0.66wip.de.1 2014-05-10 0.66wip.de.1 2014-05-13 PB
\end_layout
@@ -463,6 +463,7 @@ CVS-Information:
\end_layout
\begin_layout Code
+
CVS-ID: $Id$
\end_layout
@@ -1259,6 +1260,7 @@ In allgemeinen Beispielen können Sie öfters lesen:
\end_layout
\begin_layout Code
+
\end_layout
@@ -1270,6 +1272,7 @@ In Skripts oder an Ihrer Kommandozeile müssen Sie die < und > weglassen
\end_layout
\begin_layout Code
+
1.2.3.4
\end_layout
@@ -1283,6 +1286,7 @@ Kommandos, die nicht als Root-Benutzer ausgeführt werden, beginnen mit $,
\end_layout
\begin_layout Code
+
$ whoami
\end_layout
@@ -1291,6 +1295,7 @@ Befehle, die mit Root-Rechten ausgeführt werden, beginnen mit #, z.B.
\end_layout
\begin_layout Code
+
# whoami
\end_layout
@@ -1480,58 +1485,72 @@ Der erste IPv6 Netzwerk Code wurde dem Linux Kernel 2.1.8 im November 1996
\end_layout
\begin_layout Code
+
diff -u --recursive --new-file v2.1.7/linux/include/linux/in6.h
\end_layout
\begin_layout Code
+
¬ linux/include/linux/in6.h
\end_layout
\begin_layout Code
+
--- v2.1.7/linux/include/linux/in6.h Thu Jan 1 02:00:00 1970
\end_layout
\begin_layout Code
+
+++ linux/include/linux/in6.h Sun Nov 3 11:04:42 1996
\end_layout
\begin_layout Code
+
@@ -0,0 +1,99 @@
\end_layout
\begin_layout Code
+
+/*
\end_layout
\begin_layout Code
+
+ * Types and definitions for AF_INET6
\end_layout
\begin_layout Code
+
+ * Linux INET6 implementation
\end_layout
\begin_layout Code
+
+ * + * Authors:
\end_layout
\begin_layout Code
+
+ * Pedro Roque <******>
\end_layout
\begin_layout Code
+
+ *
\end_layout
\begin_layout Code
+
+ * Source:
\end_layout
\begin_layout Code
+
+ * IPv6 Program Interfaces for BSD Systems
\end_layout
\begin_layout Code
+
+ *
\end_layout
@@ -1653,6 +1672,7 @@ Wie gesagt, IPv6 Adressen sind 128 bit lang.
\end_layout
\begin_layout Code
+
2^128-1: 340282366920938463463374607431768211455
\end_layout
@@ -1676,6 +1696,7 @@ nibble
\end_layout
\begin_layout Code
+
2^128-1: 0xffffffffffffffffffffffffffffffff
\end_layout
@@ -1698,6 +1719,7 @@ e Werte) entfernt:
\end_layout
\begin_layout Code
+
2^128-1: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
\end_layout
@@ -1708,6 +1730,7 @@ Eine gültige Adresse (s.u.
\end_layout
\begin_layout Code
+
2001:0db8:0100:f101:0210:a4ff:fee3:9566
\end_layout
@@ -1718,10 +1741,12 @@ Der Vereinfachung halber können führende Nullen jedes 16 bit-Blocks weggelasse
\end_layout
\begin_layout Code
+
2001:0db8:0100:f101:0210:a4ff:fee3:9566 ->
\end_layout
\begin_layout Code
+
¬ 2001:0db8:100:f101:210:a4ff:fee3:9566
\end_layout
@@ -1744,6 +1769,7 @@ Eine Sequenz von 16 bit-Blöcken, die nur Nullen enthaltet, kann durch ein
\end_layout
\begin_layout Code
+
2001:0db8:100:f101:0:0:0:1 -> 2001:0db8:100:f101::1
\end_layout
@@ -1753,6 +1779,7 @@ Die höchstmögliche Reduktion sieht man bei der IPv6 Localhost Adresse:
\end_layout
\begin_layout Code
+
0000:0000:0000:0000:0000:0000:0000:0001 -> ::1
\end_layout
@@ -1777,10 +1804,12 @@ h ein Aprilscherz.
\end_layout
\begin_layout Code
+
# ipv6calc --addr_to_base85 2001:0db8:0100:f101:0210:a4ff:fee3:9566
\end_layout
\begin_layout Code
+
Itu&-ZQ82s>J%s99FJXT
\end_layout
@@ -1993,6 +2022,7 @@ Dies ist eine spezielle Adresse für das Loopback Interface, vergleichbar
\end_layout
\begin_layout Code
+
0000:0000:0000:0000:0000:0000:0000:0001
\end_layout
@@ -2002,6 +2032,7 @@ bzw.
