[ale] Another IPv6? - How do I know if I'm on that network

David Tomaschik david at systemoverlord.com
Wed Feb 9 18:43:52 EST 2011


On some distros, you can blacklist the ipv6 module to completely disable
IPv6.  I wouldn't though.  I'd be more inclined to set up iptables
correctly, specifically ip6tables, to protect your system(s) adequately.

On Ubuntu, I rather like the UFW tool for host firewalls.  By default,
it blocks all IPv6 traffic.  If you enable IPv6 support in it, it
applies similar rules to both your IP and IP6 interfaces.

I have a firewall at my router as well as a host-based firewall on every
host on my LAN.  Paranoid?  Maybe.  But almost certainly more secure.

David


On 02/09/2011 05:24 PM, Greg Freemyer wrote:
> Thanks Mike
> 
> I do not have a global IPv6 address.  I'm happy about that..
> 
> ===
> # ip -6 addr ls
> 1: lo: <LOOPBACK,UP> mtu 16436
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
>     inet6 fe80::216:76ff:fea5:a47f/64 scope link
>        valid_lft forever preferred_lft forever
> ===
> 
> Damn, but IPv6 just scares me at this point.  Every time I have an
> issue, I'm going to wonder if it's the IPv6 boogie man somehow getting
> through.  At least with the above I can check my linux machines and
> verify they don't have global IPs.
> 
> (Yes, I know I have to go through at least some of the HE cert
> training so I can get some confidence in what's going on with my
> network.)
> 
> Greg
> 
> On Wed, Feb 9, 2011 at 3:55 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>> On Wed, 2011-02-09 at 15:31 -0500, Greg Freemyer wrote:
>>> All,
>>>
>>> I was just doing some testing on an old openSUSE 10.1 box.  I had the
>>> firewall setup to block 443 incoming traffic from my external
>>> interface.
>>>
>>> I did some test connections that failed as expected, but just to make
>>> sure nothing was getting through.
>>
>>> I did a netstat -an | grep 443
>>
>>> To my shock I saw an active connection from google (*.1e100.net).
>>
>>> I have made no attempt to be on the IPv6 network here, but I'm having
>>> trouble coming up with another explanation.
>>
>> You're going to have to post more information there.  Like the complete
>> string with addresses, not just a snippet.  What you posted didn't even
>> make sense to me.
>>
>> [mhw at amethyst ~]$ netstat -an | grep 443
>> tcp  0  0 :::443   :::*    LISTEN
>>
>> Like that's just listening.  I would like to see the peer addresses and
>> the connection state.
>>
>>> So how do I verify the outside world doesn't have some way to bypass
>>> my firewall.
>>
>> First off, find out if you have any global unicast addresses configured.
>>
>> Example (using ip):
>>
>> [mhw at amethyst ~]$ ip -6 addr ls
>> 98: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
>>    inet6 ::1/128 scope host
>>       valid_lft forever preferred_lft forever
>> 94: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
>>    inet6 fe80::204:8ff:fe00:151/64 scope link
>>       valid_lft forever preferred_lft forever
>> 96: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qlen 1000
>>    inet6 2001:4830:3000:2:204:8ff:fe00:1151/64 scope global dynamic
>>       valid_lft 2591953sec preferred_lft 604753sec
>>    inet6 fe80::204:8ff:fe00:1151/64 scope link
>>       valid_lft forever preferred_lft forever
>>
>> See that address saying "global dynamic".  That's what you are looking
>> for.  No "global" (dynamic or otherwise) then no they can't.
>>
>> You can get that from ifconfig as well:
>>
>> [mhw at amethyst ~]$ ifconfig eth1
>> eth1      Link encap:Ethernet  HWaddr 00:04:08:00:11:51
>>          inet6 addr: 2001:4830:3000:2:204:8ff:fe00:1151/64 Scope:Global
>>          inet6 addr: fe80::204:8ff:fe00:1151/64 Scope:Link
>>          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
>>          RX packets:3729060 errors:0 dropped:0 overruns:0 frame:0
>>          TX packets:1738041 errors:0 dropped:0 overruns:0 carrier:0
>>          collisions:0 txqueuelen:1000
>>          RX bytes:3295706892 (3.0 GiB)  TX bytes:599242483 (571.4 MiB)
>>
>> Again...  "Scope: Global" on an inet6 address is what you are looking
>> for.
>>
>>> Thanks
>>> Greg
>>
>> Regards,
>> Mike
>> --
>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>>   NIC whois: MHW9          | An optimist believes we live in the best of all
>>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
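A small script that automates the check Mike describes, added here as an example and not part of the thread: it parses `ip -6 addr` output and reports every address with scope global, and, going one step beyond the thread, tags unique local addresses (fc00::/7), which `ip` also labels "scope global" although they are not routed on the Internet. The embedded sample is Mike's output from above, constructed inline so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find global-scope IPv6 addresses in
# `ip -6 addr` output, which is the check Mike describes above.

# Constructed sample input: the `ip -6 addr ls` output Mike posted, embedded
# so the script can be run offline.
sample_ip6_output() {
    cat <<'EOF'
98: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
   inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
94: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
   inet6 fe80::204:8ff:fe00:151/64 scope link
      valid_lft forever preferred_lft forever
96: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qlen 1000
   inet6 2001:4830:3000:2:204:8ff:fe00:1151/64 scope global dynamic
      valid_lft 2591953sec preferred_lft 604753sec
   inet6 fe80::204:8ff:fe00:1151/64 scope link
      valid_lft forever preferred_lft forever
EOF
}

# Read `ip -6 addr` output on stdin; print "iface address kind" for every inet6
# line whose scope is global (loopback and link-local lines are skipped).
# Unique local addresses (fc00::/7) also show as "scope global" but are not
# Internet-routable, so they are tagged "ula" instead of "global".
global_ipv6_addrs() {
    awk '
        /^[0-9]+: / { iface = $2; sub(/[:@].*$/, "", iface) }
        $1 == "inet6" {
            for (i = 3; i < NF; i++)
                if ($i == "scope" && $(i + 1) == "global")
                    print iface, $2, (tolower(substr($2, 1, 2)) ~ /^f[cd]$/ ? "ula" : "global")
        }
    '
}

# Exit status 0 if stdin contains at least one global-scope address, else 1.
has_global_ipv6() {
    [ -n "$(global_ipv6_addrs)" ]
}

# Demonstration on the embedded sample.
if sample_ip6_output | has_global_ipv6; then
    echo "global-scope IPv6 address(es) found:"
    sample_ip6_output | global_ipv6_addrs
else
    echo "no global-scope IPv6 address; only loopback/link-local"
fi
```

On a live box, replace the sample with the real command: `ip -6 addr ls | global_ipv6_addrs`.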
