ipsidixit.net » IPv6

npd6 – Software now available

sgroarke — Thu, 04 Aug 2011 12:50:45 +0000

As per previous posts and discussions, my project to develop npd6 (Neighbor Proxy Daemon 6) is now advancing very rapidly.

If you have a Linux gateway router terminating your ISP feed supporting IPv6, this may be just what you need. To summarise the problem it solves: your ISP has given you an /64 (or some other size) IPv6 prefix, with the last 64 bits (or whatever) entirely for your own use on a private-side of the network. The IPv6 addresses in use by your own devices may well not even be known to you – it’s possible that you use DHCP6 to statically pre-allocate them (yuck!) or more likely you are using radvd on the gateway to advertise the ISP-supplied IPv6 prefix and let the devices themselves choose what they wish to tag on to that. It may be vaguely predictable (based upon the device’s Ethernet MAC address) or totally unpredictable (as per the Windows 7 box I looked at the other day!)

For these devices to be able to reach the outside IPv6 world, there is a good chance that your ISP will use the ICMP6 Neighbor Solicitation mechanism – and your gateway needs to play along. Other articles on this site go into painful details about this mechanism, so let’s sum it up as: in a very vaguely similar way to IPv4 ARPs, a device may receive an IPv6 Neighbor Solicitation for a specific global address and, if it knows how to reach it, respond with a Neighbor Advertisement. So for example, your ISP has given you the global prefix:

AAAA:AAAA:AAAA:AAAA:

and your home devices thus all end up with addresses using this prefix plus a variable suffix, of the form:

AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB

So the Windows workstation which has chosen the 128-bit global address AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB tries to connect to ipv6.google.com. Out goes the connection, and when the response comes back, the ISP’s router says to your gateway: “Neighbor Solicitation: Do you know how to reach AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB?”

And you want to say back “Neighbor Advertisement: Sure, AAAA:AAAA:AAAA:AAAA:BBBB:BBBB:BBBB:BBBB is known to me – send me his traffic.”

And to do this today you need to statically pre-configure that full address into the Linux system. And if it changes, you need to change it. And if a new one appears, you need to ad it. And so on. Oh, and to add insult to injury, you cannot even display a list of which ones you have already configured in the system!!

And thus I offer npd6 as a solution: it runs on the gateway, and requires little configuration. You tell it your prefix and which is the ISP’s interface. There are a few optional knobs and levers. Then it runs and automatically responds to any Neighbor Solicitation received from the ISP for a device with your prefix.

Status

The code today is working well. It is easy to build on any typical Linux system. Soon I will package it and offer .debs, RPMs etc. It is highly efficient and low-impact in terms of CPU an so on. Also, extensive debug options are built in, to assist if any problems occur.

To get it, please visit the GoogleCode hosting site at: http://code.google.com/p/npd6/ and specifically the code at: http://code.google.com/p/npd6/source/checkout (Subversion) or a tarball at https://code.google.com/p/npd6/downloads/list

If you want to try it out, please do download and build it. If you need help, please ask! Feel free to raise issues via: http://code.google.com/p/npd6/issues/list

Good luck!

npd6 – IPv6 neighbor proxy daemon – It lives!

sgroarke — Tue, 05 Jul 2011 21:14:02 +0000

As threatened in article IPv6 neighbor proxy daemon – npd6 and the associated design ramblings here, the npd6 project now lives and breathes.

EDIT: 22 July – The project has really taken shape. Version 0.3 is now useful enough to be considered a working beta version. Building is very simple – do please try it out and let me know of any issues, good or bad.

It’s absolutely early days, but, with plenty of limits and as-of-yet-unknown bugs, it does work…

I’m hosting it on Googlecode. It’s here. For a while yet I’ll not be making any binary or packaged versions available, or even autoconf/configure shenanigans – strictly source + Makefile.

If you want to give it a spin, do feel free. It’s going to change a LOT – we’re probably a month or so away from something I’d call “a usable, early beta“. Today it’s a “works for me pre-alpha“!

IPv6 neighbor proxy daemon – npd6

sgroarke — Wed, 08 Jun 2011 20:30:39 +0000

I admit defeat… You know how it is: you’re searching for a solution to a technical problem, and you KNOW that someone else has had the same problem. In fact thousands of people have had the same problem. And it was fixed years ago. If I can just find that solution…

And find it, eventually (Google, Bing et al – Thank You!) you do.

Except when you don’t. Back in this post I wrote about a specific, but key, problem in implementing an IPv6 firewall/router on a Linux box, when attached to a “normal” ISP.

What was the problem?

In a nutshell, it was as follows. My ISP gives me a full IPv6 service, with a staticically allocated (i.e. fixed) global IPv6 address. They give me a /64, so I in turn have a full /64 to play with in my private net. Enough to network every dust particle in the house. (And this is one dusty house).

As I found, not surprisingly the ISP does not let me advertise address space back to them regarding which devices in my private-but-globally-addressed network actually exist. Given that, I rather naively hoped that they would thus blindly forward anything that was addressed to my (global prefix + private part) network to me regardless, and treat my gateway device as, in effect, a sort of default route for my IPv6 prefix.

Could you give an example?

Sure. Say my ISP has given me the IPv6 prefix of 2a01:e35:8b25:7ea9:… A device inside my network then, by the magic of radvd, gets an address of, say: 2a01:e35:8b25:7ea9:1111:2222:3333:4444.

(If you need a primer on this stuff, read all about it here!)

Then assuming all the other myriad options are set up right, from that inside device I do a test ping6 of ipv6.google.com. And it fails.

As per my earlier article, it’s all down to my ISP, when they get traffic from the remote host (in fact in this case the ICMP6 echo reply from Google) destined for 2a01:e35:8b25:7ea9:1111:2222:3333:4444 rather than just “knowing” that such a global address must, by definition, be behind my connection, they go to the irritating lenghts of instead doing the whole Neighbor Solicitation dance with me.

And I find that unless I have performed the following command on my Linux gateway:

ip -6 neigh add proxy 2a01:e35:8b25:7ea9:1111:2222:3333:4444 dev eth0

the gateway device will not reply to the neighbor solicitation. And hence nothing works.

OK, does it matter much?

Heck yes.

Each inside device must be statically configured on the gateway.
It is currently not possible (I know this seems implausible…) from user-space to list or show what devices you have configured in this way.
The biggie: if you are dynamically allocating addresses in the network, you will not even KNOW what the end-point address is.

Item 3 is in large part a consequence of using radvd. But even if one used (at the cost of a lot more work) an IPv6 DHCP server, you still have to statically pre-configure the end devices addresses on it, and lose the ability to add devices on-the-fly.

So we have a real stumblin block. Sure, for test purposes I can dig out the IPv6 address which my end station has picked, and bang in the neighbor proxy command on the gateway. And it works fine.

But in terms of manageability and scalability it’s a freakin’ disaster.

Must be easy to fix, surely?

Well if it is, no one I’ve spoken to has any idea! It’s a great, glaring black-hole. IPv6 on Linux simply currently appears to have no support for automating the proxying of global/private addresses using the Neighbor Solicitation mechanism. I can only assume that it was never thought this would be a problem, and Neighbor Solicitation would only ever be used to directly connected devices.

The ability to force a neighbor proxy as shown here is pretty obviously an after-thought. The real give away is the inability to list current defined proxies…

So what we gonna do?

I intend to fix it!! I’m going to use the article linked to HERE as a working document to put together a rough and ready design for a user-space daemon to fix this. It’s going to be simple to use – that’s key.

The main elements I can think of as a start are as follows:

Run in user-space (I hope!)
Have a single, simple config file.
To have no prior knowledge of devices inside the networks.
Only prior knowledge, via static config, is the IPv6 prefix.
If a neighbor solicitation is received for our prefix, regardless of the suffix, we respond positively.

Easy? No idea! I’m a useful enough network programmer but not at all familiar with the Linux IPv6 stack from the code perspective. But the functionality is, conceptually, not complex.

The key gotchas I forsee are:

How we hook incoming neighbor solicitations. Period.
Then as per (1), but now with the “I want to run in user-space” goal.
What I do when someone points out (and they will…) that I’m going to violate several dozen RFCs by doing this.

Piece of cake. As per above link, the working design doc will be here. Very soon. All contributions welcome – and I really do mean that!

npd6 Design Document

sgroarke — Wed, 08 Jun 2011 20:29:25 +0000

So what must npd6 do in functional terms?

See Neighbor Solicitations.
EITHER respond to them directly
OR respond via the existing mechanisms.
Log activity.
Report status.

Receive Neighbor Solicitations

The daemon needs to receive incoming neighbor solcitations from a designated port(s). I currently have no idea if this is an easy hook to make from user-space or whether we need to hook much lower. Kernel module? iptables? Main area for investigation this one!

Act upon Neighbor Solicitations

OK, so we receive an NS. What do we do about it?

Validate

First off, we validate it to a small degree. Likely scenario here is that in a conf file we have defined out static IPv6 prefix (in my scenario this will be 64-bits) We check it matches that. Likely in the conf we also want options to either explicitly include only defined addresses (ranges?) as valid (i.e. define valid suffixes) and/or exclude certain addresses/ranges?