\end_layout
\begin_layout Code
+
::1
\end_layout
@@ -2037,6 +2068,7 @@ any
\end_layout
\begin_layout Code
+
0000:0000:0000:0000:0000:0000:0000:0000
\end_layout
@@ -2045,6 +2077,7 @@ oder:
\end_layout
\begin_layout Code
+
::
\end_layout
@@ -2090,6 +2123,7 @@ Diese Adressen sind mit einer speziellen Präfixlänge von 96 definiert (a.b.c.d
\end_layout
\begin_layout Code
+
0:0:0:0:0:ffff:a.b.c.d/96
\end_layout
@@ -2098,6 +2132,7 @@ oder in komprimiertem Format:
\end_layout
\begin_layout Code
+
::ffff:a.b.c.d/96
\end_layout
@@ -2108,6 +2143,7 @@ Die IPv4 Adresse 1.2.3.4.
\end_layout
\begin_layout Code
+
::ffff:1.2.3.4
\end_layout
@@ -2136,6 +2172,7 @@ reference "tunneling-6to4"
\end_layout
\begin_layout Code
+
0:0:0:0:0:0:a.b.c.d/96
\end_layout
@@ -2144,6 +2181,7 @@ oder in komprimierter Form:
\end_layout
\begin_layout Code
+
::a.b.c.d/96
\end_layout
@@ -2228,18 +2266,22 @@ x
\end_layout
\begin_layout Code
+
fe8x: <- zurzeit als einziger in Benutzung
\end_layout
\begin_layout Code
+
fe9x:
\end_layout
\begin_layout Code
+
feax:
\end_layout
\begin_layout Code
+
febx:
\end_layout
@@ -2279,18 +2321,22 @@ Die Adresse beginnt mit:
\end_layout
\begin_layout Code
+
fecx: <- meistens genutzt.
\end_layout
\begin_layout Code
+
fedx:
\end_layout
\begin_layout Code
+
feex:
\end_layout
\begin_layout Code
+
fefx:
\end_layout
@@ -2378,10 +2424,12 @@ Die Adresse beginnt mit:
\end_layout
\begin_layout Code
+
fcxx:
\end_layout
\begin_layout Code
+
fdxx: <- zurzeit als einziger in Benutzung
\end_layout
@@ -2409,6 +2457,7 @@ target "http://www.goebel-consult.de/ipv6/createLULA"
\end_layout
\begin_layout Code
+
fd0f:8b72:ac90::/48
\end_layout
@@ -2437,10 +2486,12 @@ Die Adresse beginnt mit (x sind hexadezimale Zeichen)
\end_layout
\begin_layout Code
+
2xxx:
\end_layout
\begin_layout Code
+
3xxx:
\end_layout
@@ -2472,6 +2523,7 @@ Diese globalen Adressen waren die Ersten definierten und auch benutzen Adressen.
\end_layout
\begin_layout Code
+
3ffe:
\end_layout
@@ -2480,6 +2532,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
3ffe:ffff:100:f102::1
\end_layout
@@ -2489,6 +2542,7 @@ Eine spezielle 6bone Test-Adresse, die niemals weltweit einmalig ist, beginnt
\end_layout
\begin_layout Code
+
3ffe:ffff:
\end_layout
@@ -2547,6 +2601,7 @@ target "http://www.faqs.org/rfcs/rfc2893.html"
\end_layout
\begin_layout Code
+
2002:
\end_layout
@@ -2556,6 +2611,7 @@ z.B.
\end_layout
\begin_layout Code
+
2002:c0a8:0101:5::1
\end_layout
@@ -2564,10 +2620,12 @@ Ein kleines Shell-Kommando kann aus einer IPv4 eine 6to4 Adresse erstellen:
\end_layout
\begin_layout Code
+
ipv4="1.2.3.4"; sla="5"; printf "2002:%02x%02x:%02x%02x:%04x::1" `echo $ipv4
\end_layout
\begin_layout Code
+
¬ | tr "." " "` $sla
\end_layout
@@ -2601,6 +2659,7 @@ Diese Adressen werden an Internet Service Provider (ISP) delegiert und beginnen
\end_layout
\begin_layout Code
+
2001:
\end_layout
@@ -2643,10 +2702,12 @@ target "http://www.faqs.org/rfcs/rfc3849.html"
\end_layout
\begin_layout Code
+
3ffe:ffff::/32
\end_layout
\begin_layout Code
+
2001:0DB8::/32 EXAMPLENET-WF
\end_layout
@@ -2671,6 +2732,7 @@ Sie beginnen immer mit (xx ist hierbei der Wert der Reichweite)
\end_layout
\begin_layout Code
+
ffxy:
\end_layout
@@ -2766,6 +2828,7 @@ Ein Beispiel für diese Adresse könnte sein:
\end_layout
\begin_layout Code
+
ff02::1:ff00:1234
\end_layout
@@ -2834,6 +2897,7 @@ Die Subnet-Router Anycast Adresse ist ein einfaches Beispiel für eine Anycast
\end_layout
\begin_layout Code
+
2001:0db8:100:f101:210:a4ff:fee3:9566/64 <- Node's address
\end_layout
@@ -2843,6 +2907,7 @@ Die Subnet-Router Anycast Adresse wird durch komplette Streichung des Suffixes
\end_layout
\begin_layout Code
+
2001:0db8:100:f101::/64 <- subnet-router anycast address
\end_layout
@@ -2882,6 +2947,7 @@ Als Beispiel hat hier ein NIC folgende MAC-Adresse (48 bit):
\end_layout
\begin_layout Code
+
00:10:a4:01:23:45
\end_layout
@@ -2901,6 +2967,7 @@ target "http://standards.ieee.org/regauth/oui/tutorials/EUI64.html"
\end_layout
\begin_layout Code
+
0210:a4ff:fe01:2345
\end_layout
@@ -2912,6 +2979,7 @@ Mit einem gegebenen Präfix wird daraus die schon oben gezeigte IPv6-Adresse:
\end_layout
\begin_layout Code
+
2001:0db8:0100:f101:0210:a4ff:fe01:2345
\end_layout
@@ -2969,6 +3037,7 @@ Bei Servern ist es wahrscheinlich leichter, sich einfachere Adressen zu
\end_layout
\begin_layout Code
+
2001:0db8:100:f101::1
\end_layout
@@ -3066,6 +3135,7 @@ Ein Beispiel:
\end_layout
\begin_layout Code
+
2001:0db8:100:1:2:3:4:5/48
\end_layout
@@ -3079,6 +3149,7 @@ Netzwerk:
\end_layout
\begin_layout Code
+
2001:0db8:0100:0000:0000:0000:0000:0000
\end_layout
@@ -3087,6 +3158,7 @@ Netzmaske:
\end_layout
\begin_layout Code
+
ffff:ffff:ffff:0000:0000:0000:0000:0000
\end_layout
@@ -3106,10 +3178,12 @@ Wenn z.B.
