Hallo, ich versuche schon seit einiger Zeit, in meinen Jails IPv6 zu nutzen,
nur leider scheine ich irgendetwas nicht zu verstehen oder falsch zu machen...
Vielleicht kann mir ja jemand helfen oder einen Tipp geben...
Meine BASE ist FreeBSD 9.1; IPv6 funktioniert in der Base zu 100 %.
hier mal meine Configs
RC.conf nur ipv6 einstellungen
PF.CONF
traceroute6 BASE
traceroute6 JAIL WEB1
PING6 JAIL WEB1
WGET TEST JAIL WEB1
BASE
JAIL WEB1
Was mache ich nur falsch? Ich bin schon etwas am Verzweifeln....
nur leider scheine ich irgendetwas nicht zu verstehen oder falsch zu machen...
Vielleicht kann mir ja jemand helfen oder einen Tipp geben...
Meine BASE ist FreeBSD 9.1; IPv6 funktioniert in der Base zu 100 %.
hier mal meine Configs
RC.conf nur ipv6 einstellungen
Code:
# rc.conf excerpt of the host ("BASE"); per the post only the IPv6-related
# settings are shown, so other ifconfig_* / alias lines may exist elsewhere.
# Host route that makes the gateway address reachable directly on em0
# (/128, -interface); the same address is then used as the default router.
ipv6_static_routes="ovhgw"
ipv6_route_ovhgw="2001:xxxx:1:57ff:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_defaultrouter="2001:xxxx:1:57ff:ff:ff:ff:ff"
ipv6_activate_all_interfaces="YES"
# Turns on IPv6 forwarding, i.e. the host acts as a router.
ipv6_gateway_enable="YES"
# Global addresses on the external interface: ::1 and ::2.
# NOTE(review): the pf.conf on this page NATs the jail to ...:5788::20, which
# is not assigned in this excerpt -- confirm that address is configured on em0.
ifconfig_em0_ipv6="inet6 2001:xxxx:1:5788::1 prefixlen 56"
# NOTE(review): rc.d walks ifconfig_<if>_aliasN upward from 0 and stops at the
# first missing number; confirm alias0 and alias1 exist in the omitted lines,
# otherwise this entry is presumably never applied.
ifconfig_em0_alias2="inet6 2001:xxxx:1:5788::2 prefixlen 56"
# lo1 is a cloned loopback that carries the jail addresses.
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.10.10.253 netmask 255.255.255.0"
# NOTE(review): fec0::/10 (site-local) was deprecated by RFC 3879; unique local
# addresses (fc00::/7, RFC 4193) are the current choice for internal-only
# prefixes. Changing it requires the matching pf.conf macros to change too.
ifconfig_lo1_ipv6="inet6 fec0:0:0:5::253 prefixlen 64"
ifconfig_lo1_alias0="inet 10.10.10.1 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet6 fec0:0:0:5::1 prefixlen 64"
# Packet filter: rules are loaded from /etc/pf.conf at boot.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
# pflogd stores packets matched by rules carrying the "log" keyword.
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
PF.CONF
Code:
# pf.conf as posted. NOTE(review): this listing uses macros and queues it never
# defines ($ext_ip, $ext_ipv6_web1_osupcom, $ping_outbound_ips,
# $ping6_outbound_ips, $icmp_types_in/out, $icmp6_types_in/out, ssh_out,
# ssh_ack_out, std_out, ack_out). Presumably they were trimmed from the post;
# "pfctl -nf /etc/pf.conf" parses the file without loading it and reports any
# that are really missing.
#
# Interface macros. $int_if and $pptp_if are defined but no rule in this
# listing refers to them.
ext_if = "{ em0 }"
int_if = "{ lo1 }"
loop_if = "{ lo0 }"
pptp_if = "{ lo2 }"
# Public IPv6 addresses of the host.
ext_ipv6 = "{ 2001:xxxx:1:5788::1 }"
ext_ipv6_ns1 = "{ 2001:xxxx:1:5788::2 }"
# Address the jail is NATed to when it talks to the outside.
ext_ipv6_web1_master = "{ 2001:xxxx:1:5788::20 }"
# Internal addresses of jail web1.
jail_web1_ipv4_lo0 = "{ 127.0.0.2 }"
jail_web1_ipv4_lo1 = "{ 10.10.10.1 }"
# NOTE(review): fec0::/10 (site-local) is deprecated (RFC 3879); unique local
# addresses (fc00::/7) are the replacement for internal-only prefixes.
jail_web1_ipv6_lo1 = "{ fec0:0:0:5::1 }"