Action

Key decision to be made is in what manner we act to a valid NS. The obvious two approaches are to either respond directly ourselves or instead to use the existing kernel mechanism to, in effect, add the address via the “ip -6 neigh proxy add…” command.

Pros and cons? Currently I have no idea how easy it is to spoof out a response. If easy, do I want to bother, when there’s an existing kernel mechanism do do so? So using that existing mechnaism seems attractive. We then, however, face the issue of how to manage the proxied addresses via that mechanism. Have we already added it? Should we check? Or blindly (re)add it? If we are to be stateful about it, how do we handle a restart situation, since I currently do not know how to get the kernel to cough out the current state of proxied addresses…

Needs a little investigation.

Logging and info

Pretty much goes without saying that we want our daemon to log meaningful data. Also optional debug logging.

And if we’re going down the route of using the existing kernel neighbor proxy mechanism, then we would also want a feature to signal the daemon and have it spit out the current state of neighbor proxying.

9 June

So my first steps here will be to dig around the kernel code currently handling NS. Get the feel of what’s going on there and see how it looks. Will update back here with impressions.

Update 1:

Just started having a read of the radvd code. I note that it appears you can open a socket to hook ICMP6 messages, which is highly promising if true! Since NSs are ICMP6 it would make a really neat, easy, user-spacey way to integrate with them. Have to look more closely at the code. Also need to think about whether you could do this in parallel with radvd doing it too. Still, at least it’s a line of investigation to follow.

14 June

Just a brief update: I put together a skeleton npd6 prototype/framework with which to investigate. Did the dull part, setting up an environment for parameters, simple logging, debug, etc. Can now start really looking at the interesting bits.

16 June

So spent a lot of time looking at how netlink and IPv6 biff along together in Linux. Turns out the answer is: not so well! Reading the radvd code had given me false optimism, as it does use netlink to hook router advertisements. However the summary seems to be that netlink and IPv6 are only really fully developed for IPv6 ICMp routing messages, and hence doesn’t seem to let me extend things to e.g. neighbor solicitations as we need.

So out of that blind alley, and back to good ol’ raw sockets. I can now happily hook any and all IPv6 ICMP and read the message. I don’t actually DO anything useful with it yet, but that’s no big deal. That fact that I can reliably (?) receive IPv6 ICMP in my user-space daemon is fine so far.

Next? Extend the processing of those received messages: spot the ones I’m interested in and decode them into debug logs.

23 June

OK, this rocks! The radvd code is an excellent crash course in IPv6 ICMP packet handling. LEarned a lot about how best to play the cmsg, iovec, mshhdr chain-game. Gave myself a headache in the process, but it’s good stuff. So my prototype is almost doing something useful now: it receives all NS sent to the gateway, and can compare their target against the user-defined prefix. If the target and prefix match up to the full prefix length it moves on and replies. The logic is very simple at this early stage: we don’t filter out, white/blacklist, etc. If the target matches the prefix, we’re going to respond. At the moment the bulk of NSs I receive on this device are actually for the interface’s address itself, so the box anyway NAs them in return. So for now, we’ll send an extra (dupe) NA for these. Obviously that would not be the long-term behaviour, but for now no harm -ICMP is stateless, and a dupe response is no big deal. Also, as a fun extra, it lets me benchmark my code by measuring the delay between the kernel-generated NA reply and my daemon reply!!

The NA I send back is almost right. Few fields and bits I need to understand a bit more, but this daemon is almost ready for alpha!

Anyone fancy testing it soon….? (I’ve a colleague lined up to test on his home network, but would love to see it outside of the Free network.)

24 June

A very difficult issue pops up. Code so far can trap any unicast ICMP arriving at the gateway, and respond with a NA. Great! It works. Then remember that the NS coming in to us can be either directed unicast (what I’ve tested with so far) or, actually more likely, multicast. OK, no biggie. But then we see that the multicast is directed in terms of having the bottom 48 bits set to the target address contained within the solicitation. So…. from the socket level we need to pick up these “directed multicasts” (or solicited-node messages) And that’s where things get tricky. To pick up a multicast I need (from socket level) to first join the multicast group. BUT these NSs, remember, don’t come in on a fixed multicast group.. So you cannot join the multicast group. It’s chicken + egg. You only know what multicast group will be used AFTER you’ve joined the right multicast group… I cannot believe this. But that’s how it seems right now. And makes me fear if the existing IPv6 socket layer can let this problem be overcome…. Ow. This is ugly.

The solicited-node address facilitates efficient querying of network nodes during address resolution. IPv6 uses the Neighbor Solicitation message to perform address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment regardless of whether a node is running IPv4. For IPv6, instead of disturbing all IPv6 nodes on the local link by using the local-link scope all-nodes address, the solicited-node multicast address is used as the Neighbor Solicitation message destination.

The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24-bits of the IPv6 address that is being resolved.

The following steps show an example of how the solicited-node address is handled for the node with the link-local IPv6 address of FE80::2AA:FF:FE28:9C5A, and the corresponding solicited-node address is FF02::1:FF28:9C5A:

To resolve the FE80::2AA:FF:FE28:9C5A address to its link layer address, a node sends a Neighbor Solicitation message to the solicited-node address of FF02::1:FF28:9C5A.

The node using the address of FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address FF02::1:FF28:9C5A. For interfaces that correspond to a physical network adapter, it has registered the corresponding multicast address with the network adapter.

As shown in this example, by using the solicited-node multicast address, address resolution that commonly occurs on a link can occur without disturbing all network nodes. In fact, very few nodes are disturbed during address resolution. Because of the relationship between the network interface MAC address, the IPv6 interface ID, and the solicited-node address, in practice, the solicited-node address acts as a pseudo-unicast address for efficient address resolution.

tcpdump tip

Here’s a useful one, to tcpdump only NAs and NSs:

tcpdump -v -i eth0 ip6[40] == 135 or ip6[40] == 136

Ugly, ugly…

So turns out that, to the very best of my ability to discover, IPv6 sockets do not let me pick up any and all ICMP sent to the interface(s). If it’s to a multicast address, I must join the group beforehand. Which I cannot do. I have to say it’s a pretty glaring omission, IMHO. It’s “glaring” not maybe in the general case, but given IPv6 uses “unique multicast” addresses for Neighbor Solicitations, to not provide an IP-socket-level mechanism for receiving them is pretty crap.

So I assume I’m going to have to instead receive on a simple Packet level socket, and build a packet filter on it.

Packet filters

The more I look at it, the more it seems that until the IPv6 socket API expands, I’m going down this path. Easy enough to create a null filter. Done. 2 mins work. Now to get to grips with the BSD packet Filter VM language to actually write the filter. I know that, in general, BSD-PF semantics for IPv6 are problematic… However I should be OK here, as I am just interested in IPv6 ICMP – I think that should be a straightforward enough packet dissect.

Update: 1 July BSD PF VM syntax. Wow. Kinda funky, but now almost makes sense. Hope to have a working ICMP6 packet filter working soon!!

3 July

Yes. Can now reliably capture ALL ICMP neighbor solcitations on my gateway box. Now working on restoring the functionality lost by not having the socket feed us ICMP – since we now get a raw packets we must work a bit harder to find out who sent it, interface, etc. – the pktinfo mechanism is not available to us (well, the mechanism itself is, but the context make the information is supplies not useful) so we must do that manually. So lost of casting away of IPv6 headers and so forth!

Multicast…

During development, so far I’ve almost always had tcpdump running on my WAN interface while testing code. Today was not running it and noted, much to my confusion, that the daemon saw NO multicast neighbor solicitations.Makes sense: tcpdump sets the interface to promiscuous mode. So we see everything. Since many of the NSs are multicast, if we haven’t signed up to the multicast group (as per above ad nauseam, we can’t…) we don’t see them at the packet filter level.

For now (and maybe for ever!) the compromise is that the interface has the ALLMULTI flag set on it. Setting PROMISC permanently would be a touch too ugly, but I think nominally receiving all multicast is acceptable. In these days of switched point-to-point Ethernet, all of this gets fairly academic anyway, as being in effect now a non-shared medium in so many instances the “extra” traffic handled by setting PROMISC is low-to-zero. But anyway, the Linux interface option of ALLMULTI is just fine.

In fact when I found out about the ALLMULTI interface flag, I even wondered if it would let my original design of having an ICMP6 socket open would now work… But no – even in full PROMISC mode the OCMP6-level socket does not receive multicast unless the socket has explicitly joined the specific group first.

RFC time

OK, so we can now kick out a Neighbor Advertisement in response to a Neighbor Solicitation received on the multicast group address. Cool.

Now to pay attention to the nature of it. As per the RFC 2461:

A node sends a Neighbor Advertisement in response to a valid Neighbor
   Solicitation targeting one of the node's assigned addresses.  The
   Target Address of the advertisement is copied from the Target Address
   of the solicitation.  If the solicitation's IP Destination Address is
   not a multicast address, the Target Link-Layer Address option MAY be
   omitted; the neighboring node's cached value must already be current
   in order for the solicitation to have been received.  If the
   solicitation's IP Destination Address is a multicast address, the
   Target Link-Layer option MUST be included in the advertisement.
   Furthermore, if the node is a router, it MUST set the Router flag to
   one; otherwise it MUST set the flag to zero.