\end_layout
\begin_layout Code
+
2001:0db8:100::/48 :: U 1 0 0 sit1
\end_layout
\begin_layout Code
+
2000::/3 ::192.88.99.1 UG 1 0 0 tun6to4
\end_layout
@@ -3119,10 +3193,12 @@ Die gezeigten Zieladressen der IPv6 Pakete werden über die entsprechenden
\end_layout
\begin_layout Code
+
2001:0db8:100:1:2:3:4:5/48 -> routed through device sit1
\end_layout
\begin_layout Code
+
2001:0db8:200:1:2:3:4:5/48 -> routed through device tun6to4
\end_layout
@@ -3182,6 +3258,7 @@ Um zu überprüfen, ob ihr aktueller Kernel IPv6 unterstützt, sollten sie
\end_layout
\begin_layout Code
+
/proc/net/if_inet6
\end_layout
@@ -3191,6 +3268,7 @@ Einen kleinen automatischen Test können Sie wie folgt durchführen:
\end_layout
\begin_layout Code
+
# test -f /proc/net/if_inet6 && echo "Running kernel is IPv6 ready"
\end_layout
@@ -3210,6 +3288,7 @@ Mit folgenden Befehl können Sie versuchen, das Modul zu laden:
\end_layout
\begin_layout Code
+
# modprobe ipv6
\end_layout
@@ -3220,6 +3299,7 @@ Wenn dieser Befehl positiv verläuft, dann sollten Sie das Modul mit folgendem
\end_layout
\begin_layout Code
+
# lsmod |grep -w 'ipv6' && echo "IPv6 module successfully loaded"
\end_layout
@@ -3245,6 +3325,7 @@ Es ist möglich das IPv6 Modul bei Bedarf automatisch zu laden.
\end_layout
\begin_layout Code
+
alias net-pf-10 ipv6 # automatically load IPv6 module on demand
\end_layout
@@ -3254,6 +3335,7 @@ Mit der folgenden Zeile ist es auch möglich, das automatische Laden des
\end_layout
\begin_layout Code
+
alias net-pf-10 off # disable automatically load of IPv6 module on demand
\end_layout
@@ -3511,10 +3593,12 @@ Automatische Überprüfung:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig -? 2>& 1|grep -qw 'inet6' && echo "utility 'ifconfig' is
\end_layout
\begin_layout Code
+
¬ IPv6-ready"
\end_layout
@@ -3528,6 +3612,7 @@ route
\end_layout
\begin_layout Code
+
# /sbin/route -? 2>& 1|grep -qw 'inet6' && echo "utility 'route' is IPv6-ready"
\end_layout
@@ -3546,6 +3631,7 @@ Alexey N.Kuznetsov (gegenwärtig ein Betreuer des Linux Network Codes) erstellte
\end_layout
\begin_layout Code
+
# /sbin/ip 2>&1 |grep -qw 'inet6' && echo "utility 'ip' is IPv6-ready"
\end_layout
@@ -3611,14 +3697,17 @@ Anwendung
\end_layout
\begin_layout Code
+
# ping6
\end_layout
\begin_layout Code
+
# ping6
\end_layout
\begin_layout Code
+
# ping6 [-I ]
\end_layout
@@ -3630,6 +3719,7 @@ Einige Implementierungen unterstützen auch % Definition zusätzlich
\end_layout
\begin_layout Code
+
# ping6 %
\end_layout
@@ -3638,14 +3728,17 @@ Beispiel
\end_layout
\begin_layout Code
+
# ping6 -c 1 ::1
\end_layout
\begin_layout Code
+
PING ::1(::1) from ::1 : 56 data bytes
\end_layout
\begin_layout Code
+
64 bytes from ::1: icmp_seq=0 hops=64 time=292 usec
\end_layout
@@ -3654,14 +3747,17 @@ PING ::1(::1) from ::1 : 56 data bytes
\end_layout
\begin_layout Code
+
--- ::1 ping statistics ---
\end_layout
\begin_layout Code
+
1 packets transmitted, 1 packets received, 0% packet loss
\end_layout
\begin_layout Code
+
round-trip min/avg/max/mdev = 0.292/0.292/0.292/0.000 ms
\end_layout
@@ -3694,10 +3790,12 @@ Wenn link-lokale Adressen für ein IPv6 ping verwendet werden, dann hat der
\end_layout
\begin_layout Code
+
