Space battles since 2000
https://www.freeallegiance.org/forums/
Ok there will be HEAPS of Aussie players as well as NZ and others where 3FL was our hope that never was reality, we just NEED to try this and be done with the whole LAG issues that we get with GPZ and to some extent Planet through IPV4.voobscout wrote:QUOTE (voobscout @ Apr 28 2009, 12:18 AM) There're quite a few ipv6 tunnel brokers, wikipedia provides a summary here:
http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
The best option is to find out which POP is the closest to you, IP-wise, since geographical distances rarely account for ISP peering agreements ;-)
For our AU users, there's
http://broker.aarnet.net.au/ - 202.158.196.131
http://ipv6.internode.on.net/ - 150.101.0.201
this depends on which OS you're running, if it's a mustdie, then you never actually had control of your firewalling to begin with... you have a poor implementation of some immature port filter..... however, even this crap supports ipv6.sgt_baker wrote:QUOTE (sgt_baker @ Apr 28 2009, 12:47 PM) I've given this a go with tunnelbroker. My initial assessment isn't quite rosy. It would appear that I'm required to give the IPv6 tunnel carte blanche where my firewall is concerned, or get my hands dirty recompiling my firewall's kernel to support IPv6. Neither of which are things I really want to do.
/me will investigate other options.
B
voobscout wrote:QUOTE (voobscout @ Apr 28 2009, 03:31 PM) this depends on which OS you're running, if it's a mustdie, then you never actually had control of your firewalling to begin with... you have a poor implementation of some immature port filter..... however, even this crap supports ipv6.
The convenience is that you can use netsh from command line, instead of mucking around in some GUI....
ie. c:\>netsh firewall show config
so, you can set anything that relates to ipv6 from within.... the only question would be, what exactly DO you need to set ? do you have a list of IPs you want to block ? very unlikely, since you haven't been using ipv6 up till now... If it is open ports you're worried about, whatever applies to your ipv4, also applies to your ipv6, since you're basically just changing the underlying IP protocol from version 4 to 6, you're not touching anything above, all the TCP/UDP stuff stays exactly the same...
I can refer you to OSI model, where IP (any version) is a networking layer (or layer 3 on OSI model), that is only responsible for path determination and addressing. a good explanation can be found here: http://www.webopedia.com/quick_ref/OSI_Layers.asp
Now, if you're talking about something like solaris/linux/osX/IOS, then you have total firewalling control over everything, including ipv6, including NAT PT, excellent pf and all the perks of running a real operating system, instead of some GUI dos shell ;-)
if it's your local router you're concerned with, you can always run openwrt equivalent on it and have the full ipv6 support built in.
In short - you're definitely not giving your ipv6 anything beyond what you already had with ipv4, you don't even need to reconfigure your firewall on mustdie to support ipv6, it does it straight away....
Aha ! Good sir Baker has not specified the nature of his concerns, thus i missunderstood what he ment.sgt_baker wrote:QUOTE (sgt_baker @ Apr 28 2009, 04:41 PM) I had IPv6 running this morning as per configuration mentioned here and on the tunnelbroker site. It was 50% working that that I had IPv6 address, DNS etc, but no dice as far as connecting to anything was concerned. A bit of quick research pointed to my linux firewall messing things up. I could give this a whilst connected directly to teh internets just to make sure. Which I will do now, in fact
As suspected, neither of my firewalls (Sygate Personal Firewall on this box and Smoothwall Express 3.0) will have anything to do with the tunnel. Both fail silently. Obviously I was able to connect first time when I was plumbed directly into the internet from this machine, but as soon as I enabled Sygate, everything just went quiet. And that's despite my adding specific rules to Sygate to allow the Ipv6 driver unrestricted access. Nothing. Nada. Just sits there doing bugger all.voobscout wrote:QUOTE (voobscout @ Apr 28 2009, 04:11 PM) Aha ! Good sir Baker has not specified the nature of his concerns, thus i missunderstood what he ment.
What was being said is that when you start tunneling traffic directly from a box located inside some network, you become vulnerable to all kinds of crap... that applies to any kind of tunnels, vpn, gre etc... It is more of a general security concern rather then something specific to ipv6.
The obvious solution would be to have your border router / firewall create the tunnel and not the box inside your network. That will allow you to continue to manage your security policy from a single place.
Depending on your setup (ie, linux net tools or iproute2) you'd have to take nessesary steps to insure continuos security, however, generally speaking whatever applies to your ipv4 setup still applies to ipv6, the only thing you have to remember is to not bind firewall rules to a specific interface and incase you have to, just duplicate your ruleset over to sit0...
In a perfect setup, you'd be using ipv4->ipv6 NAT on your border device.