Soooooooooo, given all of that, the simplest logic will be to set Destination Link-Layer option for all our NAs.

11 August 2011

Haven’t updated this for a while – as the project has really taken off and is now living in its own right!!! Mt post at http://www.ipsidixit.net/2011/08/04/npd6/ indicates where it’s at and how to obtain it.

Content filtering in a home network

sgroarke — Mon, 07 Feb 2011 11:04:23 +0000

With two young children starting to make increasing use of the Internet, my attention has turned in recent times to the thorny subject of Content Filtering. This posting is actually going to look at a technical approach I settled upon, however one cannot help mentioning, at least in passing, some of the wider issues involved.

As a parent I do not believe in raising children in some sort of bubble, totally devoid of anything that could possibly “harm” them. That applies to the Internet too – my hope is to raise children who are able to understand and deal with things, rather than require protection from them. To that end, Internet access for my children involves their parents first and foremost! They use a laptop, after asking permission, in the kitchen, in view of everyone else. I’m interested in what they are doing on it (genuinely so, not as some excuse to snoop!) and they want me to help and guide them. Email? Sure, make full use of it. But all emails sent to your address also get forwarded to me too guys… Why? So I can see what you’re receiving! Very open. Very honest. Nothing underhand. Those are the rules in this house.

And that approach actually covers probably 90% of what is required. However there’s still a small part that needs attention. As most adults know, there’s some weird stuff in some corners of the Internet. Really weird. Disturbingly weird. Stuff which I do not want my young children to see, even if accidentally. Being a very liberal sort, and totally anti-censorship with regard to what consenting adults view, I do not support any move to remove such stuff from the Internet. Weird, sick, depraved, whatever… Some of it may not be at all nice, but it’s there and it can be found. I just don’t want young children to accidentally find it. So what is a network engineer father to do…?

Content filtering – 4 approaches

Broadly speaking there are four way of approaching content filtering in the home environment:

Workstation filtering
Network filtering
ISP filtering
DNS blocking

The first three are all variations on the same theme. They vary in terms of the “Where do you do it?”

Workstation

There are many software packages out there which will filter content locally on the PC being used to browse the web. In a similar manner to that used by the more familiar virus detection software, one can purchase and run content filtering software which aims to identify and block various categories of content. The difficulty faced with this approach is that it’s not at all easy to identify what to block! Just to take the most obvious candidate category for blocking: pornography. The software can, and will, have lists of the names of the popular, known web-sites with porn. And with some enormous proportion of the Internet being porn, that will already be a long long list! Then we have the challenge of the fact that every day goodness knows how many hundreds of new porn sites will appear, and old ones disappear. The list of sites cannot be fully up to date. So the software will also need to include elements of heuristic detection: identifying porn indirectly and blocking it. So we’re now into looking and scanning all the traffic to and fro for words or patterns which might identify it as porn. And so on. It’s a computationally intensive exercise, and requires frequent updating with new lists of patterns, URLs, IP addresses and so on.

The task is very similar to virus detection, with the frequent updates required, slowing down of communication to an extent, higher CPU usage, and so on.

The software out there is worth consideration for some – I’m not saying it’s a bad approach. But it has unavoidable limitations. Two obvious ones which apply to me are:

Locked to a particular PC – If I install the software on one PC, then I cannot let the kids use another PC as it will be unprotected, unless I pay for and install the software there too.
Linux. A big issue for me is that we only have a single Windows PC in the house (hooray!) All the others (too many… way too many…) including that used by the children, run Linux. And such packages are few and far between for Linux…

Home network

An approach I used for a while, with success, was to filter on the gateway device on my network. A quick summary here: at home my Internet connection terminates on a gateway firewall/router system. This system performs all manner of network-related functions. The key one is to run my Linux-based firewall. A host of other jobs get handled by this box too: VPN termination, media serving, DHCP, IPv6 routing, the list is long. Given that all of our Internet traffic traverses this system it is ideally suited to perform a filtering function.

To that end, for a while I ran Dans Guardian on my firewall. This is a sophisticated bit of software, and not entirely trivial to set up and get working. Apart from quite a lot of configuration itself, it also requires a web-proxy to be running on the firewall. I ran squid to fulfil that requirement. And then there’s the requirement to “hook” users into it. That involves either configuring the workstation to use a designated web proxy (and possible authentication required there – depends upon what exactly you want to achieve) or using IPTables on the firewall to intercept traffic from a given workstation and force it via the proxy. Various approaches, all quite interesting, but only if you find networks interesting… Many would find it simply “complicated”.

Once up and running, however, there are then further challenges to be faced. Firstly there’s the question of overhead. That is, how much load does it place on the gateway device, and hence how much delay or slowness does it introduce to the web browsing. My kids may not need the snappiest, lightening fast response times possible, but nor do they want to wait tens of seconds to see a page, or have some You Tube video constantly stop and start. Let me be clear here (and make sure I’m fair to Dans Guardian): if the device running it is powerful (in terms of CPU, memory, disk and so on) then it’s great. Really good. Trouble is, however, that a lot of boxes used as gateway routers/firewalls are not, by their nature, so highly specified. And that applied to me. My installation was, frankly, not fast enough. Much of the time it would work OK-ish, but often there would be very long delays indeed.

If you have a powerful box you can dedicate to such filtering, then do go ahead and consider it.

On other issue I also had to tackle was that of updates: as described for the Workstation solution, filtering software, wherever it is located, needs to be kept up to date. Dans Guardian does not come with an update mechanism, nor source of updates. There are sources of such updates out there if you search, but again, it’s an extra piece of work to do this and get it all set up correctly, auto updating silently every day. As before, not a criticism of the software that has been made freely available – but something that does need to be taken in to account.

ISP

Many ISPs offer a filtering service to their customers. This is of course attractive, as it entirely removes the need to perform the filtering and blocking locally to the home network. The work is offloaded to the ISP. While there may be a charge associated with this, it may be worth considering. The main, and maybe for many significant, disadvantage to it is the all-or-nothing approach. If you have many PCs (and hence different users) within the home network, you may only want to block certain stuff from certain PCs. I may not want my kids viewing DominatrixFrenchMaids.com, but (purely for research purposes, of course) their father may need to. (God knows, such a site probably exists, but I dare not look…) More realistically, there are other sites which are more genuinely OK for adults, but not for young children. If one has an interest in 20th Century history, a sad reflection on humankind is that there are some horrible things which can be seen… For older children and adults, that’s fine and indeed educational. But not below a certain age. I’d like to maintain the illusion of a nice world for at least a little while longer.

So ISP filtering is attractive in terms of removing the work from the home. But it does come, in general, with a certain amount of inflexibility.

DNS blocking

This last technique is somewhat different from the others. Most people have at least some awareness that the names we use on the Internet (www.ipsidixit.net) actually map on to so-called IP addresses. For example www.ipsidixit.net is mapped via a DNS (Domain Name Service) to the IP address 217.70.191.54 (And to IPv6 2001:4b98:dc0:41:216:3eff:feaa:964a – I’m soooo hip and trendy…)

Yet no one in their right mind (nor even a network engineer) bothers with the numerical version. You just bang in the name and have your computer us DNS to resolve it to an IP address.

Most PCs will use one or more DNS devices specified and operated by their ISP. Used “normally, for example, my ISP (free.fr) provides two DNS systems for workstations to use.

However one does not need to use their suggestions. One can, in general, use other DNSs operated by third-parties.

The point is, then, that if one used a DNS service which had a constantly updated blacklist of sites which are “undesirable”, one could block access to them by simply declining to resolve them to their correct address. This then offers the benefits of ISP Blocking in so far as the load of shifted outside of the home network, but with the added flexibility that only workstations that require protection need use the “filtering” DNS. Other workstations can use the normal DNS.

I found that OpenDNS provide such a service, and have stated to make use of it. It’s free (they have some paid options too – but the free one seems fine for me) I have no association with OpenDNS, and am only “promoting” them as what they offer seems neat and useful. If others have knowledge of other similar services, please do post them in a comment – I’m not trying to make this exclusive to OpenDNS! In fact I’d like to compare OpenDNS to some others.

The service they offer is to provide DNS addresses which can have a selectable level of filtering applied. The spectrum is covered, from porn, violence, drug use, etc. through to shopping sites, social networking sites, etc. You get to choose which categories to block and which to allow.

And it does seem to work really rather well indeed. Below I am going to detail how I set it up within my network, integrating it within the DNS caching system already used.

The main weakness of the system is that with some knowledge and effort it can be circumvented (as, of course, can most systems) One could take the trouble to manually find the Name <–> IP mapping for a domain and enter that directly into a browser, thereby bypassing the DNS. However such a bypass would be very cumbersome to use, since even if you use an IP to land on a page, probably any link off that page will in turn require DNS, and would then need to be manually decoded, etc. Workable, but hard work. By the time my kids are knowledgeable enough to work all that out, they will probably be old enough to look after themselves!

Integrating OpenDNS into a Linux firewall, already running DNSMasq

My home network has DNSMasq running on a central gateway/server/firewall box. DNSMasq is responsible for DHCP (i.e. allocating IP addresses on my home network) and also DNS caching. To that end, it announces, via DHCP, that it is the DHCP server to be used by devices. Then it, in turn, resolves addresses via the ISP-supplied DNSs. It caches then DNS lookups locally.