# ping6 fe80::212:34ff:fe12:3456
\end_layout
\begin_layout Code
+
connect: Invalid argument
\end_layout
@@ -3706,18 +3804,22 @@ In diesem Fall müssen Sie das Interface zusätzlich spezifizieren:
\end_layout
\begin_layout Code
+
# ping6 -I eth0 -c 1 fe80::2e0:18ff:fe90:9205
\end_layout
\begin_layout Code
+
PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from
\end_layout
\begin_layout Code
+
¬ fe80::212:34ff:fe12:3478 eth0: 56 data bytes
\end_layout
\begin_layout Code
+
64 bytes from fe80::212:23ff:fe12:3456: icmp_seq=0 hops=64 time=445 usec
\end_layout
@@ -3726,14 +3828,17 @@ PING fe80::212:23ff:fe12:3456(fe80::212:23ff:fe12:3456) from
\end_layout
\begin_layout Code
+
--- fe80::2e0:18ff:fe90:9205 ping statistics ---
\end_layout
\begin_layout Code
+
1 packets transmitted, 1 packets received, 0% packet loss round-trip
\end_layout
\begin_layout Code
+
¬ min/avg/max/mdev = 0.445/0.445/0.445/0.000 ms
\end_layout
@@ -3744,6 +3849,7 @@ Beispiel für % Notation:
\end_layout
\begin_layout Code
+
# ping6 -c 1 fe80::2e0:18ff:fe90:9205%eth0
\end_layout
@@ -3757,18 +3863,22 @@ Ein interessanter Mechanismus zum Aufspüren eines IPv6 aktiven Hosts am
\end_layout
\begin_layout Code
+
# ping6 -I eth0 ff02::1
\end_layout
\begin_layout Code
+
PING ff02::1(ff02::1) from fe80:::2ab:cdff:feef:0123 eth0: 56 data bytes
\end_layout
\begin_layout Code
+
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.104 ms
\end_layout
\begin_layout Code
+
64 bytes from fe80::212:34ff:fe12:3450: icmp_seq=1 ttl=64 time=0.549 ms (DUP!)
\end_layout
@@ -3780,6 +3890,7 @@ Beispiel für % Notation:
\end_layout
\begin_layout Code
+
# ping6 ff02::1%eth0
\end_layout
@@ -3807,42 +3918,51 @@ Dieses Programm ist normal im Paket iputils enthalten.
\end_layout
\begin_layout Code
+
# traceroute6 www.6bone.net
\end_layout
\begin_layout Code
+
traceroute to 6bone.net (3ffe:b00:c18:1::10) from 2001:0db8:0000:f101::2,
30
\end_layout
\begin_layout Code
+
¬ hops max, 16 byte packets
\end_layout
\begin_layout Code
+
1 localipv6gateway (2001:0db8:0000:f101::1) 1.354 ms 1.566 ms 0.407 ms
\end_layout
\begin_layout Code
+
2 swi6T1-T0.ipv6.switch.ch (3ffe:2000:0:400::1) 90.431 ms 91.956 ms 92.377 ms
\end_layout
\begin_layout Code
+
3 3ffe:2000:0:1::132 (3ffe:2000:0:1::132) 118.945 ms 107.982 ms 114.557 ms
\end_layout
\begin_layout Code
+
4 3ffe:c00:8023:2b::2 (3ffe:c00:8023:2b::2) 968.468 ms 993.392 ms 973.441
ms
\end_layout
\begin_layout Code
+
5 3ffe:2e00:e:c::3 (3ffe:2e00:e:c::3) 507.784 ms 505.549 ms 508.928 ms
\end_layout
\begin_layout Code
+
6 www.6bone.net (3ffe:b00:c18:1::10) 1265.85 ms * 1304.74 ms
\end_layout
@@ -3882,42 +4002,52 @@ iputils
\end_layout
\begin_layout Code
+
# tracepath6 www.6bone.net
\end_layout
\begin_layout Code
+
1?: [LOCALHOST] pmtu 1480
\end_layout
\begin_layout Code
+
1: 3ffe:401::2c0:33ff:fe02:14 150.705ms
\end_layout
\begin_layout Code
+
2: 3ffe:b00:c18::5 267.864ms
\end_layout
\begin_layout Code
+
3: 3ffe:b00:c18::5 asymm 2 266.145ms pmtu 1280
\end_layout
\begin_layout Code
+
3: 3ffe:3900:5::2 asymm 4 346.632ms
\end_layout
\begin_layout Code
+
4: 3ffe:28ff:ffff:4::3 asymm 5 365.965ms
\end_layout
\begin_layout Code
+
5: 3ffe:1cff:0:ee::2 asymm 4 534.704ms
\end_layout
\begin_layout Code
+
