts the autoconfigured address into /etc/hosts.

How should I configure a specific IPv6 address on a certain interface?

Put ipv6_enable="YES" in /etc/rc.conf, then list the interfaces that should get IPv6 with ipv6_network_interfaces="if0 if1" (not needed if you want IPv6 on all interfaces: the default value, "auto", takes every interface).

Then, for each listed interface, either configure a prefix, e.g. ipv6_prefix_if0="fec0:0000:0000:000" (a prefix length of 64 is assumed and the interface identifier is appended), or give the full ifconfig parameters, e.g. ipv6_ifconfig_if0="fec0:0:0:5::1 prefixlen 64". Note that the fec0::/10 site-local addresses used in these examples were deprecated by RFC 3879; on a real network use your global prefix (or a unique local fc00::/7 prefix), and use 2001:db8::/32 in documentation.

It is worth setting the default interface (e.g. ipv6_default_interface="if0") if you want to use scoped addresses (link-local or multicast) without an explicit scope identifier.

How should I configure an additional (alias) IPv6 address on a certain interface?

Configure the alias in /etc/rc.conf for the interface that should carry it, e.g. ipv6_ifconfig_if0_alias0="fec0:0:0:5::2/64". Further aliases use alias1, alias2, and so on; the numbering must be consecutive, because the rc scripts stop at the first missing number.

How can I activate the configuration changes in /etc/rc.conf?

Run /etc/netstart to activate the network-related changes made in /etc/rc.conf. This script is intended mainly to start networking in single-user mode, but it can also be used to apply configuration changes.

Since the network is already running, some errors may be printed (for example "File exists" for addresses and routes that are already configured); they are harmless. On FreeBSD 5.x and 6.x, /etc/rc.d/network_ipv6 restart reapplies just the IPv6 part of the configuration.

How can I change the address selection policy?

In FreeBSD 5.2 and later you can define the address selection policy described in RFC 3484 with the ip6addrctl command. The policy is a table of prefixes, each with a precedence and a label; the kernel uses it for source address selection and getaddrinfo(3) uses the same table to order destination addresses, with the longest matching prefix deciding which row applies.

  • Adding policy rule

 ip6addrctl add <prefix> <precedence> <label>
  • Showing policy rules:

 ip6addrctl show
  • Clearing policy rule table

 ip6addrctl flush

How can I prefer IPv4 connection even if I have IPv6 enabled?

You can use ip6addrctl to control your address selection policy. You can run the following script:

 #!/bin/sh
 # prefer ipv4: IPv4-mapped destinations (::ffff:0:0/96) get the highest
 # precedence, so getaddrinfo(3) returns IPv4 addresses before IPv6 ones
 ip6addrctl flush >/dev/null 2>&1
 ip6addrctl add ::ffff:0:0/96    50      0
 ip6addrctl add ::1/128          40      1
 ip6addrctl add ::/0             30      2
 ip6addrctl add 2002::/16        20      3
 ip6addrctl add ::/96            10      4
 ip6addrctl show

or by installing the following config file with ip6addrctl install <file> (the same column layout as /etc/ip6addrctl.conf and the output of ip6addrctl show):

 #Prefix                          Prec Label      Use
 ::1/128                            50     0        0
 ::/0                               40     1        8
 2002::/16                          30     2        0
 ::/96                              20     3        0
 ::ffff:0.0.0.0/96                 100     4        0

or on FreeBSD 6.0 or later you can run :

 /etc/rc.d/ip6addrctl prefer_ipv4

How can I prefer IPv6 connections again after installing IPv4-preferring address selection rules?

You can run the following script:

 #!/bin/sh
 # prefer ipv6: the RFC 3484 default table; native IPv6 (::/0) outranks
 # 6to4 (2002::/16), IPv4-compatible (::/96) and IPv4-mapped (::ffff:0:0/96)
 ip6addrctl flush >/dev/null 2>&1
 ip6addrctl add ::1/128          50      0
 ip6addrctl add ::/0             40      1
 ip6addrctl add 2002::/16        30      2
 ip6addrctl add ::/96            20      3
 ip6addrctl add ::ffff:0:0/96    10      4
 ip6addrctl show

or simply

 ip6addrctl flush

since with an empty policy table IPv6 is preferred by default. On FreeBSD 6.0 or later, /etc/rc.d/ip6addrctl prefer_ipv6 installs the same table as the script above.
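
The two tables above only differ in where ::ffff:0:0/96 sits, and which row a destination actually hits is decided by longest-prefix match. The following script is an added example, not code from the original page: it re-implements that lookup in userland, so you can ask "which precedence/label does this destination get?" for a given table. POLICY_TABLE is a constructed copy of the IPv4-preferring table (paste the output of ip6addrctl show there to check a real host); the destination addresses at the bottom are examples chosen here.

```shell
#!/bin/sh
# Userland re-implementation of the RFC 3484 policy-table lookup that the
# kernel (source selection) and getaddrinfo(3) (destination ordering) perform
# with the table ip6addrctl(8) installs: the longest matching prefix wins and
# its precedence and label are what the selection rules compare.
# Added example, not code from the original page; POLICY_TABLE is a
# constructed copy of the IPv4-preferring table, not read from a live system.

POLICY_TABLE='
#Prefix          Prec Label   Use
::1/128            50     0     0
::/0               40     1     0
2002::/16          30     2     0
::/96              20     3     0
::ffff:0:0/96     100     4     0
'

# hexgroups GROUPS: GROUPS is a colon-separated list of 16-bit hex groups
# (possibly empty); print "COUNT HEX" with every group zero-padded to 4 digits.
hexgroups() {
    n=0; out=
    for g in $(printf '%s' "$1" | tr ':' ' '); do
        case $g in *[!0-9a-fA-F]*|?????*) return 1 ;; esac
        out="$out$(printf '%04x' "0x$g")"
        n=$((n + 1))
    done
    printf '%s %s' "$n" "$out"
}

# expand6 ADDR: print ADDR as 32 hex digits without colons; fail on malformed
# input.  Handles "::" compression and the ::ffff:a.b.c.d dotted-quad form.
expand6() {
    a=$1
    case $a in
        *.*.*.*)                            # dotted quad in the low 32 bits
            q=${a##*:}; a=${a%:*}
            set -- $(printf '%s' "$q" | tr '.' ' ')
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case $o in ''|*[!0-9]*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done
            a=$(printf '%s:%02x%02x:%02x%02x' "$a" "$1" "$2" "$3" "$4")
            ;;
    esac
    case $a in
        *::*::*) return 1 ;;                # at most one "::"
        *::*) left=${a%%::*}; right=${a#*::}; comp=1 ;;
        *)    left=$a; right=; comp=0 ;;
    esac
    case $left in :*|*:) return 1 ;; esac   # no empty groups outside "::"
    case $right in :*|*:) return 1 ;; esac
    lh=$(hexgroups "$left") || return 1
    rh=$(hexgroups "$right") || return 1
    set -- $lh; ln=$1; lhex=${2:-}
    set -- $rh; rn=$1; rhex=${2:-}
    if [ "$comp" -eq 1 ]; then
        fill=$((8 - ln - rn))
        [ "$fill" -ge 1 ] || return 1       # "::" must stand for at least one group
    else
        fill=0
        [ $((ln + rn)) -eq 8 ] || return 1
    fi
    zeros=
    while [ "$fill" -gt 0 ]; do zeros="${zeros}0000"; fill=$((fill - 1)); done
    printf '%s' "$lhex$zeros$rhex"
}

# prefix_match ADDRHEX PREFIXHEX PLEN: succeed if the first PLEN bits agree.
prefix_match() {
    nib=$(($3 / 4)); rem=$(($3 % 4))
    if [ "$nib" -gt 0 ]; then
        [ "$(printf '%s' "$1" | cut -c1-$nib)" = "$(printf '%s' "$2" | cut -c1-$nib)" ] || return 1
    fi
    if [ "$rem" -gt 0 ]; then               # compare the high bits of one more nibble
        x=$(printf '%s' "$1" | cut -c$((nib + 1)))
        y=$(printf '%s' "$2" | cut -c$((nib + 1)))
        [ $((0x$x >> (4 - rem))) -eq $((0x$y >> (4 - rem))) ] || return 1
    fi
}

# policy_lookup ADDR: print "PREC LABEL PLEN" for the longest prefix in
# POLICY_TABLE (rows in `ip6addrctl show` format) covering ADDR; fail if ADDR
# is malformed or no row matches.
policy_lookup() {
    ah=$(expand6 "$1") || return 1
    best=-1; bprec=; blabel=
    while read -r pfx prec label rest; do
        case $pfx in ''|'#'*|Prefix) continue ;; esac   # blank, comment, header
        plen=${pfx##*/}
        case $plen in ''|*[!0-9]*) return 1 ;; esac
        ph=$(expand6 "${pfx%/*}") || return 1
        if prefix_match "$ah" "$ph" "$plen" && [ "$plen" -gt "$best" ]; then
            best=$plen; bprec=$prec; blabel=$label
        fi
    done <<EOF
$POLICY_TABLE
EOF
    [ "$best" -ge 0 ] || return 1
    printf '%s %s %s\n' "$bprec" "$blabel" "$best"
}

# Example destinations (chosen here): loopback, native IPv6, 6to4, IPv4-mapped.
for dst in ::1 2001:db8::1 2002:c000:201::1 ::ffff:192.0.2.1; do
    printf '%-20s -> prec label plen: %s\n' "$dst" "$(policy_lookup "$dst")"
done
```

With the IPv4-preferring table the IPv4-mapped destination ::ffff:192.0.2.1 hits the /96 row with precedence 100 and therefore sorts ahead of a native IPv6 destination (precedence 40); swap in the IPv6-preferring table and the same address drops to precedence 10. Labels matter for source selection: a source and destination with the same label are preferred, which is why 6to4 and IPv4-mapped addresses have labels of their own.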

How can I find more information about IPv6 configuration of FreeBSD?

You can find further information in the following files of an installed FreeBSD system (also available online):

  • /usr/share/doc/IPv6/IMPLEMENTATION (http://www.freebsd.org/cgi/cvsweb.cgi/src/share/doc/IPv6/IMPLEMENTATION)
  • /usr/share/examples/IPv6/USAGE (http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/IPv6/USAGE)

Connecting to IPv6 if you don't have native IPv6 connectivity

If you or your institution is a member of HUNGARNET, you can use the IPv6 service of NIIF/HUNGARNET. Otherwise you can connect via tunnels (e.g. through a tunnel broker), and complain to your ISP about not providing IPv6 service.

How can I configure a tunnel on FreeBSD?

You can configure an IPv6-in-IPv4 tunnel on FreeBSD using the gif0, gif1, ... interfaces. First create the gif interfaces, e.g. with cloned_interfaces="gif0 gif1 gif2 gif3" in /etc/rc.conf, and list them in gif_interfaces="gif0 ..." so that their tunnel settings are applied (gif_interfaces also creates the listed interfaces, so cloned_interfaces is optional for them). Second, configure the tunnel endpoints in /etc/rc.conf, e.g. gifconfig_gif0="10.1.1.1 10.1.1.2", where 10.1.1.1 is the IPv4 address of your side and 10.1.1.2 that of the remote side. Then you may configure an IPv6 address on the tunnel, e.g. ipv6_ifconfig_gif0="2001:db8:1:2::1 prefixlen 64"; this is not strictly necessary if you and your applications can rely on the link-local address. You should, however, configure static routes saying which networks are reachable through gif0, as in this example:

 ipv6_static_routes="net1"      # An example to set 2001:db8:0000:0006::/64
                                #  route toward gif0 interface.
 ipv6_route_net1="2001:db8:0000:0006:: -prefixlen 64 gif0"
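
The settings from the per-interface address questions above and from the tunnel description belong in the same /etc/rc.conf, so here they are as one fragment. This is an added example, not taken from the original page: the interface names (em0, gif0), the 2001:db8:: documentation prefixes, the router address and the tunnel endpoint addresses are assumptions to be replaced with your own. The syntax is that of rc.conf(5), i.e. sh variable assignments.

```shell
# /etc/rc.conf fragment (added example, not from the original page).
# Interface names, prefixes and endpoint addresses are assumed values.

# --- global switch (FreeBSD 4.x to 8.x; 9.0 and later use ifconfig_<if>_ipv6) ---
ipv6_enable="YES"
ipv6_network_interfaces="em0 gif0"      # "auto" (the default) would take every interface
ipv6_default_interface="em0"            # default scope for link-local/multicast destinations

# --- static address plus an alias on the LAN interface (no autoconfiguration) ---
ipv6_ifconfig_em0="2001:db8:0:5::1 prefixlen 64"
ipv6_ifconfig_em0_alias0="2001:db8:0:5::2 prefixlen 64"   # alias1, alias2, ... must be consecutive
ipv6_defaultrouter="2001:db8:0:5::fffe"   # assumed router address; omit if RAs supply the route

# --- IPv6-in-IPv4 tunnel: local endpoint 192.0.2.10, remote 198.51.100.1 (assumed) ---
cloned_interfaces="gif0"
gif_interfaces="gif0"                   # gifconfig_gif0 is applied only to interfaces listed here
gifconfig_gif0="192.0.2.10 198.51.100.1"
ipv6_ifconfig_gif0="2001:db8:1:2::1 prefixlen 64"

# --- networks reachable through the tunnel ---
ipv6_static_routes="net1 net2"
ipv6_route_net1="2001:db8:0:6:: -prefixlen 64 gif0"              # via the interface
ipv6_route_net2="2001:db8:0:7:: -prefixlen 64 2001:db8:1:2::2"   # via the peer's tunnel address
```

Apply it with /etc/netstart (or /etc/rc.d/network_ipv6 restart on 5.x/6.x) and check the result with ifconfig -a and netstat -rn -f inet6.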

How can I check if the tunnel is working correctly?

First try invoking the following command:

 ping6 -n ff02::1%gif0

If you see two replies per packet, one from your local node and another from the remote node, the tunnel is working fine. If there is an IPv4 reachability problem between the two tunnel endpoints (10.1.1.1 and 10.1.1.2 in the example above), you will see only one reply or no reply at all. Things to check if you are having trouble:

  • Make sure there is no NAT box between you and the peer. IPv6-in-IPv4 tunnel packets use IP protocol 41, which generally does not pass through NAT.
  • Make sure no IPv4 packet filter between you and the peer blocks protocol 41 to or from your local node.
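
The reply count from that multicast ping can be interpreted automatically. The script below is an added example, not code from the original page: responders extracts the set of distinct replying addresses from ping6(8) output, verdict maps their number to the diagnosis given above, and check_tunnel wires both to a real ping6 run. The two ping6 outputs embedded in it are constructed samples, not captured from a host.

```shell
#!/bin/sh
# Link-local multicast test for a gif tunnel with the reply count interpreted
# automatically.  Added example, not code from the original page; the sample
# ping6 outputs below are constructed, not captured.

# responders: read ping6 output on stdin, print each distinct replying address
# once.  FreeBSD ping6 prints replies as
#   16 bytes from fe80::2%gif0, icmp_seq=0 hlim=64 time=11.7 ms(DUP!)
# where "(DUP!)" marks the extra answers a multicast ping receives.
responders() {
    awk '/ bytes from / { a = $4; sub(/,$/, "", a); if (!(a in seen)) { seen[a] = 1; print a } }' \
        | LC_ALL=C sort
}

# verdict COUNT: map the number of distinct responders to a diagnosis.
#   2 = local node and peer answered, the tunnel is up
#   1 = only the local node answered: IPv4 path to the peer is the suspect
#       (reachability, NAT, or a filter dropping protocol 41)
#   0 = no reply at all: interface down or without a link-local address
verdict() {
    case ${1:-0} in
        0) echo "down: no reply at all, check that the interface is up and has a link-local address" ;;
        1) echo "one-way: only the local node answered, check IPv4 reachability, NAT and protocol-41 filtering" ;;
        *) echo "up: local node and remote node both answered" ;;
    esac
}

# count_responders: number of distinct responders in ping6 output on stdin
count_responders() {
    responders | awk 'END { print NR }'
}

# check_tunnel IFACE: run the test against ff02::1 on IFACE (needs a live host)
check_tunnel() {
    verdict "$(ping6 -n -c 2 "ff02::1%$1" 2>/dev/null | count_responders)"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_UP='PING6(56=40+8+8 bytes) fe80::1%gif0 --> ff02::1%gif0
16 bytes from fe80::1%gif0, icmp_seq=0 hlim=64 time=0.118 ms
16 bytes from fe80::2%gif0, icmp_seq=0 hlim=64 time=11.7 ms(DUP!)
16 bytes from fe80::1%gif0, icmp_seq=1 hlim=64 time=0.094 ms
16 bytes from fe80::2%gif0, icmp_seq=1 hlim=64 time=12.0 ms(DUP!)

--- ff02::1%gif0 ping6 statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet loss'

SAMPLE_ONEWAY='PING6(56=40+8+8 bytes) fe80::1%gif0 --> ff02::1%gif0
16 bytes from fe80::1%gif0, icmp_seq=0 hlim=64 time=0.118 ms
16 bytes from fe80::1%gif0, icmp_seq=1 hlim=64 time=0.101 ms

--- ff02::1%gif0 ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss'

# sample_verdict up|oneway: run the parser over one of the samples
sample_verdict() {
    case $1 in up) s=$SAMPLE_UP ;; *) s=$SAMPLE_ONEWAY ;; esac
    verdict "$(printf '%s\n' "$s" | count_responders)"
}

sample_verdict up
sample_verdict oneway
```

On a live system run check_tunnel gif0; if it reports "one-way", tcpdump on the IPv4 interface for "ip proto 41" shows whether the encapsulated packets leave your host and whether anything comes back from the peer.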

How can I configure a 6to4 tunnel on FreeBSD?

You can configure a 6to4 tunnel on FreeBSD using the stf0 interface. First, you need to configure the 6to4 tunnel interface on your node. If you pick the IPv4 address x.y.z.u of one of your interfaces as the 6to4 address, your site gets the prefix 2002:XXYY:ZZUU::/48, where XXYY:ZZUU is x.y.z.u written in hexadecimal; any of its /64 subnets, 2002:XXYY:ZZUU:0000-FFFF::/64, can be used on the tunnel.

To configure this, set stf_interface_ipv4addr="x.y.z.u" in /etc/rc.conf. You should also set stf_interface_ipv4plen, the IPv4 prefix length that limits which 6to4 peers are reached directly through the stf interface; setting it to 32 is recommended here (see rc.conf(5) and stf(4) for what the value controls).

With the publication of RFC 3068, everyone using 6to4 should set their default router to 2002:c058:6301:: (in /etc/rc.conf: ipv6_defaultrouter="2002:c058:6301::"), the anycast address of the nearest (in BGP terms, anyhow) relay router. Note that RFC 7526 (2015) has since deprecated this anycast prefix, so 6to4 via the anycast relay should no longer be relied on for production connectivity.

There is also a [http://www.kfu.com/~nsayer/6to4/ list] of public 6to4 relay routers you can choose from. Picking a relay manually from that list is no longer recommended now that the anycast address exists.

Note that the ff02::1 test cannot be used on the stf0 interface, because that interface is not capable of IPv6 multicast. stf is not part of the GENERIC kernel (for security reasons; see the [http://www.freebsd.org/cgi/man.cgi?query=stf stf(4)] manpage), so you either load the if_stf kernel module or add "device stf" to your kernel configuration and recompile.

You can also use [http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/hf6to4/ net/hf6to4 port] to setup 6to4 tunnel.

How can I force a Router Solicitation message to be sent out on a certain interface?

Run rtsol if0 to send a Router Solicitation on interface if0. If a router on that link is configured to send Router Advertisements, you should receive one in reply.

How can I diagnose/control the IPv6 neighbor discovery protocol?

You can control and diagnose neighbor discovery with the [http://www.freebsd.org/cgi/man.cgi?query=ndp&sektion=8 ndp] command.

  • To see the neighbor cache (IPv6 address to MAC address mapping), use ndp -a.

  • To see the default interface, use ndp -I.

  • To see the default router list, use ndp -r.

  • To see the per-interface parameters learned from Router Advertisements, use ndp -i if0.
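
Beyond looking at ndp -a by hand, the neighbor cache is worth comparing against a known-good snapshot: a link-layer address that changes behind an existing neighbor (the router's link-local address in particular) may be a legitimate NIC swap, but it is also exactly what a spoofed Neighbor Advertisement leaves behind. The script below is an added example, not code from the original page; it diffs two ndp -a snapshots, and the two snapshots embedded in it are constructed, not captured from a host.

```shell
#!/bin/sh
# Compare two `ndp -a` snapshots and report neighbors whose link-layer address
# changed, appeared or disappeared.  Added example, not code from the original
# page; the snapshots below are constructed, not captured.

# ndp_diff BASELINE CURRENT: both files hold `ndp -a` output; print one line
# per difference, sorted for stable comparison.  Column 1 is the neighbor
# address (link-local ones carry a %ifname scope), column 2 its link-layer
# address or "(incomplete)".
ndp_diff() {
    awk -v basefile="$1" '
        /^Neighbor/ || NF < 2 { next }               # header and blank lines
        FILENAME == basefile { base[$1] = $2; next }
        { cur[$1] = $2 }
        END {
            for (a in cur) {
                if (!(a in base))           printf "NEW %s %s\n", a, cur[a]
                else if (base[a] != cur[a]) printf "CHANGED %s %s -> %s\n", a, base[a], cur[a]
            }
            for (a in base) if (!(a in cur)) printf "GONE %s %s\n", a, base[a]
        }' "$1" "$2" | LC_ALL=C sort
}

# Constructed snapshots: the router fe80::1 / 2001:db8:1::1 answers from a
# different MAC in the second one, one host left and one appeared.
SNAPSHOT_BASE='Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::20c:29ff:fe4b:1f8e%em0        00:0c:29:4b:1f:8e     em0 permanent R
fe80::1%em0                         00:50:56:c0:00:08     em0 23h58m02s S R
2001:db8:1::1                       00:50:56:c0:00:08     em0 23h58m02s S R
2001:db8:1::50                      00:0c:29:aa:bb:cc     em0 12m31s    S'

SNAPSHOT_NOW='Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::20c:29ff:fe4b:1f8e%em0        00:0c:29:4b:1f:8e     em0 permanent R
fe80::1%em0                         00:11:22:33:44:55     em0 29s       R R
2001:db8:1::1                       00:11:22:33:44:55     em0 29s       R R
2001:db8:1::77                      00:0c:29:aa:bb:cc     em0 3m02s     S'

# sample_diff: run ndp_diff over the two constructed snapshots
sample_diff() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    printf '%s\n' "$SNAPSHOT_BASE" > "$b"
    printf '%s\n' "$SNAPSHOT_NOW" > "$c"
    ndp_diff "$b" "$c"
    rm -f "$b" "$c"
}

sample_diff
```

On a live host take the baseline once with ndp -a > /var/db/ndp.baseline and later run ndp -a > /tmp/ndp.now && ndp_diff /var/db/ndp.baseline /tmp/ndp.now from cron; CHANGED lines for the default router (compare with ndp -r) deserve a look before anything else.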

How can I secure IPv6 on FreeBSD ?

How can I use pf packet filter on FreeBSD ?

  • Have a look at BSD pf section of page [:IPv6firewallsandSecurity#BSD_pf:IPv6 Firewalls and Security] . You will find there a tutorial about IPv6 usage of *BSD pf and some configuration examples.

How can I use ip6fw packet filter on FreeBSD ?

How can I secure a certain application on FreeBSD ?

Campus6: IPv6hostsfreebsd (last edited 2009-02-17 16:57:10 by mohacsi)