In the DHCP configuration it has a pool of addresses available for any device to use, but most of the devices on the network have pre-allocated addressees reserved for them within the DNSMasq configuration. These are allocated based upon the Ethernet MAC address of a device. This is a very common technique to use with DHCP.

Given that, where now a device will be handed an IP address and the address of a DNS server to use (where that DNS server will actually be the same as the DNSMasq device itself) we want to change the config so that for certain devices (the childrens’ PC) when an IP address is handed out it will instead be given with the DNS addresses of the OpenDNS filtering systems. Then all DNS requests from that PC will no longer be locally forwarded to the gateway device, but will instead be routed out externally to OpenDNS, where they can be answered or blocked as appropriate.

The DNSMasq config to achieve this is slightly fiddly, so I am providing it here more or less in its entirety (a few names omitted and some light obfuscation of MACs etc.), but only highlighting the parts that particularly pertain to the OpenDNS filtering setup.

# Configuration file for dnsmasq.
domain-needed
resolv-file=/etc/resolv.conf
no-resolv
no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
server=/localnet/192.168.0.22

This part is not related to OpenDNS in any way: I don't use my ISP's DNS for normal use - I instead use Google's Public DNS.
# Google Public DNS servers
server=8.8.8.8
server=8.8.4.4

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/localnet/

interface=eth1
expand-hosts
domain=localnet

# For general purpose use, use this range.
dhcp-range=192.168.0.128,192.168.0.160,12h

This is for OpenDNS. We use the dhcp-mac config to tag these special devices for filtering:
# MAC list for openDNS filtering
dhcp-mac=opendns,00:c0:9f:12:34:56	# Laptop on-board
dhcp-mac=opendns,00:90:4b:12:34:56	# Laptop wifi

Here we're back for normal dhcp-host preallocation for known unfiltered devices:
# Most ip addresses are pre-allocated here
dhcp-host=00:50:ba:12:34:56,aname,192.168.0.2,720m
dhcp-host=00:18:8B:12:34:56,anothername,192.168.0.3,5m
dhcp-host=00:90:4b:12:34:56,laptop_wifi,192.168.0.4,720m
dhcp-host=00:26:37:12:34:56,galaxy,192.168.0.5,60m
dhcp-host=00:18:41:12:34:56,magic,192.168.0.6,60m
dhcp-host=00:26:82:12:34:56,eva9150,192.168.0.7,720m
dhcp-host=00:c0:9f:12:34:56,laptop_eth,192.168.0.8,720m
dhcp-host=00:14:29:12:34:56,camera,192.168.0.10,120m
dhcp-host=00:21:5A:12:34:56,printer,192.168.0.11,720m
dhcp-host=00:40:63:12:34:56,aservername,192.168.0.22,infinitem

The devices tagged "opendns" above here get special DHCP options pointing them to the OpenDNS filtering-servers.
# OpenDNS content filtering servers
# Specify the two OpenDNS first, then ourselves third for local stuff
dhcp-option=opendns,6,208.67.222.222,208.67.220.220,192.168.0.22

Note also the "192.169.0.22" on the end - this is optional, if you still want the filtered devices to be able to resolve local names.

dhcp-authoritative
cache-size=150
clear-on-reload

Anyone who has an existing DNSMasq configuration should find the above more than enough to change it to point arbitrary devices at the OpenDNS systems.

Summary

Nothing, but nothing, replaces a conscientious adult supervising, guiding and helping get to grips with the Internet. However even with that it’s still all too easy for some stuff to pop up which is better left hidden! This article highlight some of the general technical approaches one can take, and in particular that of DNS filtering with a service such as OpenDNS, optionally using a Linux device to semi-automatically allocate filtering to some device but not others.

OpenVPN over IPv6

sgroarke — Mon, 21 Jun 2010 12:38:09 +0000

Previous articles have detailed various aspects of getting IPv6 running on a home-gateway router. The aim is to migrate as much as possible towards an IPv6-only situation.

Here I cover the steps required to implement a simple point-to-point OpenVPN (SSL) VPN tunnel using PSK over IPv6 infrastructure.

One key element for me is to migrate my VPN connection to a remote host I own off IPv4 and entirely onto IPv6. This was not entirely straightforward! In fact it took hours and hours of research and experimentation to get this working. The eventual config required is not so mind-boggling. But getting there was tricky. As I’ve found out so many times before with regard to IPv6, the building bricks are lying around, but there are very few sources of information to help you stack them up. Once the steps are laid out, as you’ll see below, it’s actually pretty easy.

Migrating from what to OpenVPN IPv6?

We’re going to migrate an IPv4 OpenVPN point-to-point PSK VPN tunnel on Linux to an equivalent on native IPv6 infrastructure. We’re not trying to have an IPv4 tunnel over IPv6, nor an IPv6 tunnel over IPv4 (both of which are possible and useful in different situations). Here I aim to have an IPv6 OpenVPN SSL tunnel over pure IPv6 infrastructure.

My current VPN set up is:

Home gateway running Ubuntu 10.04 (Lucid)
Remote host running the same
Fixed public IPv4 and IPv6 (global) addresses on each.
OpenVPN point-to-point tunnel between them.
Simple PSK authentication.
Shorewall config as appropriate to OpenVPN.

To put some detail on it, there is a standard build of OpenVPN installed, with a config file such as /etc/openvpn/otherhost.conf:


remote 
dev tun
ifconfig 192.168.2.22 192.168.2.1
secret topsecret.psk
comp-lzo
keepalive 60 180
ping-timer-rem
persist-tun
persist-key
user nobody
group nogroup
daemon

At the other host we’ve a similar config, without the “remote

” part, and with the VPN addresses specified by the ifconfig flipped around.

This all works a treat. It’s about as plain an OpenVPN config as you could really get – a simple point to point tunnel using private IPv4 addressing.

OpenVPN and IPv6

This is really where things go all over the place. My starting point was over at the OpenVPN site, looking for details on IPv6. I found that:

Is IPv6 support planned/in the works?

Currently, there’s limited support for IPv6.

Point-to-point IPv6 tunnels are supported on OSes which have IPv6 TUN driver support (this includes Linux and the BSDs). IPv6 over TAP is always supported as is any other protocol which can run over Ethernet.

When OpenVPN 2.0 is run in server mode, IPv6 is currently only supported in TAP mode, not TUN mode (Server mode IPv6 TUN support will likely be added post-2.0).

The VPN carrier connection must currently use IPv4 endpoints, however there’s a patch which can be found in the openvpn-devel archives which adds IPv6 support. This patch will probably be merged into the mainline post-2.0.

So just what do we conclude from that? It says that point-to-point works with the TUN driver. But I couldn’t find any useful information about how to set it up.

Researching further, I find that the version of OpenVPN we’re using with Ubuntu (which is the latest) has very limited IPv6 support indeed. Indeed somewhat less than the OpenVPN web-site led me to believe! Now it may well be that the problem is my inability to understand the nuances of what the OpenVPN folks are saying. But I sure couldn’t get it working with the installed, standard version.

So I then find a lot more information here, which strongly suggests that I need to use a special IPv6 payload patch to achieve what I want to achieve. Specifically it says:

in point-to-point TUN mode, OpenVPN can transport IPv6 packets with the –tun-ipv6 option. No support for configuring the IPv6 endpoints and routes from within OpenVPN either, you need to run external “up” scripts.

That implies that I could use the unpatched OpenVPN and then manual scripts. As we’ll see below, in fact I had to use the patched version and external scripts! Again, likely due to a lack of knowledge on my part. But as a network engineer, I figure if I can’t work it all out then others will be in the same predicament.

VPN addressing

With IPv6, as discussed previously, the whole notion of private and public is done away with. Or at least, the meaning is seriously changed. Since we no longer have NAT in IPv6 (due to the address space being so very large) we do not have private address ranges for use inside a NATted network. So when choosing IPv6 addresses to use on our VPN it would seem that we can use any values. Well, yes and no. Back in IPv4 we could also have used any values too, while running the risk of accidentally using addresses which do really exist in the public Internet. So it is with IPv6, where we might collide with real addresses. It’s unlikely in these early days of IPv6, but we want to avoid it.

Another point to note, as with IPv4, is security. If VPN traffic inadvertently ”leaks” out of a public interface (and this is easier to achieve than you might think, particularly when you are setting things up!) then it would be good to use addresses which any compliant adjacent router will simply drop as unroutable, rather than propagate them in to the wider world. Indeed this desire to avoid “leaks” is also a reason to not simply use a chunk of IPv6 addresses out of your allocated pool. It’s not as if they are scarce – but mixing VPN addresses and public addresses so intimately is just asking for trouble. In a perfect world, then fine. But I do not live in that world. So an arbitrary addressing barrier betwen my VPN and the Internet is no bad thing.