6: 3ffe:3800::1:1 asymm 4 578.126ms !N
\end_layout
\begin_layout Code
+
Resume: pmtu 1280
\end_layout
@@ -4010,26 +4140,32 @@ IPv6 ping zur Adresse
\end_layout
\begin_layout Code
+
# tcpdump -t -n -i eth0 -s 512 -vv ip6 or proto ipv6
\end_layout
\begin_layout Code
+
tcpdump: listening on eth0
\end_layout
\begin_layout Code
+
2001:0db8:100:f101:2e0:18ff:fe90:9205 > 2001:0db8:100:f101::1: icmp6: echo
\end_layout
\begin_layout Code
+
¬ request (len 64, hlim 64)
\end_layout
\begin_layout Code
+
2001:0db8:100:f101::1 > 2001:0db8:100:f101:2e0:18ff:fe90:9205: icmp6: echo
\end_layout
\begin_layout Code
+
¬ reply (len 64, hlim 64)
\end_layout
@@ -4048,42 +4184,52 @@ IPv6 ping zur Adresse
\end_layout
\begin_layout Code
+
# tcpdump -t -n -i ppp0 -s 512 -vv ip6 or proto ipv6
\end_layout
\begin_layout Code
+
tcpdump: listening on ppp0
\end_layout
\begin_layout Code
+
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request
\end_layout
\begin_layout Code
+
¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
\end_layout
\begin_layout Code
+
5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
\end_layout
\begin_layout Code
+
¬ 64, hlim 61) (ttl 23, id 29887, len 124)
\end_layout
\begin_layout Code
+
1.2.3.4 > 5.6.7.8: 2002:ffff:f5f8::1 > 2001:0db8:100::1: icmp6: echo request
\end_layout
\begin_layout Code
+
¬ (len 64, hlim 64) (DF) (ttl 64, id 0, len 124)
\end_layout
\begin_layout Code
+
5.6.7.8 > 1.2.3.4: 2001:0db8:100::1 > 2002:ffff:f5f8::1: icmp6: echo reply (len
\end_layout
\begin_layout Code
+
¬ 64, hlim 61) (ttl 23, id 29919, len 124)
\end_layout
@@ -4169,6 +4315,7 @@ Jeder DNS-Server (Domain Name System) sollte aufgrund der Sicherheitsupdates
\end_layout
\begin_layout Code
+
# host -t AAAA www.join.uni-muenster.de
\end_layout
@@ -4177,17 +4324,20 @@ Die Ausgabe des Tests sollte etwa wie folgt sein:
\end_layout
\begin_layout Code
+
www.join.uni-muenster.de.
is an alias for tolot.join.uni-muenster.de.
\end_layout
\begin_layout Code
+
tolot.join.uni-muenster.de.
has AAAA address
\end_layout
\begin_layout Code
+
¬ 2001:638:500:101:2e0:81ff:fe24:37c6
\end_layout
@@ -4201,25 +4351,30 @@ IPv6 kompatible Clients sind verfügbar.
\end_layout
\begin_layout Code
+
$ telnet 3ffe:400:100::1 80
\end_layout
\begin_layout Code
+
Trying 3ffe:400:100::1...
\end_layout
\begin_layout Code
+
Connected to 3ffe:400:100::1.
\end_layout
\begin_layout Code
+
Escape character is '^]'.
\end_layout
\begin_layout Code
+
HEAD / HTTP/1.0
\end_layout
@@ -4228,38 +4383,47 @@ HEAD / HTTP/1.0
\end_layout
\begin_layout Code
+
HTTP/1.1 200 OK
\end_layout
\begin_layout Code
+
Date: Sun, 16 Dec 2001 16:07:21
\end_layout
\begin_layout Code
+
GMT Server: Apache/2.0.28 (Unix)
\end_layout
\begin_layout Code
+
Last-Modified: Wed, 01 Aug 2001 21:34:42 GMT
\end_layout
\begin_layout Code
+
ETag: "3f02-a4d-b1b3e080"
\end_layout
\begin_layout Code
+
Accept-Ranges: bytes
\end_layout
\begin_layout Code
+
Content-Length: 2637
\end_layout
\begin_layout Code
+
Connection: close
\end_layout
\begin_layout Code
+
Content-Type: text/html; charset=ISO-8859-1
\end_layout
@@ -4268,6 +4432,7 @@ Content-Type: text/html; charset=ISO-8859-1
\end_layout
\begin_layout Code
+
Connection closed by foreign host.