##########################
##### TABLES - A structure used to hold lists of IP addresses.
##########################
# <blocked_ip> is loaded from a file and kept even when no rule references it.
# <allowed_vpnnetz> and <allowed_jails> are not used by any rule shown here.
table <blocked_ip> persist file "/etc/pf.block.ip.conf"
table <allowed_vpnnetz> { 172.16.1.0/24 }
table <allowed_jails> { 10.10.10.0/24 }
### Skip all PF processing on the given interface (useful on loopback, where
### filtering, normalization and queueing are not needed).
# Only lo0 is skipped; lo1 (the jail interface) is still processed by pf.
set skip on $loop_if
# Collect per-interface statistics for em0 (shown by "pfctl -s info").
set loginterface em0
##########################
##### NORMALIZATION
##########################
# Normalize inbound packets on every interface.
scrub in all
##########################
##### TRANSLATION
##########################
### NAT IPv6
# Rewrites the jail's source address to $ext_ipv6_web1_master for outbound
# tcp/udp/icmp6/gre on em0.
# NOTE(review): replies only come back if the host answers neighbor discovery
# for that address; the rc.conf excerpt on this page assigns only ::1 and ::2
# to em0 -- confirm ::20 is configured.
nat on $ext_if inet6 proto {tcp udp icmp6 gre} from $jail_web1_ipv6_lo1 to any -> $ext_ipv6_web1_master
##########################
##### RDR
##########################
### [HTTP] Outside to DMZ
# Inbound port 80 is redirected to the jail's internal addresses.
# NOTE(review): the IPv6 rule matches on $ext_ipv6_web1_osupcom while the NAT
# rule above uses $ext_ipv6_web1_master; possibly the same address renamed for
# the post -- confirm both refer to the intended public address.
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $jail_web1_ipv4_lo1
rdr on $ext_if inet6 proto tcp from any to $ext_ipv6_web1_osupcom port 80 -> $jail_web1_ipv6_lo1
# General block rules.
# Without "quick" the last matching rule wins, so the second rule supersedes
# the first: the effective default on em0 is "block return log" in both
# directions. Other interfaces (lo1, ...) have no default block here and fall
# through to pf's implicit pass when no rule matches.
block on $ext_if
block return log on $ext_if
# "quick" stops evaluation, so blocked sources are dropped regardless of the
# pass rules further down.
block in quick on $ext_if from <blocked_ip> to any
##########################
##### PASS
##########################
### Loopback device may do anything
# Has no effect while "set skip on $loop_if" is active: skipped interfaces are
# never evaluated against the ruleset.
pass quick on $loop_if
### Jail web1 ###
# rdr is applied before filtering, so these rules match the translated
# (internal) destination address, not the public one.
pass in quick on $ext_if inet proto tcp from any to $jail_web1_ipv4_lo1 port 80
pass in quick on $ext_if inet6 proto tcp from any to $jail_web1_ipv6_lo1 port 80
# OUT #
# Outbound IPv4 with ALTQ queue assignment; the queues are not defined in this
# listing.
pass out quick on $ext_if inet proto tcp from any to any port ssh keep state queue ( ssh_out, ssh_ack_out )
pass out quick on $ext_if inet proto tcp all keep state queue ( std_out, ack_out )