So for this IPv6 VPN, we shall use so-called Unique Local Addresses, (Over here I touched upon Link Local addresses which are, as the name suggests, valid only within a single network.) as per RFC 4193. The history of all this is damn messy, but the bottom line is you should choose addresses in the range fd00::/8. So I will, merrily ignoring all the rest of RFC 4193, with its try-and-make-it-random stuff, use the following:

fd22::22 – the gateway device
fd22::1 – the remote host

What does good look like

What’s our definition of a working IPv6 VPN? How will I know when “it’s working”? My criteria include:

if I do an ifconfig I see a discrete VPN interface.
I can ping6 from one host to another.
during a ping6 I can tcpdump the tunnel interface and see clear traffic.
during a ping6 I can tcpdump the real WAN interface and see encrypted traffic.

Install a patched OpenVPN

As mentioned in the introduction, I ended up using a patched OpenVPN. I still believe that, based upon what the OpenVPN website says that this should not be required! But I ended up doing it. If you trust the use of a pre-built binary (I did) then it’s actually pretty easy to install. Bearing in mind that the system being used are running Ubuntu Lucid, follow these steps and you should be good to go:

Go to this page and have a bit of a read.
Towards the bottom, you should find a link that takes you to this page.
At the time of writing, this page only has builds for Intrepid and Karmic. And we’re Lucid. But fear not, and assume Karmic is correct…
As per the instructions, add the repository and signing key as per karmic.
Then perform the usual apt-get update followed either by a apt-get install openvpn or just a apt-get upgrade if openvpn was already installed.

And you should be all set with the required version.

Ancillary config

I’m just going to cover the IPv6-specific OpenVPN config file. I’m not going to go in to every last detail required “around the edges”. Just a few reminders:

You will point to your new IPv6 OpenVPN config from /etc/default/openvpn
You need to add the required config, just as for IPv4, to your shorewall6 config.

Core config

Here we get to the details. The configs used will actually be very similar to the IPv4 versions, with obvious changes for IPv6.

I’ll say again: I simply do not understand why the config has to be this way. Based upon the documents and info above, I should be able to put this all neatly within the OpenVPN config. But I could not, and hence the configs below reference simple ‘helper’ script to bring the tunnel up correctly.
Here is the config for the home gateway device:

local local6address_as_per_hosts_file remote remote6address_as_per_hosts_file

# Local and remote unique-local addresses ifconfig-ipv6 fd22::22 fd22::1 # Allow external script to be run script-security 2 # Script to do the rest of the work... up /etc/openvpn/helper.up

proto udp6 dev tun tun-ipv6 secret topsecret.psk comp-lzo keepalive 60 180 ping-timer-rem persist-tun persist-key user root group root daemon

And here is the referenced helper script helper.up:

#!/bin/bash ip -6 link set tun0 up ip -6 addr add fd22::22 dev tun0 ip -6 route add fd22::1 dev tun0

(And remember to make the script executable)

And here’s one for the remote server:

# Local and remote addresses ifconfig-ipv6 fd22::1 fd22::22

# Allow external script to be run script-security 2 # Script to do the rest of the work... up /etc/openvpn/helper.up proto udp6 dev tun tun-ipv6 secret supersecret.psk comp-lzo keepalive 60 180 ping-timer-rem persist-tun persist-key user nobody group nogroup daemon

And the helper.up for that one is:

#!/bin/bash ip -6 link set tun0 up ip -6 addr add fd22::1 dev tun0 ip -6 route add fd22::22 dev tun0

Again, make sure it’s executable.

Note that each makes use of names, where posible, rather than IPv6 addresses, which have been added to /etc/hosts to make everything easier to read and less prone to typos!

Static addressing

Yes, the addressing scheme is kinda static, I know. I wanted to keep this as simple as possible (which already isn’t so very simple…) and have everything point-to-point, with all routing being host-specific routing, rather than ranges. The obvious way to slightly adapt this is to allocate two IPv6 subnets within the unique-local adresses being used, and then of course adapt the helper scripts to add the route for the subnets rather than the specific hosts. I’m sure anyone who has got this far can make that change.

Success!

That’s about all that’s required. With the above config in place and the firewall set up correctly an ifconfig on the home router returns:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

inet6 addr: fd22::22/128 Scope:Global

UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

RX packets:44 errors:0 dropped:0 overruns:0 frame:0

TX packets:44 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:4576 (4.5 KB)  TX bytes:4576 (4.5 KB)

and the routing table shows two new entries:


fd22::1 dev tun0  metric 1024  mtu 1500 advmss 1440 hoplimit 0
fd22::22 dev tun0  proto kernel  metric 256  mtu 1500 advmss 1440 hoplimit 0

And if I ping6 the other VPN address I get a response! Checking with tcpdump directly on the virtual tun0 interface I see meaningful ping-like traffic. While a similar scoping of the bearer interface, eth0, shows me the expected random-looking traffic (i.e. my highly sophisticated test for “Yes, it’s encrypted”!)

IPv6 and DNS

sgroarke — Fri, 02 Apr 2010 08:33:37 +0000

IPv6 DNS – It works for me….. but it shouldn’t.

When in my IPv6 environment I perform a test ping to, say, Google, it seems to work great:

ping6 ipv6.google.com

PING ipv6.google.com(2a00:1450:8006::6a) 56 data bytes

64 bytes from 2a00:1450:8006::6a: icmp_seq=1 ttl=55 time=49.3 ms

64 bytes from 2a00:1450:8006::6a: icmp_seq=2 ttl=55 time=44.6 ms

Which is lovely. But I then ask myself how the ping6 command actually gets to know that name ipv6.google.com lives at IPv6 global address 2a00:1450:8006::6a. How is the domain name being resolved? And I find that I actually don’t know. I’m perfectly familiar with IPv4 DNS. So what’s going on here?

I’m cheating

I discover, upon investigation, that in fact I’m “cheating”. By that I mean that my attempt to set up a “pure” IPv6 environment (albeit in parallel with IPv4) that does not rely upon or touch IPv4 in any way has not been achieved – It turns out that my DNS is currently entirely dependent upon the existing IPv4 infrastructure! And before going ahead and trying to rectify that, it’s actually rather educational to understand how it is actually working at all.

So I run tcpdump on the IPv6 interface and take a look at what’s going on when I kick off the ping6:

13:28:36.671682 IP (tos 0×0, ttl 64, id 45341, offset 0, flags [DF], proto UDP (17), length 61)

11.11.11.11.48231 > 212.XXX.XXX.XXX: [udp sum ok] 8831+ AAAA? ipv6.google.com. (33)

13:28:36.765503 IP (tos 0×0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 250)

212.XXX.XXX.XXX > 11.11.11.11.48231: 8831 q: AAAA? ipv6.google.com. 7/0/0 ipv6.google.com. [1h49m54s] CNAME[|domain]

13:28:36.767123 IP (tos 0×0, ttl 64, id 45365, offset 0, flags [DF], proto UDP (17), length 118)

11.11.11.11.56346 > 212.XXX.XXX.XXX: 37833+[|domain]

13:28:37.042646 IP (tos 0×0, ttl 60, id 0, offset 0, flags [DF], proto UDP (17), length 178)

212.XXX.XXX.XXX > 11.11.11.11.56346: 37833 NXDomain q:[|domain]

So what’s all that about then?

We appear to have a perfectly standard IPv4 exchange taking place, but with a few odd bits mixed in! Taking it a step at a time…..

A DNS query (UDP – port 53 – IPv4 – standard stuff) goes out for ipv6.google.com. The odd looking bit is the DNS query type: “AAAA”. What’s that? That actually signifies that this is an IPv6 query. Special.
And sure enough we get a response from the IPv4 DNS. It does not decode it here, but in the CNAME response data is the full IPv6 address required.
In fact it returns, as DNS queries often do, more than one address. It returns a selection of 6 of them, of which one gets selected for use.
And we then get a rather odd repeating pattern of subsequent PTR resolution attempts, which is a bit confusing. We’ll ignore that bit for now.

So: in fact our IPv6 DNS is running (with great success!) but…………. over an entirely IPv4 infrastructure.

It’s fabulous that it all works so easily and seamlessly. However, for the purposes of my voyage in to IPv6, I’d actually rather not use the IPv4 side of things at all. What if IPv4 wasn’t available to me? So what to do?

Pure IPv6 Name Resolution – IPv6 DNS

So we want to shift the DNS function off IPv4 and to make use of the IPv6 infrastructure. Where to being? Well, since setting up all the IPv6 I had noticed some new bit ‘n bobs appearing in my logs, as you do with new things. And I’d mostly ignored them for now. Again, as you do. But this one was appearing rather regularly, and now seemed rather interesting…

Mar 30 09:45:30 xxxxx radvd[2351]: RDNSS address 2a01:e00::1 received on eth0 from fe80::207:cbff:fea5:XXX is not advertised by us

What’s that all about? Looking at the elements:

eth0 is my external (Internet-facing) interface
the fe80: address is the IPv6 link address of my adjacent router (i.e. the ISP’s IPv6 router)
2a01:e00::1 is a normalish looking IPv6 global address. And sometimes I see the same log with 2a01:e00::2 in it instead.
The RDNSS rather gives it away! “DNS.” Is this to do with DNS perhaps…?
“…is not advertised by us” – What’s that all about?