\end_layout
@@ -4309,14 +4474,17 @@ he Verhaltensweisen:
\end_layout
\begin_layout Code
+
$ ssh -6 ::1
\end_layout
\begin_layout Code
+
user@::1's password: ******
\end_layout
\begin_layout Code
+
[user@ipv6host user]$
\end_layout
@@ -4866,10 +5034,12 @@ Gebrauch:
\end_layout
\begin_layout Code
+
# ip link set dev up
\end_layout
\begin_layout Code
+
# ip link set dev down
\end_layout
@@ -4882,10 +5052,12 @@ Beispiel:
\end_layout
\begin_layout Code
+
# ip link set dev eth0 up
\end_layout
\begin_layout Code
+
# ip link set dev eth0 down
\end_layout
@@ -4899,10 +5071,12 @@ Gebrauch:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig up
\end_layout
\begin_layout Code
+
# /sbin/ifconfig down
\end_layout
@@ -4911,10 +5085,12 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig eth0 up
\end_layout
\begin_layout Code
+
# /sbin/ifconfig eth0 down
\end_layout
@@ -4969,6 +5145,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr show dev
\end_layout
@@ -4977,22 +5154,27 @@ Beispiel für einen statisch konfigurierten Host:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr show dev eth0
\end_layout
\begin_layout Code
+
2: eth0:
\end_layout
@@ -5070,18 +5261,22 @@ en (die Ausgabe wurde mit grep gefiltert)
\end_layout
\begin_layout Code
+
# /sbin/ifconfig eth0 |grep "inet6 addr:"
\end_layout
\begin_layout Code
+
inet6 addr: fe80::210:a4ff:fee3:9566/10 Scope:Link
\end_layout
\begin_layout Code
+
inet6 addr: 2001:0db8:0:f101::1/64 Scope:Global
\end_layout
\begin_layout Code
+
inet6 addr: fec0:0:0:f101::1/64 Scope:Site
\end_layout
@@ -5104,6 +5299,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr add / dev
\end_layout
@@ -5112,6 +5308,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr add 2001:0db8:0:f101::1/64 dev eth0
\end_layout
@@ -5125,6 +5322,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig inet6 add /
\end_layout
@@ -5133,6 +5331,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig eth0 inet6 add 2001:0db8:0:f101::1/64
\end_layout
@@ -5156,6 +5355,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr del / dev
\end_layout
@@ -5164,6 +5364,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr del 2001:0db8:0:f101::1/64 dev eth0
\end_layout
@@ -5177,6 +5378,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig inet6 del /
\end_layout
@@ -5185,6 +5387,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig eth0 inet6 del 2001:0db8:0:f101::1/64
\end_layout
@@ -5238,6 +5441,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route show [dev ]
\end_layout
@@ -5247,22 +5451,27 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route show dev eth0
\end_layout
\begin_layout Code
+
2001:0db8:0:f101::/64 proto kernel metric 256 mtu 1500 advmss 1440
\end_layout
\begin_layout Code
+
fe80::/10 proto kernel metric 256 mtu 1500 advmss 1440
\end_layout
\begin_layout Code
+
ff00::/8 proto kernel metric 256 mtu 1500 advmss 1440
\end_layout
\begin_layout Code
+
default proto kernel metric 256 mtu 1500 advmss 1440
\end_layout
@@ -5276,6 +5485,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6
\end_layout
@@ -5286,34 +5496,42 @@ Sie sehen hier mehrere IPv6 Routen mit unterschiedlichen Adressen eines
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 |grep -w "eth0"
\end_layout
\begin_layout Code
+
2001:0db8:0:f101 ::/64 :: UA 256 0 0 eth0 <- Interface route for global
\end_layout
\begin_layout Code
+
¬ address
\end_layout
\begin_layout Code
+
fe80::/10 :: UA 256 0 0 eth0 <- Interface route for link-local
\end_layout
\begin_layout Code
+
¬ address
\end_layout
\begin_layout Code
+
ff00::/8 :: UA 256 0 0 eth0 <- Interface route for all multicast
\end_layout
\begin_layout Code
+
¬ addresses
\end_layout
\begin_layout Code
+
::/0 :: UDA 256 0 0 eth0 <- Automatic default route
\end_layout
@@ -5336,10 +5554,12 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add / via
\end_layout
\begin_layout Code
+
¬ [dev ]
\end_layout
@@ -5348,6 +5568,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add default via 2001:0db8:0:f101::1
\end_layout
@@ -5361,10 +5582,12 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add / gw
\end_layout
\begin_layout Code
+
¬ [dev ]
\end_layout
@@ -5383,6 +5606,7 @@ Im folgenden Beispiel wird eine Route für alle Adressen (default) über das
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add default gw 2001:0db8:0:f101::1
\end_layout
@@ -5407,10 +5631,12 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del / via
\end_layout
\begin_layout Code
+
¬ [dev ]
\end_layout
@@ -5419,6 +5645,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del default via 2001:0db8:0:f101::1
\end_layout
@@ -5432,11 +5659,13 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del / gw
[dev
\end_layout
\begin_layout Code
+
¬ ]
\end_layout
@@ -5445,6 +5674,7 @@ Beispiel zum entfernen der im obigen Beispiel hinzugefügten Route:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del default gw 2001:0db8:0:f101::1
\end_layout
@@ -5468,10 +5698,12 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add / dev
\end_layout
\begin_layout Code
+
¬ metric 1
\end_layout
@@ -5480,6 +5712,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add default dev eth0 metric 1
\end_layout
@@ -5522,6 +5755,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add / dev
\end_layout
@@ -5530,6 +5764,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add default dev eth0
\end_layout
@@ -5552,6 +5787,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del / dev
\end_layout
@@ -5560,6 +5796,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del default dev eth0
\end_layout
@@ -5573,6 +5810,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del / dev
\end_layout
@@ -5582,6 +5820,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del default dev eth0
\end_layout
@@ -5621,14 +5860,17 @@ Ein client kann eine Default Route (z.B.
