News items for tag ipv6 - Koos van den Hout

2016-01-29 Linux dummy network interfaces can be very handy 3 years ago
The recent interruptions in the outside Internet connection made me want to improve some things in the server at home so internal things keep running through an interruption.

I have to request an IPv6 range for an interface to make wide-dhcpv6-client run at all: it refuses to run when no interface is configured to assign a /64 to, and my ISP will not route IPv6 unless I use IPv6 prefix delegation to request the space, which is static anyway. But I want the wired and wireless networks to have fixed IPv6 ranges so things keep running even when the outside link has a hiccup. Solution: request the IPv6 range for a dummy network interface and assign static IPv6 ranges to the ethernet interfaces. In /etc/network/interfaces:
auto dumdh6
iface dumdh6 inet static
    pre-up ip link add name dumdh6 type dummy
    address 0.0.0.0
And in /etc/wide-dhcpv6/dhcp6c.conf:
interface ppp0
{
        send ia-pd 0;

        script "/etc/wide-dhcpv6/dhcp6c-script";
};
id-assoc pd {
        prefix-interface dumdh6 {
                sla-id 3;
        };
};
And there is another dummynet interface to assign the fixed IP addresses I use for hosting services to. This means those services can start (and keep running) even when the link hiccups and removes the IP address from the ppp interface. Earlier I did this on an unused vlan interface, but using dummynet feels more tidy.

2016-01-28 Shodan using the IPv6 ntp pool to find active IPv6 addresses 3 years ago
Recently posted: shodan.io actively infiltrating ntp.org IPv6 pools for scanning purposes. So I tried:
ntpdate -d -u 2a03:b0c0:3:d0::18:b001
And indeed:
Jan 28 14:42:25 server kernel: [1187976.106758] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=49717 DPT=55554 WINDOW=54358 RES=0x00 SYN URGP=0 
Jan 28 14:42:25 server kernel: [1187976.107191] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34680 DPT=50070 WINDOW=26315 RES=0x00 SYN URGP=0 
Jan 28 14:42:25 server kernel: [1187976.107256] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=49717 DPT=32764 WINDOW=15398 RES=0x00 SYN URGP=0 
Jan 28 14:42:25 server kernel: [1187976.107309] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=41249 DPT=44818 WINDOW=15146 RES=0x00 SYN URGP=0 
Jan 28 14:42:25 server kernel: [1187976.107380] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=52 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=13864 DPT=30718 LEN=12 
Jan 28 14:42:25 server kernel: [1187976.107427] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=59140 DPT=25565 WINDOW=53087 RES=0x00 SYN URGP=0 
Jan 28 14:42:25 server kernel: [1187976.108613] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=55 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=32950 DPT=8888 LEN=15 
Jan 28 14:42:25 server kernel: [1187976.110197] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=39721 DPT=64738 LEN=20 
Jan 28 14:42:25 server kernel: [1187976.110315] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=50 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=46499 DPT=5632 LEN=10 
Jan 28 14:42:25 server kernel: [1187976.110405] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=65 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=21934 DPT=47808 LEN=25 
Jan 28 14:42:31 server kernel: [1187981.938880] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34235 DPT=993 WINDOW=0 RES=0x00 RST URGP=0 
Jan 28 14:42:31 server kernel: [1187982.030058] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34235 DPT=993 WINDOW=0 RES=0x00 RST URGP=0 
Jan 28 14:42:31 server kernel: [1187982.197203] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34237 DPT=993 WINDOW=0 RES=0x00 RST URGP=0 
Jan 28 14:42:33 server kernel: [1187984.398977] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34245 DPT=993 WINDOW=0 RES=0x00 RST URGP=0 
Jan 28 14:42:34 server kernel: [1187984.620836] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34244 DPT=993 WINDOW=0 RES=0x00 RST URGP=0 
I would have expected more ports tested.

2016-01-14 Boot-time IPv6 on the homeserver not working 3 years ago
I shut down and rebooted the homeserver to get an updated kernel and look at some other things. After booting up again I noticed the problem with IPv6 not being active on interfaces that started early was happening again: no link-local addresses configured, no global addresses configured. This affects all ethernet interfaces and ppp0 for the link to the outside world. I also noticed this problem after the upgrade, see Upgrading the homeserver to Ubuntu 12.04, but the problem remains even with an updated kernel (currently 3.2.0-97-generic).

I have no idea what causes this or how to fix it. It seems related to Debian bug #726569: haproxy doesn't start on boot due to missing IPv6 address on interface, but in that case the address is configured, just not yet available for applications to bind to. The related Beware the IPv6 DAD Race Condition - Andrew Ayer suggests the same cause (a duplicate address detection race condition) and has disabling duplicate address detection (DAD) as a workaround.

2016-01-08 IPv6 visitor stats 2015 3 years ago
Time to count IPv6 visitor percentage to different websites again:
Site | July 2009 | July 2010 | July 2011 | July 2012 | July 2014 | July 2015
http://idefix.net/ my homepage 1% 2% 2% 3% 4% 6%
http://netwerk.idefix.net/ hcc!pcgg netwerkgroep 2% 2% 2% 3% 1% 3%
http://weather.idefix.net/ weather maps < 1% 5% 6% 7% 6% 12%
http://bbs.idefix.net/ BBS files 1% 1% 1% 3% 7%
http://webcam.idefix.net/ the webcam < 1% 1% < 1% 2% 2% 5%
http://www.virtualbookcase.com/ The Virtual Bookcase < 1% 1% 1% 4% 87% 3% 80% 6%
http://www.camp-wireless.org/ Camp Wireless < 1% 1% 1% 3% 70% 3% 82% 6%
http://weatherstation.idefix.net/ Weather station Utrecht Overvecht 1% 5%
Interesting numbers. Results for The Virtual Bookcase and Camp Wireless are totally skewed thanks to some IPv6 bot constantly checking the site from constantly changing IPv6 addresses... but without privacy extensions enabled. Other sites are showing a growth consistent with general IPv6 growth in the world.

Method: unique IPv6 addresses seen in the whole month / total unique addresses (IPv4+IPv6) seen in the whole month.

Update: Filtering for 'curl' helped in normalizing the results.

2015-12-13 Trying to squeeze in some radio hobby when propagation is cooperating 3 years ago
This weekend I wanted to play some radio but it was hard to find time and cooperating propagation. At the moment propagation seems very limited and it only happens during the hours the sun is up for the amateur bands I am active in (20 meter and 10 meter).

On Saturday it was rainy most of the day, which meant the roof was wet and my signals weren't getting out when I got around to trying. I had enough incoming signals and had nice overviews on PSK reporter, but nobody heard me when I had time to call/answer.

On Sunday it was dry and I made five PSK31 contacts, and one SSB contact. After sunset the 20 meter band dried up quickly for me so I hung out the endfed to try my luck on 40 meter. Calling CQ in RTTY mode on 7051 MHz got spotted on the reverse beacon network but nobody answered. What frequency on 40 meter is good for PSK31 varies, but the only frequency where I hear/see it active is 7.040 MHz which is currently outside the frequency range I'm allowed to use.

So I tried something else: JT-65 since I did hear the JT-65 tones above 7.076 MHz. The software was readily available via the Ubuntu ham radio software repository: wsjtx. It took me a bit of work to configure it to use hamlib via localhost: I can select the right rig type (NET rigctl 2) but I can't select a network host. Entering 'localhost' gave me a 'connection refused' error which I did not expect. I used strace to find out and the connection was only attempted to ::1, the IPv6 localhost where rigctld does not listen. I entered 127.0.0.1 as port and CAT control (controlling and monitoring my radio) started working. I saw some activity, and even tried answering a CQ call, but my answer was not received.

JT-65 takes time: transmitting a message of maximum 13 characters takes around 50 seconds(!). A full QSO including signal reports takes at least 6 minutes, it's really not a mode for chatting or for fast contacts. On the other hand: it is a weak-signal mode, JT-65 can dig up signals deep from the noise!

2015-06-03 Working IPv6 at Surfnet office 4 years ago
December last year I noticed IPv6 at the Surfnet office breaking in interesting ways. Recently I was invited to come over and test it again, the news being that the problem I was seeing should be fixed now. I accepted that invitation and yesterday I was at the new office and tested it. And indeed it now works well: I received a stable IPv6 assignment and was able to keep long-running IPv6 sessions to multiple systems at home. The technical reasons behind it are 'interesting', but the good news is that the eduroamers network now has stable IPv6.

2015-04-27 Upgrading the homeserver to Ubuntu 12.04 4 years ago
To get to a version of Ubuntu with support available I kept going and ran 'do-release-upgrade' again today on the homeserver greenblatt.

Again the upgrade was running for a while. A big improvement is that the process now uses screen so I was able to attach to that running console from other sessions and answer questions.

After the upgrade came the reboot, and after the reboot I noticed resolving was broken. This was traced back to the ppp0 interface for the connection to the outside world and the internal interface for services having started completely without IPv6 support. Doing an ifdown and ifup helped, but this should all start correctly automatically.

I noticed the new Postgresql 9.1 is already installed, but Postgresql 8.4 is the default version available over port 5432, so I can do the pg_upgradecluster when I have time for that.

Later I noticed some packages were held back. I traced this back to /etc/apt/preferences still being optimized for Ubuntu 8.04 hardy and hardy-backports. I emptied the preferences file and it all sorted itself out and now everything is up to date.

This was probably the reason Postgresql 8.4 was left installed and active. After the updates above apt-get autoremove was going to delete Postgresql 8.4.
Read the rest of Upgrading the homeserver to Ubuntu 12.04

2015-03-27 Overly interested Amazon EC2 nodes 4 years ago
On Camp Wireless and The Virtual Bookcase I see the following pattern in the access logs:
2620:108:700f::36bc:aade - - [27/Mar/2015:13:27:11 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
2406:da00:ff00::36e2:d963 - - [27/Mar/2015:13:27:38 +0100] "GET / HTTP/1.1" 302 298 "-" "curl/7.36.0"
Constant requests, 2 or 3 per minute from Amazon EC2 IPv6 addresses just requesting the / using curl. Over the day I now see 1334 unique addresses with at most 5 requests from one url.

The same pattern as described in Stange stream of HTTP GET requests in apache logs, from amazon ec2 instances - Server Fault with no real answer to the why.

It's not a problematic amount of traffic, I'd just like to understand what is happening!

2015-01-05 Leap second announcement 4 years ago
Promptly after fixing the previous leap second file I get IERS Bulletin C number 49 today, which states:
                                   UTC TIME STEP
                            on the 1st of July 2015


 A positive leap second will be introduced at the end of June 2015.
 The sequence of dates of the UTC second markers will be:

                          2015 June 30,     23h 59m 59s
                          2015 June 30,     23h 59m 60s
                          2015 July  1,      0h  0m  0s
And I notice the IETF seems to update the canonical leap-seconds file about two months after the decision is made by the IERS.

It's a good thing ntpd starts complaining when the file is about to expire.

Update 2015-01-06: An update was available from ftp://time.nist.gov/ but only when I connected over IPv6. An interesting form of IPv6 promotion. Notice the difference in messages between the old file and the new file loading:
Jan  5 13:54:33 ritchie ntpd[13710]: leapsecond file ('/etc/ntp/leap-seconds.3644438400'): good hash signature
Jan  5 13:54:33 ritchie ntpd[13710]: leapsecond file ('/etc/ntp/leap-seconds.3644438400'): loaded, expire=2015-06-28T00:00Z ofs=35 (no entries after build date)
Jan  6 10:14:17 ritchie ntpd[26348]: leapsecond file ('/etc/ntp/leap-seconds.3629404800'): good hash signature
Jan  6 10:14:17 ritchie ntpd[26348]: leapsecond file ('/etc/ntp/leap-seconds.3629404800'): loaded, expire=2015-12-28T00:00Z last=2015-07-01T00:00Z ofs=36
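The expire=, last= and ofs= values in those ntpd messages come straight out of the leap-seconds file. As an added example (not code from the original post), this Python snippet parses that file format, converts its NTP-epoch timestamps and reports the same fields; the two file fragments are constructed for the example, modelled on the old and the new file, and the 30-day "about to expire" threshold is this example's own assumption.

```python
"""Parse a leap-seconds.list file and derive what ntpd logs about it.

Added example, not from the original post. The file is plain text: '#' comment
lines, a '#$' line with the last-update time, a '#@' line with the expiry time,
and data lines '<NTP seconds> <TAI-UTC offset>'. All timestamps count seconds
since 1900-01-01 (the NTP epoch), which is 2208988800 seconds before Unix time.
"""
from datetime import datetime, timedelta, timezone

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Constructed fragments for this example (the real file lists every leap second
# since 1972). The first mirrors the file ntpd called leap-seconds.3644438400,
# the second the replacement that already contains the 1 July 2015 step.
OLD_FILE = """\
#$ 3597782400
#@ 3644438400
3550089600 35 # 1 Jul 2012
"""
NEW_FILE = """\
#$ 3629404800
#@ 3660249600
3550089600 35 # 1 Jul 2012
3644697600 36 # 1 Jul 2015
"""


def ntp_to_iso(ntp_seconds):
    """Render an NTP-epoch timestamp the way ntpd logs it, e.g. 2015-06-28T00:00Z."""
    unix_epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    when = unix_epoch + timedelta(seconds=ntp_seconds - NTP_TO_UNIX)
    return when.strftime("%Y-%m-%dT%H:%MZ")


def parse_leap_file(text):
    """Return {'update': ntp, 'expire': ntp, 'entries': [(ntp, offset), ...]} sorted by time."""
    info = {"update": None, "expire": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$"):
            info["update"] = int(line[2:].split()[0])
        elif line.startswith("#@"):
            info["expire"] = int(line[2:].split()[0])
        elif line.startswith("#"):
            continue
        else:
            when, offset = line.split()[:2]  # trailing '# date' comment is ignored
            info["entries"].append((int(when), int(offset)))
    if info["expire"] is None or not info["entries"]:
        raise ValueError("not a leap-seconds.list file: missing '#@' expiry or entries")
    info["entries"].sort()
    return info


def status(text, now_ntp, warn_days=30):
    """Summarise a file as ntpd would: expiry, last entry, offset, and whether it needs replacing.

    warn_days is this example's own threshold for 'about to expire' (assumption).
    """
    info = parse_leap_file(text)
    last_when, last_offset = info["entries"][-1]
    expired = now_ntp >= info["expire"]
    return {
        "expire": ntp_to_iso(info["expire"]),
        "last": ntp_to_iso(last_when),
        "ofs": last_offset,              # ntpd's 'ofs=': TAI-UTC after the last entry
        "pending": last_when > now_ntp,  # a leap second announced but not yet applied
        "expired": expired,
        "expiring_soon": not expired and info["expire"] - now_ntp < warn_days * 86400,
    }


if __name__ == "__main__":
    now = 3629404800 + 86400  # 6 January 2015, the day the post's update was written
    for name, text in (("old", OLD_FILE), ("new", NEW_FILE)):
        print(name, status(text, now))
```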

2014-12-11 IPv6 breaking without default router 4 years ago
Interesting type of IPv6 breakage currently at the Surf office:
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : 145.96.0.1
What's missing here? A default gateway for IPv6. Which breaks any external IPv6 connectivity. And I like having external IPv6 connectivity, for example for logging into systems at home. The solution is simple:
C:\>ipconfig /renew6

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : eduroamers.nl
   IPv6 Address. . . . . . . . . . . : 2001:610:188:431:9d25:9938:408e:6714
   Temporary IPv6 Address. . . . . . : 2001:610:188:431:2c5e:681:fda1:702
   Link-local IPv6 Address . . . . . : fe80::9d25:9938:408e:6714%11
   IPv4 Address. . . . . . . . . . . : 145.96.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . . . . : fe80::222:dff:fe84:8800%11
                                       145.96.0.1
I wonder how this happens.

Update 2014-12-15: I got in touch with someone at SURFnet who suggested the best course of action: see if this problem persists after the upcoming move of the SURFnet offices.

Update 2015-06-03: And now the IPv6 over the wireless network at the Surfnet offices is fixed.

2014-11-03 Fun with network connection managers 4 years ago
I tried NetworkManager again because wicd was showing downsides, such as:
  • Not dealing correctly when the laptop is resumed with the ethernet cable attached: it doesn't run dhcp on the wired lan which makes services which only have IPv4 addresses unreachable. Took a while to understand that one for obvious reasons.
  • Making the wired network interface flap between connected and disconnected state when a network cable is inserted after boot. Solution: restart wicd first.
I tried NetworkManager again, kicked out ages ago because it fully depended on a Gnome desktop, which I don't run. But now it has nm-connection-editor and nm-cli which should make things less impossible. But after testing I found out NetworkManager is even worse for me than wicd.
Read the rest of Fun with network connection managers

2014-09-22 (#) 4 years ago
So work made a laptop with the standard Windows 7 software image available to me and I noticed when I took it home it doesn't do any IPv6. Which is not what I want. Some searching found How to disable IPv6 or its components in Windows - Microsoft Support which has the right answers which were used by the people creating this software image. I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents registry key to 0x01 so I don't get the Isatap/Teredo tunnels.

Interesting remark in that support article:
We do not recommend that you disable IPv6 or its components, or some Windows components may not function. Additionally, system startup will be delayed for 5 seconds if IPv6 is disabled.
I guess I'll have to find another way to disable the Isatap/Teredo tunnels to make the system boot faster. I want IPv6 to work when it's available natively, or not at all. Some aspects of the work network make things slow when tunneling protocols are tried, which is probably the reason for disabling it in the first place.

Update 2014-10-01: It seems this setting gets reset somehow: I am at the Surfnet Relatiedagen 2014 and just noticed the laptop has no IPv6 on the network here, which surprised me. But a check of the settings showed no IPv6 addresses at all, not even link-local. A check on my Android phone shows globally routable IPv6 addresses.

2014-09-05 (#) 4 years ago
Oh and another interesting thing about the new TP-Link TL-WDR4300. It does IPv6. If I read the docs correctly it can do DHCP6 with prefix delegation or tunnels. It even gives itself an IPv6 address on the LAN side when that side runs address advertising. But ...
$ telnet -6 ap 80
Trying 2001:980:14ca:2:ea94:f6ff:fe91:21b3...
telnet: Unable to connect to remote host: Connection refused
the webinterface isn't available via IPv6. Nothing in the device is available via IPv6 according to nmap.

2014-08-04 IPv6 visitor stats 2014 5 years ago
Time to count IPv6 visitor percentage to different websites again:
Site | July 2009 | July 2010 | July 2011 | July 2012 | July 2014
http://idefix.net/ my homepage 1% 2% 2% 3% 4%
http://netwerk.pcgg.nl/ hcc!pcgg netwerkgroep 2% 2% 2% 3% 1%
http://weather.idefix.net/ weather maps < 1% 5% 6% 7% 6%
http://bbs.idefix.net/ BBS files 1% 1% 1% 3%
http://webcam.idefix.net/ the webcam < 1% 1% < 1% 2% 2%
http://www.virtualbookcase.com/ The Virtual Bookcase < 1% 1% 1% 4% 87%
http://www.camp-wireless.org/ Camp Wireless < 1% 1% 1% 3% 70%
http://weatherstation.idefix.net/ Weather station Utrecht Overvecht 1%
Interesting numbers. Results for The Virtual Bookcase and Camp Wireless are totally skewed thanks to some IPv6 bot constantly checking the site from constantly changing IPv6 addresses... but without privacy extensions enabled.

Method: unique IPv6 addresses seen in the whole month / total unique addresses seen in the whole month.

2014-06-03 (#) 5 years ago
After some hiccups in the connection to the outside world I was, a few months back, not happy that the internal IPv6 routing broke as well. That turned out to be because wide-dhcpv6-client, when it can no longer obtain addresses via prefix delegation, also withdraws them from the delegated interfaces. The routes to the subnets at home then lapse and I can no longer work with clients there. But I also want to work with IPv6 when the connection to the outside is gone.

The solution I had come up with was to still request a prefix, but no longer let wide-dhcpv6-client configure the interfaces and instead configure them statically. From /etc/wide-dhcpv6/dhcp6c.conf:
interface ppp0
{
        send ia-pd 0;

        script "/etc/wide-dhcpv6/dhcp6c-script";
};
id-assoc pd {
#    prefix-interface eth0.1 {
#        sla-id 1;
#    };
#    prefix-interface eth0.3 {
#        sla-id 2;
#    };
};
But then wide-dhcpv6 produces a very obscure error message:
Jun  3 09:26:18 greenblatt dhcp6c[6474]: add_options: /etc/wide-dhcpv6/dhcp6c.conf:14 IA_PD (0) is not defined
Jun  3 09:26:18 greenblatt dhcp6c[6474]: main: failed to parse configuration file
And at xs4all I no longer get IPv6 if I don't request it with prefix delegation. That went fine for a long time, but with the latest updates to their access routers it really went wrong and I was suddenly without IPv6. Configuration adjusted, I assign them again now. Something really does have to happen with the prefix delegation for wide-dhcpv6-client to request one.

2014-04-15 (#) 5 years ago
Modern times, attacks on hosts via both IPv4 and IPv6:
Apr 15 15:23:56 greenblatt kernel: [4741660.011622] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6517 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:57 greenblatt kernel: [4741660.370701] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=8371 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.768693] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=10428 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.924225] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:24:01 greenblatt kernel: [4741662.117101] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:24:07 greenblatt kernel: [4741664.510439] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Same source via IPv4 and IPv6 with 6to4.

2014-03-12 (#) 5 years ago
A useful tip from Miquel van Smoorenburg of xs4all came by:
No MSS clamping is needed for IPv6 if you have radvd advertise an MTU of 1492 on your LAN. That is also what the Fritzbox does, and as far as I know all OSes handle that correctly.
So in radvd.conf:
interface eth0.1
{
    AdvSendAdvert on;
    AdvHomeAgentFlag off;
    AdvLinkMTU 1492;
    prefix ::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvPreferredLifetime 604800;
        AdvValidLifetime 2592000;
    };
};

2014-03-01 Netgear GS716Tv2 switch and IPv6 management 5 years ago
Sharing my earlier experiences with the hidden telnet interface on the Netgear GS716T switch was appreciated by someone else with a Netgear GS110p switch: "Hidden" CLI interface on Netgear GS110TP. So I guess this is a feature on multiple Netgear switches.

And that article made me look at the firmware version, finding in the release notes for the newer version:
New Features:
* Add IPv6 management, IPv6 ACL, and IPv6 DiffServ support.
I like that feature a lot! And indeed, after upgrade and setting the IPv6 management address:
Read the rest of Netgear GS716Tv2 switch and IPv6 management

2013-10-06 (#) 5 years ago
IPv6 is growing up: I'm seeing a portscan in my logs from an IPv6 address!
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=348 TC=0 HOPLIMIT=38 FLOWLBL=74565 PROTO=UDP SPT=57528 DPT=40408 LEN=308
sshd[5410]: Did not receive identification string from 2001:da8:1:fffe::108
Interesting source address:
inet6num:       2001:0DA8:0000::/40
netname:        CER2BKB6-CERNET2
descr:          ~{9z<RMxBgVPPD~}
descr:          CERNET2 Backbone Connection and Test Block
descr:          Beijing 100084, China
The scans were limited to 2 IPv6 addresses related to published services.
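This portscan, the 6to4 probes in the 2014-04-15 post and the Shodan scan in the 2016-01-28 post all arrive as the same kind of iptables/ip6tables LOG lines. As an added example (not code from the original posts), this Python script groups such lines by the actor behind them, folds a 6to4 source onto the IPv4 address embedded in it, and flags sources that touched several ports; the sample lines are copied from the posts on this page, and the port threshold is this example's own choice.

```python
"""Group netfilter 'FW reject'/'FW dropped' log lines by the actor behind them.

Added example, not code from the original posts: it reads kernel LOG-target
lines like those shown on this page, collects the destination ports each
source probed, and folds a 6to4 source (2002::/16) onto the IPv4 address
embedded in it, so a host scanning over both protocols counts as one actor.
"""
import ipaddress
import re
from collections import defaultdict

# key=value pairs written by the LOG target. IPv4 lines carry TOS/TTL/ID, IPv6
# lines TC/HOPLIMIT/FLOWLBL, but SRC, DST, PROTO, SPT and DPT appear in both.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
VERDICT_RE = re.compile(r"FW (\w+):")

# Sample lines copied from the posts on this page (destinations masked as there);
# the last two, from the 2013 post, lack the syslog prefix and the verdict.
SAMPLE_LOG = """\
Apr 15 15:23:56 greenblatt kernel: [4741660.011622] FW reject: IN=ppp0 OUT= MAC= SRC=175.44.9.137 DST=xx.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6517 DF PROTO=TCP SPT=49363 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:23:58 greenblatt kernel: [4741660.924225] FW reject: IN=ppp0 OUT= MAC= SRC=2002:af2c:0989:0000:0000:0000:af2c:0989 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=68 TC=0 HOPLIMIT=120 FLOWLBL=0 PROTO=TCP SPT=50764 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 14:42:25 server kernel: [1187976.106758] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=49717 DPT=55554 WINDOW=54358 RES=0x00 SYN URGP=0
Jan 28 14:42:25 server kernel: [1187976.107380] FW dropped: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=52 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=UDP SPT=13864 DPT=30718 LEN=12
Jan 28 14:42:31 server kernel: [1187981.938880] FW reject: IN=ppp0 OUT= MAC= SRC=2604:a880:0800:0010:0000:0000:00fe:d001 DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=60 TC=0 HOPLIMIT=55 FLOWLBL=0 PROTO=TCP SPT=34235 DPT=993 WINDOW=0 RES=0x00 RST URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
SRC=2001:0da8:0001:fffe:0000:0000:0000:0108 DST=2001:0980:14ca:0042:0000:0000:0000:0018 LEN=64 TC=0 HOPLIMIT=242 FLOWLBL=0 PROTO=TCP SPT=52537 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return the key=value fields of one log line (plus VERDICT), or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    m = VERDICT_RE.search(line)
    fields["VERDICT"] = m.group(1) if m else "unknown"
    return fields


def actor_for(src):
    """Canonical actor for a source address.

    A 6to4 address 2002:WWXX:YYZZ::/48 embeds the tunnel endpoint's IPv4 address
    W.X.Y.Z, so IPv6 and IPv4 probes from one host are counted together.
    Other addresses are returned in canonical (compressed) form.
    """
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.sixtofour is not None:
        return str(addr.sixtofour)
    return str(addr)


def summarise(log_text):
    """Per actor: source addresses seen, (proto, dport) pairs probed and firewall verdicts."""
    actors = defaultdict(lambda: {"sources": set(), "ports": set(), "verdicts": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = actors[actor_for(f["SRC"])]
        entry["sources"].add(f["SRC"])
        entry["ports"].add((f.get("PROTO", "?"), int(f["DPT"])))
        entry["verdicts"].add(f["VERDICT"])
    return dict(actors)


def flag_scanners(actors, min_ports=3):
    """Actors that probed at least min_ports distinct ports: a simple portscan heuristic."""
    return sorted(a for a, e in actors.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for actor, e in sorted(result.items()):
        ports = ", ".join(f"{p}/{d}" for p, d in sorted(e["ports"]))
        print(f"{actor}: {len(e['sources'])} source(s), ports {ports}")
    print("scanners:", flag_scanners(result))
```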

2013-08-20 (#) 6 years ago
Correctly firewalling IPv6 was a bit of a search for me, but I think I managed it. There is an apparent contradiction: filtering too much ipv6-icmp will break things, and allowing too much of it opens the door to a neighbour cache overflow attack. In the end I settled on allowing ipv6-icmp in the INPUT ip6tables chain but not in the FORWARD chain. Both chains do have a rule for ESTABLISHED,RELATED traffic. This is all for the external interface(s); internal interfaces are trusted.

I tested this with nmap from an external ipv6-enabled host and found out there is no way to input ipv6 address ranges. So to scan a number of addresses I had to type them all in full.

Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.
PGP key 5BA9 368B E6F3 34E4 (0x5BA9368BE6F334E4).