Grabbing the incoming packet that seems to generate these logs I see more when fully decoded. The packet concerned is an expected Router Advertisement (RA) but it has some options on it:

Prefix Information: this we expect. It tells me the 64-bit prefix that is “mine” to use for global IPv6 addresses.
Recursive DNS Server: woah! That acronymises as RDNSS. And it hands me two “Recursive DNS Servers”: 2a01:e00::1 and ::2. So that’s where they come from.
MTU: an MTU of 1480 is specified in there too. I see that in fact my interface MTU is 1500. Should I worry? perhaps yes. But I’ll leave that for now and come back to it.
Source link-layer address: we can ignore that.

Manual test of IPv6 DNS

Before jumping in to new software subsystems, let’s try a manual test and see what happens. Just as one can use nslookup on the command line to check name resolution for IPv4, so one can use it for IPv6 too. Specify the name to be resolved and the server to us (or else we will default as per /etc/resolv.conf) and see what happens, checking with tcpdump:

 nslookup ipv6.google.com 2a01:e00::1

And I see the following packet sequence result:

10:23:43.522926 IP6 (hlim 64, next-header UDP (17) payload length: 41) 2a01:XXX:8b25:7ea0:240:63ff:fef5:f93c.52838 > dns2.proxad.net.domain: [udp sum ok] 9362+ A? ipv6.google.com. (33)

10:23:43.577684 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:cbff:fea5:XXX > ff02::1:fff5:XXX: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:XXX:8b25:7ea0:240:63ff:fef5:f93c

source link-address option (1), length 8 (1): 00:07:cb:a5:1a:68

0×0000: 0007 cba5 1a68

10:23:43.577937 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) 2a01:XXX:8b25:7ea0:240:63ff:fef5:f93c > fe80::207:cbff:fea5:XXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2a01:XXX:8b25:7ea0:240:63ff:fef5:f93c, Flags [router, solicited, override]

destination link-address option (2), length 8 (1): 00:40:63:f5:f9:3c

0×0000: 0040 63f5 f93c

10:23:43.578294 IP6 (hlim 60, next-header UDP (17) payload length: 112) dns2.proxad.net.domain > 2a01:XXX:8b25:7ea0:240:63ff:fef5:f93c.52838: [udp sum ok] 9362 q: A? ipv6.google.com. 1/1/0 ipv6.google.com. [2h44m2s] CNAME ipv6.l.google.com. ns: l.google.com. [10m] SOA ns4.google.com. dns-admin.google.com. 1411041 900 900 1800 60 (104)

Key here are the first and fourth packets: DNS request out, and DNS response back. All in IPv6. No IPv4 there at all. That’s good. We can see our IPv6 DNS server and, in principle, they work.

A secret – ndisc6

Time to let you in on a little secret to make life much easier… While tcpdumps and so on are instructive up to a point, and force one to think a little about what is being seen, they are also pretty tedious. A lot of what we need to achieve here can be done using much more accessible tools! Do yourself a big favour and install the ndisc6 package on your linux system. The creator’s web page gives you a little more information, but just as an example, look at this command + output:

rdisc6 eth0

Soliciting ff02::2 (ff02::2) on eth0…

Hop limit : 64 ( 0×40)

Stateful address conf. : No

Stateful other conf. : No

Router preference : medium

Router lifetime : 1800 (0×00000708) seconds

Reachable time : unspecified (0×00000000)

Retransmit time : unspecified (0×00000000)

Source link-layer address: 00:40:63:F5:F9:3C

from fe80::240:63ff:fef5:f93c

Hop limit : 64 ( 0×40)

Stateful address conf. : No

Stateful other conf. : No

Router preference : medium

Router lifetime : 1800 (0×00000708) seconds

Reachable time : unspecified (0×00000000)

Retransmit time : unspecified (0×00000000)

Prefix : 2a01:XXX:8b25:7ea0::/64

Valid time : 86400 (0×00015180) seconds

Pref. time : 86400 (0×00015180) seconds

Recursive DNS server : 2a01:e00::2

Recursive DNS server : 2a01:e00::1

DNS servers lifetime : 600 (0×00000258) seconds

MTU : 1480 bytes (valid)

Source link-layer address: 00:07:CB:A5:1A:68

from fe80::207:cbff:fea5:1a68

Wow. Look at all that! Useful.

Now to move on to integrating this into the system so all IPv6 names get resolved this was.

rdnssd – Recursive DNS Server daemon

I think I should start out with a warning here: this next step is the entirely logical and sensible thing to do. But in fact read through to the end: it’s not going to work – the Linux IPv6 userspace tools are simply not quite here they should be yet… But it’s instructive to look at this, if only for the learning it provides.

Let’s set up the required sub-system to handle IPv6 DNS requests from this system and the users who will later traverse it. The first step is simply to install the required package:

apt-get install rdnssd

This package may have other dependencies, which should get automatically fulfilled, e.g. resolvconf)

Just what is rdnssd? The best summary of it I can see is the first paragraph of the associated man page:

rdnssd is a daemon program providing client-side support for DNS configuration using the Recursive

DNS Server (RDNSS) option, as described in RFC 5006. Its purpose is to supply IPv6 DNS resolvers

through stateless autoconfiguration, carried by Router Advertisements.

That pretty much sums it up. It’s just what we need here!

The second paragraph is also quite illuminating:

rdnssd parses RDNSS options and keeps track of resolvers to write nameservers entries to a

resolv.conf(5) configuration file. By default, it writes its own separate file, and may call an

external hook to merge it with the main /etc/resolv.conf. This is aimed at easing coexistence with

concurrent daemons, especially IPv4 ones, updating /etc/resolv.conf too.

So, we’ve installed it. What’s it doing? Straight after installing the package a ps -ef shows me that the process is running. I rerun my ping6 and nslookup (without specifying th IPv6 DNS this time) and tcpdump shows me no change: the DNS is still taking place over IPv4.

As mentioned at the start of thus sub-section, we have a problem here. A big, fat problem. We want this daemon to pick up our DNS server from the RA and use them. Which is fine. But check out the last para of the rdnssd man page:

When rdnssd uses a raw socket instead of the netlink kernel interface, it does not validate received

Neighbor Discovery traffic in any way. For example, it will always consider Router Advertisement

packets, whereas it should not if the host is configured as a router. When the netlink interface is

used, such validation is done by the kernel.

What that boils down to is that if we’re running as a router (and we are, since in /etc/sysctl.conf we have net.ipv6.conf.all.forwarding=1) the kernel will simply not pass the RA up to user-space at all. So rdnssd never gets the chance to see it, and thus never acts upon it. Which is a bummer.

Just to experiment, you can dynamically drop down to /proc/sys/net/ipv6/conf/all/forwarding and set it to ’0′. (radvd will bitch and moan, but ignore that.) Force a RA refresh if required, using rdisc eth0, and you will see rdnssd do its stuff and change the /etc/resolv.conf to point at the IPv6 servers. But we can’t leave it that way, alas. We’ve hit a bit of a blocker here – picking up the IPv6 DNS servers automatically from the ISP seems to not be achievable at the moment using rdnssd – the kernel’s policies for what is allowed and when prevent it.

So what do we do?

We now understand what we’re trying to do. We also understand how it should be doable. But currently there’s a blocker. What to do?

As always in such matters, there’s an easy, pragmatic way forward and a tricky, hacky way forward! The sensible path to take is very simple indeed. We know the IPv6 addresses of our DNS servers (and if we forget we can just do a rdisc eth0 to find them out again) The obvious thing to do it to statically configure them in to the existing /etc/resolv.conf and then, when we later use IPv6 from a device on the internal network, configure them there too.

That’s what I would recommend. That’s what you should do. You can specify a mixture of IPv6 and IPv4 name-server in the /etc/resolv.conf file. If you specify the IPv6 servers first, then all DNS on the system will (if available) use the IPv6 name servers. I suppose this does slightly violate still our desire to keep IPv4 and IPv6 separate (since IPv4 name resolution will now also use IPv6) but since it tilts the bias in favour if IPv6, with a seamless fallback to IPv4, I think I can live with that.

OK – but what about more wacky solutions?

[Remember, stop here unless you're wanting to have some fun and you are comfortable with building your own software.]

One approach that would give us a partial solution would be to admit we were wrong originally, and instead of using radvd to propagate simple prefix information into our internal networks we should instead use a fully-fledged IPv6 DHCP server that can propagate addressing and DNS information. This would solve the problem of devices inside the network needing to have the IPv6 DNSs statically configured on them. However even this would not solve the root issue here: our inability to automatically pick up the IPv6 DNS information from received RAs when we’re configured to operate as a router.

The problem there is not, directly, rdnssd itself. The problem is the kernel. An architectural decision has been taken to stop the kernel sending RA DNS data up to userspace if the system is functioning as a router. Good or bad decision? Bad in my view. I can understand why it is sensible default behaviour, yes. But I do not understand why it’s been made unchangeable. But that’s how it is, for now anyway.

The solution I’m going to go for is to actually bypass the policing mechanism itself. The kernel only manages to stop the DNS being sent to userspace when userspace uses the Netlink mechanism to talk down. So why not just bypass that and get the raw data we want? This should bre easy enough to do, as rdnssd itself used to work this way, before the kernel started using Netlink to talk to userspace. So we might be able to build rdnssd to behave as it used to and get the data, right?