\end_layout
\begin_layout Code
+
# ip -6 route show | grep ^default
\end_layout
\begin_layout Code
+
default via fe80::212:34ff:fe12:3450 dev eth0 proto kernel metric 1024 expires
\end_layout
\begin_layout Code
+
¬ 29sec mtu 1500 advmss 1440
\end_layout
@@ -5725,6 +5967,7 @@ Mit dem folgenden Befehl können Sie die gelernten oder konfigurierten IPv6
\end_layout
\begin_layout Code
+
# ip -6 neigh show [dev ]
\end_layout
@@ -5733,10 +5976,12 @@ Das folgende Beispiel zeigt einen Nachbar, einen erreichbaren Router:
\end_layout
\begin_layout Code
+
# ip -6 neigh show
\end_layout
\begin_layout Code
+
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
\end_layout
@@ -5761,6 +6006,7 @@ Mit folgendem Befehl können Sie einen Eintrag manuell hinzufügen:
\end_layout
\begin_layout Code
+
# ip -6 neigh add lladdr dev
\end_layout
@@ -5769,6 +6015,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# ip -6 neigh add fec0::1 lladdr 02:01:02:03:04:05 dev eth0
\end_layout
@@ -5781,6 +6028,7 @@ Sie können einen Eintrag auch löschen:
\end_layout
\begin_layout Code
+
# ip -6 neigh del lladdr dev
\end_layout
@@ -5789,6 +6037,7 @@ Beispiel:
\end_layout
\begin_layout Code
+
# ip -6 neigh del fec0::1 lladdr 02:01:02:03:04:05 dev eth0
\end_layout
@@ -5818,23 +6067,28 @@ help
\end_layout
\begin_layout Code
+
# ip -6 neigh help
\end_layout
\begin_layout Code
+
Usage: ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR
]
\end_layout
\begin_layout Code
+
[ nud { permanent | noarp | stale | reachable } ]
\end_layout
\begin_layout Code
+
| proxy ADDR } [ dev DEV ]
\end_layout
\begin_layout Code
+
ip neigh {show|flush} [ to PREFIX ] [ dev DEV ] [ nud STATE ]
\end_layout
@@ -6040,22 +6294,27 @@ target "http://www.faqs.org/rfcs/rfc3056.html"
\end_layout
\begin_layout Code
+
| 3+13 | 32 | 16 | 64 bits |
\end_layout
\begin_layout Code
+
+---+------+-----------+--------+--------------------------------+
\end_layout
\begin_layout Code
+
| FP+TLA | V4ADDR | SLA ID | Interface ID |
\end_layout
\begin_layout Code
+
| 0x2002 | | | |
\end_layout
\begin_layout Code
+
+---+------+-----------+--------+--------------------------------+
\end_layout
@@ -6287,6 +6546,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel show []
\end_layout
@@ -6295,14 +6555,17 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel show
\end_layout
\begin_layout Code
+
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
\end_layout
\begin_layout Code
+
sit1: ipv6/ip remote 195.226.187.50 local any ttl 64
\end_layout
@@ -6315,6 +6578,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6
\end_layout
@@ -6324,6 +6588,7 @@ Beispiel (Ausgabe wurde derart gefiltert, dass nur Tunnels über das virtuelle
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 | grep "
\backslash
Wsit0
@@ -6332,22 +6597,27 @@ W*$"
\end_layout
\begin_layout Code
+
::/96 :: U 256 2 0 sit0
\end_layout
\begin_layout Code
+
2002::/16 :: UA 256 0 0 sit0
\end_layout
\begin_layout Code
+
2000::/3 ::193.113.58.75 UG 1 0 0 sit0
\end_layout
\begin_layout Code
+
fe80::/10 :: UA 256 0 0 sit0
\end_layout
\begin_layout Code
+
ff00::/8 :: UA 256 0 0 sit0
\end_layout
@@ -6425,10 +6695,12 @@ ert 0 ist):
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add mode sit ttl remote
\end_layout
\begin_layout Code
+
¬ local
\end_layout
@@ -6437,18 +6709,22 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add sit1 mode sit ttl remote
\end_layout
\begin_layout Code
+
¬ local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev sit1 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev sit1 metric 1
\end_layout
@@ -6457,18 +6733,22 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add sit2 mode sit ttl
\end_layout
\begin_layout Code
+
¬ local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev sit2 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev sit2 metric 1
\end_layout
@@ -6477,18 +6757,22 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add sit3 mode sit ttl
\end_layout
\begin_layout Code
+
¬ local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev sit3 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev sit3 metric 1
\end_layout
@@ -6511,6 +6795,7 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 up
\end_layout
@@ -6519,14 +6804,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 tunnel
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit1 up
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add dev sit1
\end_layout
@@ -6535,14 +6823,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 tunnel
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit2 up
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add dev sit2
\end_layout
@@ -6551,14 +6842,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 tunnel
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit3 up
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add dev sit3
\end_layout
