[ale] Another IPv6? - How do I know if I'm on that network

Greg Freemyer greg.freemyer at gmail.com
Wed Feb 9 17:24:51 EST 2011


Thanks Mike

I do not have a global IPv6 address.  I'm happy about that.

===
# ip -6 addr ls
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
    inet6 fe80::216:76ff:fea5:a47f/64 scope link
       valid_lft forever preferred_lft forever
===

Damn, but IPv6 just scares me at this point.  Every time I have an
issue, I'm going to wonder if it's the IPv6 boogie man somehow getting
through.  At least with the above I can check my Linux machines and
verify they don't have global IPs.

(Yes, I know I have to go through at least some of the HE cert
training so I can get some confidence in what's going on with my
network.)

Greg

On Wed, Feb 9, 2011 at 3:55 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Wed, 2011-02-09 at 15:31 -0500, Greg Freemyer wrote:
>> All,
>>
>> I was just doing some testing on an old openSUSE 10.1 box.  I had the
>> firewall set up to block 443 incoming traffic from my external
>> interface.
>>
>> I did some test connections that failed as expected, but just to make
>> sure nothing was getting through.
>
>> I did a netstat -an | grep 443
>
>> To my shock I saw an active connection from Google  (*.1e100.net).
>
>> I have made no attempt to be on the IPv6 network here, but I'm having
>> trouble coming up with another explanation.
>
> You're going to have to post more information there.  Like the complete
> string with addresses, not just a snippet.  What you posted didn't even
> make sense to me.
>
> [mhw at amethyst ~]$ netstat -an | grep 443
> tcp  0  0 :::443   :::*    LISTEN
>
> Like that's just listening.  I would like to see the peer addresses and
> the connection state.
>
>> So how do I verify the outside world doesn't have some way to bypass
>> my firewall?
>
> First off, find out if you have any global unicast addresses configured.
>
> Example (using ip):
>
> [mhw at amethyst ~]$ ip -6 addr ls
> 98: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
>    inet6 ::1/128 scope host
>       valid_lft forever preferred_lft forever
> 94: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
>    inet6 fe80::204:8ff:fe00:151/64 scope link
>       valid_lft forever preferred_lft forever
> 96: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qlen 1000
>    inet6 2001:4830:3000:2:204:8ff:fe00:1151/64 scope global dynamic
>       valid_lft 2591953sec preferred_lft 604753sec
>    inet6 fe80::204:8ff:fe00:1151/64 scope link
>       valid_lft forever preferred_lft forever
>
> See that address saying "global dynamic".  That's what you are looking
> for.  No "global" (dynamic or otherwise) then no they can't.
>
> You can get that from ifconfig as well:
>
> [mhw at amethyst ~]$ ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:04:08:00:11:51
>          inet6 addr: 2001:4830:3000:2:204:8ff:fe00:1151/64 Scope:Global
>          inet6 addr: fe80::204:8ff:fe00:1151/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
>          RX packets:3729060 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:1738041 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:3295706892 (3.0 GiB)  TX bytes:599242483 (571.4 MiB)
>
> Again...  "Scope: Global" on an inet6 address is what you are looking
> for.
>
>> Thanks
>> Greg
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>

-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
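
The check Mike describes above (look for `global` scope on any `inet6` address), as an added example that is not part of the original thread. `find_global_v6` and the two sample functions are names made up here, and the sample input is the command output quoted in the messages.

```shell
#!/bin/sh
# Added example, not from the thread. find_global_v6 is a hypothetical helper name.
# Reads `ip -6 addr ls` output, or ifconfig output in the older
# "inet6 addr: ... Scope:Global" layout quoted in the thread, on stdin.
# Prints "<interface> <address>" per global-scope address; exit 0 if any, 1 if none.
find_global_v6() {
    awk '
        # ip header line: "96: eth1: <BROADCAST,...> mtu 1400 qlen 1000"
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface); next }
        # ifconfig header line: "eth1      Link encap:Ethernet ..."
        /^[^ ]/ { iface = $1; next }
        # ifconfig address line: "inet6 addr: ADDR/LEN Scope:Global"
        $1 == "inet6" && $2 == "addr:" {
            if ($4 == "Scope:Global") { print iface, $3; found = 1 }
            next
        }
        # ip address line: "inet6 ADDR/LEN scope global dynamic"
        $1 == "inet6" {
            for (i = 3; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "global") { print iface, $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Sample input: output quoted in the thread (Greg's host, then Mike's eth1).
sample_link_only() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
    inet6 fe80::216:76ff:fea5:a47f/64 scope link
       valid_lft forever preferred_lft forever
EOF
}
sample_with_global() {
    cat <<'EOF'
96: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qlen 1000
    inet6 2001:4830:3000:2:204:8ff:fe00:1151/64 scope global dynamic
       valid_lft 2591953sec preferred_lft 604753sec
    inet6 fe80::204:8ff:fe00:1151/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

# On a live host: ip -6 addr ls | find_global_v6
sample_link_only | find_global_v6 || echo "no global-scope IPv6 address"
sample_with_global | find_global_v6
```

The exit status makes the function usable from a cron job or configuration check that should flag a host as soon as any interface picks up a global-scope address.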