pass out quick on $ext_if inet proto udp all keep state queue std_out
### IPv6 Out ###
# NOTE(review): despite the heading, the second rule passes ALL inbound IPv6
# tcp/udp/icmp6/gre on em0. No later rule blocks again, so for IPv6 the default
# block above is effectively cancelled and every IPv6 service on the host and
# the jails is reachable from outside; the port-80 rule for the jail becomes
# redundant. If this was added for debugging, narrow or remove the inbound rule
# once the problem is found and keep only the services meant to be public.
pass out log on $ext_if inet6 proto {tcp, udp, icmp6, gre} all
pass in log on $ext_if inet6 proto {tcp, udp, icmp6, gre} all
### ICMP ###
# Accepts every inbound ICMPv6 type on every interface. Because it is "quick",
# the type-restricted inbound icmp6 rule in the PING section is never reached.
pass in quick proto icmp6 all
#pass in quick proto icmp all
### PING ###
# Echo handling restricted by address and ICMP type macros (not defined in this
# listing).
pass in on $ext_if inet proto icmp from $ping_outbound_ips to any icmp-type $icmp_types_in keep state
pass out on $ext_if inet proto icmp from $ping_outbound_ips to any icmp-type $icmp_types_out keep state
pass in on $ext_if inet6 proto icmp6 from $ping6_outbound_ips to any icmp6-type $icmp6_types_in keep state
pass out on $ext_if inet6 proto icmp6 from $ping6_outbound_ips to any icmp6-type $icmp6_types_out keep state
### TRACEROUTE ###
# "><" is an exclusive range: inbound UDP to ports 33434-33625 is accepted from
# any source to any destination behind em0.
pass in on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass in on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state
traceroute6 BASE
Code:
traceroute6 to ipv6.l.google.com (2a00:1450:400c:c00::93) from 2001:xxxx:1:5788::1, 64 hops max, 12 byte packets
1 rbx-1-6k.fr.eu 0.846 ms * 0.677 ms
2 rbx-g2-a9.fr.eu 1.057 ms 0.994 ms 0.916 ms
3 gsw-g1-a9.fr.eu 5.092 ms 5.535 ms
gsw-g1-a9.fr.eu 4.789 ms
4 * * *
5 google.as15169.fr.eu 5.570 ms 4.758 ms 4.982 ms
6 2001:4860::1:0:4a3a 4.989 ms
2001:4860::1:0:9f2 5.556 ms
2001:4860::1:0:4a3a 5.418 ms
7 2001:4860::8:0:3df5 5.916 ms
2001:4860::8:0:3df4 6.093 ms
2001:4860::8:0:3df5 5.974 ms
8 2001:4860::8:0:507b 10.714 ms 10.266 ms
2001:4860::8:0:507c 10.323 ms
9 2001:4860::2:0:87b 10.586 ms 10.630 ms
2001:4860::2:0:87d 25.408 ms
traceroute6 JAIL WEB1
Code:
traceroute6 to ipv6.l.google.com (2a00:1450:4007:806::1014) from fec0:0:0:5::1, 64 hops max, 12 byte packets
1 rbx-1-6k.fr.eu 1.562 ms 11.127 ms *
2 rbx-g2-a9.fr.eu 2.627 ms 1.792 ms 2.253 ms
3 gsw-g1-a9.fr.eu 7.324 ms
gsw-g1-a9.fr.eu 4.704 ms 4.684 ms
4 * * *
5 google.as15169.fr.eu 5.937 ms 4.797 ms 5.035 ms
6 2001:4860::1:0:9f2 7.764 ms 4.846 ms 5.124 ms
7 2001:4860:0:1::39f 5.118 ms 5.002 ms 5.208 ms
8 * * *
9 * * *
PING6 JAIL WEB1
Code:
root@web1:/root # ping6 google.com
PING6(56=40+8+8 bytes) fec0:0:0:5::1 --> 2a00:1450:4007:806::1001
16 bytes from 2a00:1450:4007:806::1001, icmp_seq=0 hlim=57 time=4.769 ms
16 bytes from 2a00:1450:4007:806::1001, icmp_seq=1 hlim=57 time=4.775 ms
16 bytes from 2a00:1450:4007:806::1001, icmp_seq=2 hlim=57 time=4.827 ms
WGET TEST JAIL WEB1
Code:
root@web1:/root # wget ipv6.google.com
--2013-08-31 12:19:45-- http://ipv6.google.com/
Resolving ipv6.google.com (ipv6.google.com)... 2a00:1450:4007:806::1014
Connecting to ipv6.google.com (ipv6.google.com)|2a00:1450:4007:806::1014|:80...
BASE
Code:
root@master:/root # nc -6uvw 1 2001:4860:4860::8888 53
Connection to 2001:4860:4860::8888 53 port [udp/domain] succeeded!
root@master:/root # nc -6vw 1 2001:4860:4860::8888 53
Connection to 2001:4860:4860::8888 53 port [tcp/domain] succeeded!
JAIL WEB1
Code:
root@web1:/root # nc -6uvw 1 2001:41d0:a:ddee:1::1 53
Connection to 2001:41d0:a:ddee:1::1 53 port [udp/domain] succeeded!
root@web1:/root # nc -6vw 1 2001:41d0:a:ddee:1::1 53
nc: connect to 2001:41d0:a:ddee:1::1 port 53 (tcp) failed: Operation timed out
Was mache ich nur falsch? Ich bin schon etwas am Verzweifeln....