Dual stack IPv4/IPv6 on FreeBSD
April 14, 2010
Here is a quick note to show how easy it is to enable a dual IP stack on FreeBSD (and in fact on most modern systems).
Here is what you need:
1. Native connectivity to IPv4 & IPv6 backbones
IPv4 connectivity should already be in place. If your provider does not offer native IPv6, you can use a 6in4 tunnel to reach the IPv6 backbone over IPv4. Several tunnel brokers are available for free; I personally know Hurricane Electric and SixXS.
2. An IPv4 gateway such as 192.168.1.1
3. An IPv4 address in that range such as 192.168.1.10
4. An IPv6 gateway such as 2001:db8:abcd::1
5. An IPv6 address in that range such as 2001:db8:abcd::e
6. Put it all together in /etc/rc.conf
Extract from /etc/rc.conf
#IPv4 config
ifconfig_re0="inet 192.168.1.10 netmask 255.255.255.0"
static_routes="default"
route_default="default 192.168.1.1"
#IPv6 config
ipv6_enable="YES"
ipv6_ifconfig_re0="2001:db8:abcd::e/56"
ipv6_static_routes="default"
ipv6_route_default="default 2001:db8:abcd::1"
Then reboot, or run the network related scripts from /etc/rc.d by hand:
ipv6# /etc/rc.d/netif start
re0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 9e:65:96:1e:ca:5e
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX )
	status: active
ipv6# /etc/rc.d/routing start
add net default: gateway 192.168.1.1
Additional routing options:.
ipv6# /etc/rc.d/network_ipv6 start
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
net.inet6.ip6.forwarding: 0 -> 0
re0: flags=8843 metric 0 mtu 1500
	options=9b
	inet6 2001:db8:abcd::e prefixlen 56 tentative
plip0: flags=108810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net default: gateway 2001:db8:abcd::1
IPv4 mapped IPv6 address support=NO
You may notice the IPv6 address is marked as tentative: DAD (Duplicate Address Detection) is still checking that no other host on the link already uses it. Run ifconfig again a few seconds later; if the address is not a duplicate the tentative flag disappears, otherwise it is replaced by duplicated and the address is never activated.
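Polling ifconfig by eye does not scale when a daemon must not bind the address before DAD has finished. The following is an added example, not code from the original post: a small POSIX sh helper that reads FreeBSD ifconfig output and classifies the DAD state of one address, plus a poller around it. The ifconfig samples embedded in it are constructed to look like the output of `ifconfig re0` above; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: inspect FreeBSD ifconfig
# output and report the DAD state of one IPv6 address, then a poller that
# waits for DAD to finish before you rely on the address (for instance
# before starting a daemon that binds to it). The ifconfig samples below
# are constructed to look like the output of `ifconfig re0` on this box.

# dad_state IFCONFIG_OUTPUT ADDRESS
# Prints one of: ok | tentative | duplicated | missing
dad_state() {
    # Trailing space in the pattern: 2001:db8:abcd::e must not match ::e1
    _line=$(printf '%s\n' "$1" | grep -iF "inet6 $2 " | head -n 1)
    if [ -z "$_line" ]; then
        echo missing
        return 0
    fi
    # Pad with spaces so the flag words match whether or not they end the line.
    case " $_line " in
        # DAD failed: another host on the link already owns the address
        *" duplicated "*) echo duplicated ;;
        # DAD still running (one probe per second by default)
        *" tentative "*)  echo tentative ;;
        *)                echo ok ;;
    esac
}

# wait_for_dad INTERFACE ADDRESS [SECONDS]
# Polls the live interface; returns 0 once the address is usable.
wait_for_dad() {
    _if=$1; _addr=$2; _left=${3:-10}
    while [ "$_left" -gt 0 ]; do
        _state=$(dad_state "$(ifconfig "$_if")" "$_addr")
        case $_state in
            ok)         echo "$_addr is usable on $_if"; return 0 ;;
            duplicated) echo "DAD failed: $_addr is already used on the link" >&2; return 2 ;;
            missing)    echo "$_addr is not configured on $_if" >&2; return 3 ;;
        esac
        sleep 1
        _left=$((_left - 1))
    done
    echo "DAD still running for $_addr, giving up" >&2
    return 1
}

# Constructed samples; the flag words are the ones FreeBSD ifconfig prints.
SAMPLE_TENTATIVE='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 2001:db8:abcd::e prefixlen 56 tentative
        inet6 fe80::9c65:96ff:fe1e:ca5e%re0 prefixlen 64 scopeid 0x1'
SAMPLE_READY=$(printf '%s\n' "$SAMPLE_TENTATIVE" | sed 's/ tentative$//')
SAMPLE_DUP=$(printf '%s\n' "$SAMPLE_TENTATIVE" | sed 's/ tentative$/ duplicated/')

dad_state "$SAMPLE_TENTATIVE" 2001:db8:abcd::e   # prints: tentative
dad_state "$SAMPLE_READY"     2001:db8:abcd::e   # prints: ok
# On the FreeBSD box itself:  wait_for_dad re0 2001:db8:abcd::e 15
```

The poller distinguishes "still tentative" (keep waiting) from "duplicated" (stop: someone else answered the DAD probe, which on a shared segment is worth investigating rather than retrying).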
Test connectivity over both stacks:
ipv6# ping -c3 www.google.com
PING www.l.google.com (209.85.229.147): 56 data bytes
64 bytes from 209.85.229.147: icmp_seq=0 ttl=55 time=10.624 ms
64 bytes from 209.85.229.147: icmp_seq=1 ttl=55 time=10.675 ms
64 bytes from 209.85.229.147: icmp_seq=2 ttl=55 time=10.815 ms
--- www.l.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.624/10.705/10.815/0.081 ms
ipv6# ping6 -c3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:abcd::e --> 2a00:1450:8006::93
16 bytes from 2a00:1450:8006::93, icmp_seq=0 hlim=56 time=15.562 ms
16 bytes from 2a00:1450:8006::93, icmp_seq=1 hlim=56 time=15.529 ms
16 bytes from 2a00:1450:8006::93, icmp_seq=2 hlim=56 time=15.541 ms
--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 15.529/15.544/15.562/0.014 ms
Congratulations, you now have IPv4 and IPv6 connectivity from your FreeBSD box!
IPv6 Firewall with Linux
September 17, 2009
More and more hosting providers have enabled IPv6 on their networks, and most of their Linux servers ship with a basic IPv6 configuration. Even if you never use IPv6, it is there and wide open: the default netfilter/ip6tables policy is ACCEPT, and your IPv4 iptables rules do not apply to IPv6 traffic at all, so every service listening on :: is reachable from the whole IPv6 Internet.
If you don't use IPv6 at all, disable it. On Debian the interface configuration lives in /etc/network/interfaces; remove every inet6 stanza, which looks like this:
iface eth0 inet6 static
	address 2001:db8:4:fe34::3ea1
	netmask 64
Removing the stanza only drops the static address: the kernel still assigns a link-local address and accepts router advertisements. To switch IPv6 off completely, set net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf (kernel 2.6.31 or later).
If you plan to use IPv6, first be aware that ICMPv6 must be filtered carefully, not blocked wholesale. IPv6 relies on ICMPv6 far more than IPv4 relies on ICMP: it replaces ARP with neighbour-solicitation and neighbour-advertisement messages, it performs router discovery with router-solicitation and router-advertisement messages, and it replaces IGMP with MLD (the group-membership-query, group-membership-report and group-membership-reduction messages). IPv6 routers also never fragment packets, so dropping packet-too-big breaks Path MTU discovery and stalls large transfers.
Here is a small script that activates IPv6 filtering with netfilter/ip6tables. It has been tested on Debian but should work on other Linux distributions.
#!/bin/bash -e
#
# Simple example IPv6 firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces. To restrict
#   it to a single interface set IFACE below (e.g. IFACE="-i eth0").
#   '-i' is only valid on rules (-A), not on -P/-F/-X, so it cannot be
#   folded into the IP6TABLES variable.
# - Remote access to the TCP/UDP services is granted to any host; you
#   probably want to restrict this using '--source'.
# - bash is required: safe-restart relies on 'read -t', which Debian's
#   /bin/sh (dash) does not implement.
#
# description: Activates/Deactivates the IPv6 firewall at boot time
#
# Test this script with the safe-restart option before relying on it.
#
IP6TABLES=/sbin/ip6tables
# Interface restriction for the INPUT rules; empty means all interfaces.
# Left unquoted on purpose below so that "-i eth0" splits into two words.
IFACE=""
#IFACE="-i eth0"
[ -x "$IP6TABLES" ] || exit 1
# Inbound TCP ports
TCP_INPUT_PORTS="21 22 53 443"
# Inbound UDP ports
UDP_INPUT_PORTS="53"
# Allowed ICMPv6 messages (names as understood by --icmpv6-type).
# packet-too-big is mandatory: IPv6 routers never fragment, so without
# it Path MTU discovery fails and large transfers stall.
ALLOWED_ICMP="\
packet-too-big \
destination-unreachable \
time-exceeded \
parameter-problem \
echo-request \
echo-reply \
router-advertisement \
neighbour-solicitation \
neighbour-advertisement"
fw_start () {
    # Allow traffic to the loopback (needed by some applications)
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    # Allow packets of related and established connections.
    $IP6TABLES -A INPUT $IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow ICMPv6 as defined in ALLOWED_ICMP
    if [ -n "$ALLOWED_ICMP" ] ; then
        for ICMP_TYPE in $ALLOWED_ICMP; do
            $IP6TABLES -A INPUT $IFACE -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
        done
    fi
    # Open allowed TCP ports if any
    if [ -n "$TCP_INPUT_PORTS" ] ; then
        for PORT in $TCP_INPUT_PORTS; do
            $IP6TABLES -A INPUT $IFACE -m state --state NEW -p tcp --dport ${PORT} \
                -j ACCEPT
        done
    fi
    # Open allowed UDP ports if any
    if [ -n "$UDP_INPUT_PORTS" ] ; then
        for PORT in $UDP_INPUT_PORTS; do
            $IP6TABLES -A INPUT $IFACE -m state --state NEW -p udp --dport ${PORT} \
                -j ACCEPT
        done
    fi
    # Log and drop all other packets. The rules are appended before the
    # policy is switched, so existing sessions never hit an empty DROP chain.
    $IP6TABLES -A INPUT $IFACE -j LOG --log-prefix "ip6 INPUT drop: "
    $IP6TABLES -P INPUT DROP
    # Log and drop all packets to be forwarded, we're not a router...
    $IP6TABLES -A FORWARD -j LOG --log-prefix "ip6 FORWARD drop: "
    $IP6TABLES -P FORWARD DROP
    # We're not going to filter outgoing packets
    # but you can if you're paranoid like I am...
    $IP6TABLES -P OUTPUT ACCEPT
}
# fw_stop disables the firewall completely and resets all chains to
# the default policy ACCEPT
fw_stop () {
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P PREROUTING ACCEPT
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT
    $IP6TABLES -t mangle -P INPUT ACCEPT
    $IP6TABLES -t mangle -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P FORWARD ACCEPT
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}
# fw_clear removes the rule set from the firewall and keeps the
# current default policy (on a restart that means DROP until fw_start
# has re-added the rules, a gap of a few milliseconds)
fw_clear () {
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}
case "$1" in
    start|restart)
        echo -n "Starting IPv6 firewall.."
        fw_clear
        fw_start
        echo "done."
        ;;
    stop)
        echo -n "Stopping IPv6 firewall.."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing IPv6 firewall rules.."
        fw_clear
        echo "done."
        ;;
    test|safe-restart)
        echo "Safely restarting IPv6 firewall (rules revert in 10s unless confirmed)..."
        fw_clear
        fw_start
        # 'read -t' exits non-zero on timeout. Because of 'set -e' that
        # must not abort the script, otherwise the new rules would stay
        # in place and lock us out, which is exactly what this mode is
        # meant to prevent.
        answer=""
        read -t 10 -r -p "Is it still OK? (type anything and press Enter) " answer || answer=""
        if [ -z "$answer" ]; then
            echo "No answer, reverting to default policy ACCEPT."
            fw_stop
        else
            echo "Keeping the new rules."
        fi
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|safe-restart|clear}"
        exit 1
        ;;
esac
exit 0
Now copy the script to /etc/init.d/ip6firewall, make it executable, and register it so that it starts at boot time:
update-rc.d ip6firewall start 41 S . stop 34 0 6 .
The server now only accepts IPv6 packets on the ports we have chosen, plus the ICMPv6 types listed in ALLOWED_ICMP. IPv4 filtering is a separate iptables rule set and is not covered by this script.
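The ALLOWED_ICMP list above accepts neighbour discovery and router advertisements from any source, which is more than a host needs: RFC 4861 requires those messages to carry hop limit 255 (so they can never have crossed a router) and router advertisements to come from a link-local address, and MLD (RFC 2710/3810) uses hop limit 1 from link-local sources. The following is an added example, not code from the original post, showing how to tighten the ICMPv6 part of the rule set. It emits ip6tables commands rather than running them, so the set can be reviewed (or tested offline) before being piped to a shell. The chain name ICMP6_IN and the helper names are my own; it assumes ip6tables with the hl and limit matches and -C (iptables 1.4.11 or later).

```sh
#!/bin/sh
# Added example, not from the original post: generate a hardened ICMPv6
# INPUT rule set for a host (not a router) as ip6tables commands.
# Review with:  icmpv6_rules        Apply with:  icmpv6_rules | sh -e
# Assumptions: ip6tables with the hl and limit match extensions and -C
# (iptables >= 1.4.11); ICMP6_IN is a chain name chosen for this example.

IP6TABLES=${IP6TABLES:-/sbin/ip6tables}
CHAIN=${CHAIN:-ICMP6_IN}

icmpv6_rules() {
    # Dedicated chain, idempotent: create it or flush it, and hook it at the
    # top of INPUT only if the jump is not already there.
    echo "$IP6TABLES -N $CHAIN 2>/dev/null || $IP6TABLES -F $CHAIN"
    echo "$IP6TABLES -C INPUT -p icmpv6 -j $CHAIN 2>/dev/null || $IP6TABLES -I INPUT 1 -p icmpv6 -j $CHAIN"

    # Error messages: needed for Path MTU discovery (routers never fragment
    # in IPv6) and for connections to fail fast instead of timing out.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done

    # Neighbour Discovery (RFC 4861) is always sent with hop limit 255; a
    # lower value means the packet crossed a router and is forged. The
    # kernel checks this too, but the rule keeps the forgery out of the logs
    # of the catch-all below and documents the invariant.
    for t in neighbour-solicitation neighbour-advertisement; do
        echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Router advertisements must additionally come from a link-local source.
    echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type router-advertisement -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT"

    # MLD, the IPv6 replacement for IGMP: query 130, report 131, done 132,
    # MLDv2 report 143. Link-local source, hop limit 1. ip6tables has no
    # symbolic names for these, hence the numbers.
    for t in 130 131 132 143; do
        echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type $t -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT"
    done

    # Echo: stay pingable, but rate-limit requests so the host cannot be
    # flooded or used as a reflector. Replies to our own pings are accepted.
    echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/second --limit-burst 20 -j ACCEPT"
    echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"

    # Redirects let anyone on the link rewrite our routing table; a host with
    # a single default router does not need them. Everything else is logged
    # and dropped explicitly, so the INPUT policy never sees ICMPv6.
    echo "$IP6TABLES -A $CHAIN -p icmpv6 --icmpv6-type redirect -j DROP"
    echo "$IP6TABLES -A $CHAIN -j LOG --log-prefix 'ip6 icmpv6 drop: '"
    echo "$IP6TABLES -A $CHAIN -j DROP"
}

# Helpers to inspect the generated set without applying it.
count_accepted() { icmpv6_rules | grep -c -- '-j ACCEPT'; }
rule_for() { icmpv6_rules | grep -F -- "--icmpv6-type $1 "; }

icmpv6_rules
```

Because the generator only prints, the usual workflow is `icmpv6_rules > /tmp/icmp6.sh`, read it, then `sh -e /tmp/icmp6.sh` from a session you can recover (or from the safe-restart mode of the script above). Since the jump sits at position 1 of INPUT, ICMPv6 is fully decided in ICMP6_IN and the ICMPv6 entries in ALLOWED_ICMP become redundant.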
By the way, I've been certified IPv6 Guru by Hurricane Electric…
That’s all folks!