Hack and build rdnssd

The existing rndssd code makes provision for kernels with the netlink capability which causes us problems and for older kernels without that capability. So all the code we need is already in place. All we really need to do is change the default behaviour of rdnssd to the old way and we’ll be all set. One could of course do this properly and completely using command line options. Here’s what you might do in terms of changes to the rdnssd code-base:

Edit rdnssd.c

In usage(), ad a line such as:

” -n –no-netlink use old method to pick up kernel notificationsn”

In main() drop in appropriate parameter parsing:

static const struct option opts[] =

{

{ “foreground”, no_argument, NULL, ‘f’ },

{ “no-netlink”, no_argument, NULL, ‘n’},

.

.

.

and an appropriate global:

bool nonetlink = false;

and then in the main parsing switch add:

case ‘n’:

nonetlink = true;

break;

Then finally up in worker() we act upon it.

Before we had:

static int worker (int pipe, const char *resolvpath, const char *username)

{

sigset_t emptyset;

int rval = 0, sock = -1;

const rdnss_src_t *src;

#ifdef __linux__

src = &rdnss_netlink;

sock = src->setup ();

#endif

if (sock == -1)

{

src = &rdnss_icmp;

sock = src->setup ();

}

.

.

.

Change it to something like:

static int worker (int pipe, const char *resolvpath, const char *username)

{

sigset_t emptyset;

int rval = 0, sock = -1;

const rdnss_src_t *src;

#ifdef __linux__

if (!nonetlink) {

src = &rdnss_netlink;

sock = src->setup ();

}

#endif

if (sock == -1)

{

src = &rdnss_icmp;

sock = src->setup ();

}

.

.

.

and we’re good. Build, install and use as before, but using the new cli parameter “-n” as required to force the old behaviour.

Attached is a version of rdnssd.c based off version 0.9.9 for reference.

For finishing touches, set up an rdnssd hook-file which puts the IPv6 nameservers first in /etc/resolv.conf, and then have the original IPv4 servers appended after them.

IPv6 – Proxy the neighbors (or come back ARP – we loved you really)

sgroarke — Wed, 24 Mar 2010 09:11:32 +0000

After three articles, where am I with my venture in to IPv6? What have we really achieved so far? Well, in functional terms, not so very much yet!!

To recap:

Here I covered a lot of ground, getting basic IPv6 running on a Linux gateway box connected to an ISP providing native IPv6, while remembering stuff like the need to set up a firewall.
Here I looked at the issue of IPv6 firewall logging
And here I looked at the need to set up a default route out of the gateway device pointing back towards the internet.

And what can I now actually do? Well……. from the gateway box I can ping out successfully to any IPv6 device on the Internet. In other words, logged in to the device in green on this diagram, I can ping out of eth0 over the Internet. And from an IPv6 device on the Internet I can successfully ping towards my green box, using the address of eth0. So I can ping from the Internet to (these are of course made-up addresses!) 123::456.

However if from my remote Internet location I ping instead the IPv6 address of eth1 (here 123::789) does it work? I might expect it to: after all, eth1 has a global IPv6 address on it, not a private address. So surely I can ping it?

Needless to say, as it stands I cannot. Here we look at why not – in the process covering an important element of turning our gateway device in to an IPv6 router (which, grand though it sounds, is exactly what we are doing here!) which receives very little coverage elsewhere on the Internet. In fact when researching this I came to a conclusion that the vast majority of folks who have dabbled with IPv6 in the domestic environment have terminated their ISP IPv6 connection on their workstation, and very few have gone the step further and used a device as a gateway to a home network!!

How to get through the gateway – or Come back ARP, all is forgiven

So when I ping 123::789 what stops it working? The first thought is: firewall. We’re blocking it, right? A quick trip to the shorewall6 log (glad we set that up, eh?) shows us: nothing. Nowt. Zilch. Nada. Surprisingly, we’re not dropping the ping. (In fact the firewall config we set up in the first of these articles contains enough already to allow, from a firewall perspective, for this ping to succeed.)

So we now run tcpdump on eth0 to see just what is going on. Here’s an example:

From the remote host

From my remote IPv6 host I do and see:

ping6 2a01:XXX:8b25:7ea0::22

PING 2a01:XXX:8b25:7ea0::22(2a01:XXX:8b25:7ea0::22) 56 data bytes

From 2a01:XXX:8b25:7ea0::1 icmp_seq=1 Destination unreachable: Address unreachable

From 2a01:XXX:8b25:7ea0::1 icmp_seq=2 Destination unreachable: Address unreachable

From 2a01:XXX:8b25:7ea0::1 icmp_seq=3 Destination unreachable: Address unreachable

.

.

.

Which doesn’t tell me a lot.

On the gateway

On my gateway, from tcpdump, I see:

tcpdump -i eth0 -v ip6

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

08:51:35.315038 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:cbff:fea5:XXX > ff02::1:ff00:22: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:XXX:8b25:7ea0::22

source link-address option (1), length 8 (1): 00:07:cb:a5:1a:68

08:51:36.315002 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:cbff:fea5:XXX > ff02::1:ff00:22: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:XXX:8b25:7ea0::22

source link-address option (1), length 8 (1): 00:07:cb:a5:1a:68

08:51:37.315001 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:cbff:fea5:XXX > ff02::1:ff00:22: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:XXX:8b25:7ea0::22

source link-address option (1), length 8 (1): 00:07:cb:a5:1a:68

What does this tell me?

So the ping is reaching the gateway device alright. Sort of. Well, not really. But there’s something going on there! What we see in that tcpdump trace is the ISP’s router to which I’m connected is sending me a Neighbor Solicitation for the ::22 address (i.e. the global IPv6 address of my eth1 interface on the “far side” of my gateway which I’m trying to ping) While I’m not keen to draw too many parallels and comparisons with IPv4, it is useful to do so here: A Neighbor Solicitation is, at least as we see it here, pretty much analogous to a good ol’ ARP Request. The ISP is saying to us “I think this address is somewhere over with you – Please confirm and let me know how to reach it”. Which is great, except for the glaring fact that we appear to ignore this NS (Neighbor Solicitation) and hence the ping fails.

So you can guess we need to set something up on the gateway that tells it to reply to such a NS. (Kinda vaguely analogous to a Proxy ARP, if you’re familiar with that)

IPv6 Proxy

A couple of steps here. Firstly the system needs to be told globally to perform the required IPv6 proxying, and we then need to enable it for specific addresses.

proxy_ndp

In the /etc/sysctl.conf file add a line:

net.ipv6.conf.all.proxy_ndp = 1

To set this dynamically (without a reboot) you can also do:

sysctl -w net.ipv6.conf.all.proxy_ndp=1

Neighbor proxy

Then perform:

ip -6 neigh add proxy 2a01:XXX:8b25:7ea0::22 dev eth0

Note that here the IPv6 address is the address of the interface on the private side of the gateway (eth1 for me). The end part “…dev eth0″ is to say “Proxy that address from this interface”.

You also, of course, will need to make such configuration permanent. Numerous approaches to that: I settled upon adding this from the interface-up scripts in /etc/network/if-up.d/ but there are so many other methods too. Pick yours.

(Interestingly, I have yet to discover any way at all to display the list of proxied neighbors added in this manner! I’ve looked pretty hard, but there appears to be no way I can find to have them listed. There must be a way, but I can’t find it.)

Success!

And the ping now works, with a tcpdump like this now showing to us:

09:18:18.644817 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:cbff:fea5:XXX > ff02::1:ff00:22: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2a01:XXX:8b25:7ea0::22

source link-address option (1), length 8 (1): 00:07:cb:a5:1a:68

09:18:18.868550 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::240:63ff:fef5:XXX > fe80::207:cbff:fea5:XXX: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 2a01:XXX:8b25:7ea0::22, Flags [solicited]

destination link-address option (2), length 8 (1): 00:40:63:f5:f9:3c

09:18:18.868958 IP6 (hlim 56, next-header ICMPv6 (58) payload length: 64) ipsi6 > 2a01:XXX:8b25:7ea0::22: ICMP6, echo request, length 64, seq 5

09:18:18.869107 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:XXX:8b25:7ea0::22 > ipsi6: ICMP6, echo reply, length 64, seq 5

Which has 4 elements:

The same sort of Neighbor Solicitation we had previously.
This time we send back a Neighbor Advertisement for the ::22 address
With that done, the ping itself can come to us (the ICMP6 echo request)
And we of course respond to the ping with ICMP6 echo reply.

Conclusions and summary

In the world of IPv6, with no ARP or NAT, life is different. Devices which in IPv4 are thought of as private (both in terms of addressing and functionality) are now, at least from the perspective of addressing, public. We need to make sure that if we want “The World” to be able to reach them, we must in turn tell the world about them. Hence the need for IPv6 neighbor proxying. And, thinking ahead a little, the need to take our firewalling ever more seriously. If I make the addresses of a “private” workstation globally reachable I’d better make sure that it’s protected…

The last point to make is about scalability: do we really need to add an “ip -6 neigh add proxy” for each private device we wish to be able to reach from the Internet? If there are only a few devices (as in the typical home network) then it may well be easiest to do this. However in situations where the private side of the network has many IPv6 addresses which need to be globally reachable, other solutions may be more appropriate and manageable, but will not be covered here. Here we’re trying to get a small home network IPv6 enabled, not migrate a corporation to IPv6. If you really want to get in to the area of automating these functions you need to read up on implementations of Neighbor Discovery Protocol, look at “zeroconfig” networking, Apple’s Bonjour service, and so on..

