Friday 22 March 2013

IPv6 once again

Well, after quite some time of absence, I'm trying to get back on track. New country, new job, new life (no, not really), still no native IPv6 (really!). Sick of waiting for the promised native v6 connectivity from my provider, I've chosen to get an IPv6 tunnel once again. Nothing fancy this time, as I have no dedicated machine (a.k.a my Dreamplug) yet to use as DNS server and router, but it's coming.

I've chosen the only available option for a tunnel, which is through SixXS. It's a pretty good service, albeit a bit annoying in the registration process. It's also a bit annoying that you only get a /64 after requesting a tunnel, and have to accrue more credit in order to have enough to ask for a shorter prefix (which I think will be a /56, but I'm not sure, as I'm not there yet).

Anyhow, this time the instructions are not for FreeBSD, but for Gentoo Linux, which is what I've been running for ages on my laptop. Currently the laptop is the only PC in the house, so it's acting as server, virtual machine host and pretty much everything else too.

After having received the tunnel from SixXS it was easy as pie to set it up, following the instructions. For the lazy here a short recap:
  • make sure you have CONFIG_TUN set to m or y in your .config file in /usr/src/linux (where the kernel sources should reside). I have it as a module (m). Check with:
    • grep CONFIG_TUN /usr/src/linux/.config
  • emerge aiccu
  • configure aiccu by editing the config file. Just insert at the top the username and the password with which you log in to the SixXS webpage, and leave the rest. It will work.
    • nano /etc/aiccu.conf
  • Start the daemon:
    • /etc/init.d/aiccu start
  • Add the daemon to the default runlevel
    • rc-update add aiccu default
Done. Now, given that I've got a /64 subnet, I'm allowed to hand out further addresses out of that prefix; I just can't subnet it, which for the moment isn't important anyway.

So time to set up the router advertisement server - radvd. Again, quite easy to set up:
  • emerge radvd
  • Copy the config example into /etc/radvd.conf
    • bzcat /usr/share/doc/radvd-1.9.2-r1/radvd.conf.example.bz2 > /etc/radvd.conf
  • Edit the config file, and insert your /64 prefix in the section starting with
    • # example of a standard prefix 
  • No need to edit the options within the brackets
  • Comment out everything below that section, taking care not to comment out the last bracket at the bottom
  • Save, exit, and start the daemon
    • /etc/init.d/radvd start
  • Add it to the default runlevel
    • rc-update add radvd default
  • The daemon will automatically switch on the packet forwarding sysctls; now all machines on the network can go v6
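As an added example (not from the original post, and not SixXS or radvd code), here is a small POSIX shell helper that wraps the checks behind the two lists above: it verifies that CONFIG_TUN is enabled in a kernel .config, checks whether an IPv6 forwarding sysctl is switched on, and generates the "standard prefix" section of radvd.conf for a given interface and /64. The interface name eth0 and the prefix 2001:db8:1234:5678::/64 (the RFC 3849 documentation range) are placeholders for your own LAN interface and the /64 SixXS assigned; the radvd.conf keywords are the ones from the stock radvd.conf.example.

```shell
#!/bin/sh
# Added example, not part of the original post. Placeholders: the interface
# name eth0 and the documentation prefix 2001:db8:1234:5678::/64 (RFC 3849)
# stand in for the LAN interface and the /64 handed out by SixXS.

# check_tun_config KCONFIG
# Succeeds if CONFIG_TUN is built in (y) or a module (m) in the given .config.
check_tun_config() {
    grep -Eq '^CONFIG_TUN=[ym]$' "$1"
}

# check_forwarding SYSCTL_FILE
# Succeeds if the given sysctl file contains 1. On the router, point it at
# /proc/sys/net/ipv6/conf/all/forwarding; radvd is useless without it.
check_forwarding() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# valid_prefix64 PREFIX
# Coarse syntactic check: hex groups separated by colons, ending in /64.
# It does not fully validate the address; it only rejects obvious typos
# (wrong length, stray characters) before they reach radvd.
valid_prefix64() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{1,4}(:[0-9a-fA-F]{0,4}){2,7}/64$'
}

# gen_radvd_conf IFACE PREFIX
# Prints a minimal radvd.conf: the "standard prefix" section of the shipped
# example with the prefix filled in, everything else left at the defaults.
gen_radvd_conf() {
    iface=$1
    prefix=$2
    valid_prefix64 "$prefix" || {
        echo "gen_radvd_conf: not a /64 prefix: $prefix" >&2
        return 1
    }
    cat <<EOF
interface $iface
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;

    # example of a standard prefix
    prefix $prefix
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
EOF
}

# Usage on the router (uncomment to apply; paths as in the post):
# check_tun_config /usr/src/linux/.config || echo "CONFIG_TUN missing" >&2
# check_forwarding /proc/sys/net/ipv6/conf/all/forwarding || echo "forwarding off" >&2
# gen_radvd_conf eth0 2001:db8:1234:5678::/64 > /etc/radvd.conf
```

The generator deliberately emits only the one prefix stanza, which is exactly what the "comment out everything below that section" step leaves behind in the shipped example; a mistyped prefix is rejected before it is written out, since radvd will otherwise refuse to start and the LAN silently stays v4-only.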
Firewalling:
I have no IPv6 firewall. There's a simple reason for that: I control all machines on the network, which are my laptop and one or two virtual machines which either have their own firewall (Windows), have no services running (FreeBSD), or run very few services, for which I'd need to open the firewall ports anyway. So what's the point of having a firewall?

Additionally, work has shown me lately that it's not the unknown ports you should be worried about, but the well-known ones, like port 80 or 443 if you have a webserver running, or port 21 for FTP or 22 for SSH. The attacks these days are aimed at those ports, trying to compromise the services behind them, rather than looking for unknown services on non-well-known ports.
You need a firewall that does DPI, or an application firewall (like the one that comes with Windows), to get actual security. The rest is just useless.

And these guys agree on that too :-)