There will come a time when such automation will be required at the domestic level, with the eventual proliferation of networked devices. But for now we keep it simple and statically configure the required addresses.

EDIT 5 Aug 2011: npd6 – See project here http://www.ipsidixit.net/2011/08/04/npd6/

IPv6 and default routes

sgroarke — Fri, 05 Mar 2010 15:02:13 +0000

Following on from my first tutorial, we have a box set up which has basic IPv6 connectivity. There’s a firewall in place with a simple but sufficient configuration. And we can ping6 from this box to remote IPv6 destinations.

All of this has, so far, made use only of one network interface (in my case eth0) to set things up. However looking ahead to the next step I am aware that I will want devices inside my network (i.e. my workstations, etc.) to have IPv6 connectivity through this device I am setting up. In other words, this device must, as it does today for IPv4, act as a router.

With IPv4 this is, at a basic level (so forgetting about firewalling and so on) very easy: enable IPv4 forwarding and away you go.

For IPv6? A little more complicated…

sysctl.conf

My first step was to jump in to /etc/sysctl.conf and, just as I have IPv4 forwarding enabled here, do the same for IPv6. There’s even a (likely commented out) entry already there to help you. So I change it to show:

net.ipv6.conf.all.forwarding = 1

Reboot (or if you prefer manually involve the same change via sysctl or simply dropping the value in via /proc/sys/) and it takes effect.

Why has it all stopped working?

After doing this, the first thing I noticed was that suddenly I could no longer ping6 to my test destination. I find that the default route has disappeared from the route table (ip -6 route show)

It turns out that once the device is defined to be a router (i.e. that IPv6 forwarding is enabled) it stops acting on received Router Advertisements from the ISP, arriving on my WAN link eth0.

I was pretty miffed at first, but of course on reflection this is entirely sensible behaviour – I do not actually know who is sending me a given router advertisement. I have no knowledge of how the ISP has built its IPv6 infrastructure, and while I would hope that only the ISP can send an IPv6 Router Advertisement towards me, maybe not? What if someone else manages to do it too?

That’s why an IPv6 router, even in this context, as a home gateway, needs to treat a Router Advertisement with care!

What to do?

With IPv6 forwarding enabled it is possible to allow the RA to be accepted. In sysctl.conf set:

net.ipv6.conf.all.accept_ra = 1

However this then permits the interface(s) to autoconfig so far as addressing is concerned, but still does not pick up a default route. There is also a sysctl of net.ipv6.conf.all.accept_ra_defrtr which could be useful (if you trust your RA in the first place, that is) but anyway I could not make it work as I’d expect.

So really it comes down to making sure that, once IPv6 forwarding is enabled, that a default route is manually defined. Something along the lines of:

ip -6 route add default via fe80::207:cbff:aaaa:bbbb dev eth0

seems to do the trick
Of course the difficulty here is how you obtain the address of the required gateway. My ISP had not told me what it was. I obtained it by looking at what the default route had been prior to enabling IPv6 forwarding. Of course I could also have simply run tcpdump -i eth0 ip6 and waited for a to show up.To make this permanent, a suitable line can be added to /etc/network.interfaces, so mine now looks similar to:

iface eth0 inet6 static
address 2a01:e35:8b25:aaaa::1
netmask 128
gateway fe80::207:cbff:aaaa:bbbb

[EDIT: 2 Aug 2011: "netmask 128" previously read "netmask 64" It *could* be 64, but more likely 128!!]

So with IPv6 forwarding enabled and a default route successfully restored, we can now proceed.

IPv6 – logging and shorewall6

sgroarke — Thu, 25 Feb 2010 11:42:32 +0000

Following on from my early success at get IPv6 running, I soon hit a significant issue: firewall logging.

Now this need not be a “blocker” for everyone, but I take my firewall logging duties quite seriously…!

shorewall IPv4 logging

Currently I have IPv4 shorewall configured to log not using the standard syslog mechanism, but instead to use ulogd. This allows me to easily log firewall activity to an entirely separate set of log files very easily. It is absolutely not mandatory, but it’s neat and tidy. I then have fwlogwatch to nightly analyse the logs and automatically email the interesting bits to me for occasional checking.

To enable this I have appropriate pointers to use of ULOG in shorewall’s policy and rules files as follows:

policy

.

.

.

ext all DROP ULOG

.

.

.

and, for example:

rules

.

.

.

ACCEPT:ULOG all fwall 47
.
.
.

One then has an appropriate config in /etc/ulogd.conf to file things where you want them.

shorewall6 IPv6 logging

Having installed shorewall6 in a simple form and got it working, I naively assumed I could log in a similar manner as with the IPv4 version of shorewall. Oh no – I find ulogd is no longer supported in shorewall6 and the choices are:

syslog
nflog

The syslog option I specifically did not want, so I decided I’d better find out about nflog (Net Filter Log). It turns out that nflog is actually more commonly referred to as ulogd2, and is a dramatically enhanced version of the original ulog. In fact it’s so different that it is, for all practical purposes, an entirely different thing. Trying to relate ulog to ulog2 is a pretty futile exercise. Work on the basis that they are unrelated and it’ll prove less frustrating.

Anyway, the learning curve with ulogd2 was a bit steep, but it turns out to be a very neat product. Here I will present some key points that should help you to get it up, running and integrated on a Ubuntu system. Oh, and it’s not available as a pre-built package… Sorry – didn’t I mention that?

Implementing NFLOG (aka ulogd2) on a Ubuntu firewall

The first step to follow is to get hold of the ulogd2 source tree and build it. I worried that this would take me some time, but found a tremendously helpful article someone had already written which aided me a lot. (Thank you Pollux!)

If you’re familiar with building from source, that page will give you most of what you need. Here are a few points to add:

I’d suggest leaving the build PREFIX unspecified (i.e. default) so it will ultimately install in the /usr/local/ hierarchy. This means you can get it all working in parallel with an existing ulogd installation – much cleaner and safer!
Since we want to emulate ulogd just in so far as we are able to log to a disk file, disable any of the Postgres or MySQL build options to make things more compact and simple (unless of course you want to make use of these neat new features within ulogd2!)
Much of the article referenced assume that you will be logging to a database – keep it simple for now and ignore that.

ulogd2 config highlights

Once ulogd2 is installed, you need to copy the supplied ulogd.conf from the source tree you used to build into /usr/local/etc.

The contents of this file took a little working out, but here I present the key elements required in order to have ulogd2 set up to allow:

IPv6 to be logged to one file
IPv4 to be logged to another file (this used to be done using the original ulogd)

Once completed and the two shorewall configs tweaked to make use of it, this new ulogd2 replaces the previously used ulogd. Note that this is optional: you can have both versions of ulogd coexist. However it’s a lot cleaner and easier to maintain if just one subsystem is used. But that’s entirely a personal choice.

plugins section

plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"

stacks section

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU

log section

# Using log4 for IPv4
[log4]
group=4
numeric_lable=4
# Using log6 for IPv6
[log6]
group=6
numeric_label=6

log-specific sections

# IPv4
[emu4]
file="/var/log/firewall/nflog4.log"
sync=1
# IPv6
[emu6]
file="/var/log/firewall/nflog6.log"
sync=1

Changes to shorewall configs

And finally we need to tweak shorewall and shorewallt6 to use the new log facility. For shorewall6 that means simply adding the appropriate NFLOG references within the policies and/or rules. For shorewall IPv4 one simply has to replace existing ULOG references with an appropriate NFLOG reference.

shorewall6 additions

So my (very very over-logged – but then my IPv6 is still at the experimental stage…!) policy file is now:

#Source Dest Policy Log Burst/Limit

fwall all DROP NFLOG(6)

int all DROP NFLOG(6)

ext all DROP NFLOG(6)

all all DROP NFLOG(6)

And to test logging from individual rules I’ve specified rules as:

ACCEPT:NFLOG(6) ext fwall ipv6-icmp

ACCEPT:NFLOG(6) fwall ext ipv6-icmp

shorewall (IPv4) changes

And over in my IPv4 shorewall I just changed any reference to ULOG to read NFLOG(4), for example, where policy previously read:

office all DROP ULOG

it now reads

office all DROP NFLOG(4)

In Summary

If you are implementing IPv6 with shorewall6, ulog cannot be used for logging. You must either go back to the crude-but-efective use of syslog or go forward to NFLOG / ulogd2. Implementing ulogd2 is not entirely trivial, since it is not yet a pre-built package for Ubuntu. However building and implementing it is far from impossible if you’ve a little experience in such matters. And as a bonus, once implemented you can drop the original ulog and integrate both IPv4 and IPv6 logging within NFLOG.

Worth noting is that while we’ve achieved an elegant split between IPv4 and IPv6 firewall logs using ulog2d, while I can continue to process my IPv4 logs every night using fwlogwatch, as before, the processing and analysis of the IPv6 logs is another issue altogether! fwlogwatch is an old tool and does not process IPv6 log files. I’ll sort that out in a later article.