@@ -6587,6 +6881,7 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 up
\end_layout
@@ -6595,26 +6890,32 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
@@ -6644,6 +6945,7 @@ Entfernen eines Tunnel-Devices:
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel del
\end_layout
@@ -6652,14 +6954,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev sit1
\end_layout
\begin_layout Code
+
# /sbin/ip link set sit1 down
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel del sit1
\end_layout
@@ -6668,14 +6973,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev sit2
\end_layout
\begin_layout Code
+
# /sbin/ip link set sit2 down
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel del sit2
\end_layout
@@ -6684,14 +6992,17 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev sit3
\end_layout
\begin_layout Code
+
# /sbin/ip link set sit3 down
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel del sit3
\end_layout
@@ -6712,10 +7023,12 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del dev sit3
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit3 down
\end_layout
@@ -6724,10 +7037,12 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del dev sit2
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit2 down
\end_layout
@@ -6736,10 +7051,12 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add dev sit1
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit1 down
\end_layout
@@ -6748,6 +7065,7 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 down
\end_layout
@@ -6769,26 +7087,32 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del gw
\end_layout
\begin_layout Code
+
¬ :: dev sit0
\end_layout
@@ -6797,6 +7121,7 @@ Anwendung (drei allgemeine Beispiele):
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 down
\end_layout
@@ -6857,6 +7182,7 @@ Angenommen, Ihre IPv4 Adresse ist:
\end_layout
\begin_layout Code
+
1.2.3.4
\end_layout
@@ -6865,6 +7191,7 @@ Dann ist das daraus resultierende 6to4 Präfix:
\end_layout
\begin_layout Code
+
2002:0102:0304::
\end_layout
@@ -6883,6 +7210,7 @@ pe Suffix kann benutzt werden) das Suffix
\end_layout
\begin_layout Code
+
2002:0102:0304::1
\end_layout
@@ -6891,6 +7219,7 @@ Zum automatischen Erstellen der Adresse können Sie folgenden Befehl nutzen:
\end_layout
\begin_layout Code
+
ipv4="1.2.3.4"; printf "2002:%02x%02x:%02x%02x::1" `echo $ipv4 | tr "." " "`
\end_layout
@@ -6912,10 +7241,12 @@ Erstellen eines neues Tunnel-Device:
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add tun6to4 mode sit ttl remote any local
\end_layout
\begin_layout Code
+
¬
\end_layout
@@ -6924,6 +7255,7 @@ Interface aktivieren:
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev tun6to4 up
\end_layout
@@ -6933,6 +7265,7 @@ Eine lokale 6to4 Adresse am Interface hinzufügen (Hinweis: Präfix-Länge
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr add /16 dev tun6to4
\end_layout
@@ -6942,6 +7275,7 @@ Hinzufügen der (Standard-) Route zum globalen IPv6 Netz unter Verwendung
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add default via ::192.88.99.1 dev tun6to4 metric 1
\end_layout
@@ -6962,6 +7296,7 @@ ip
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add default via 2002:c058:6301::1 dev tun6to4 metric
1
\end_layout
@@ -6981,6 +7316,7 @@ Das allgemeine Tunnel Interface sit0 aktivieren:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 up
\end_layout
@@ -6989,6 +7325,7 @@ Dem Interface eine lokale 6to4 Adresse hinzufügen:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 add /16
\end_layout
@@ -6998,6 +7335,7 @@ Hinzufügen der (Standard-) Route zum globalen IPv6 Netz unter Verwendung
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 add default gw ::192.88.99.1 dev sit0
\end_layout
@@ -7014,6 +7352,7 @@ Entfernen aller Routen über dieses bestimmten Tunnel Devices:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route flush dev tun6to4
\end_layout
@@ -7022,6 +7361,7 @@ Interface deaktivieren:
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev tun6to4 down
\end_layout
@@ -7030,6 +7370,7 @@ Ein erstelltes Tunnel Device entfernen:
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel del tun6to4
\end_layout
@@ -7043,6 +7384,7 @@ Entfernen der (Standard-) Route über ein 6to4 Tunnel Device:
\end_layout
\begin_layout Code
+
# /sbin/route -A inet6 del default gw ::192.88.99.1 dev sit0
\end_layout
@@ -7051,6 +7393,7 @@ Eine 6to4 Adresse des Interfaces entfernen:
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 del /16
\end_layout
@@ -7060,6 +7403,7 @@ Ein allgemeines Tunnel Device deaktivieren (aber Achtung, eventuell ist
\end_layout
\begin_layout Code
+
# /sbin/ifconfig sit0 down
\end_layout
@@ -7107,6 +7451,7 @@ Anwendung:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel show []
\end_layout
@@ -7117,15 +7462,18 @@ Beispiel:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel show mode any
\end_layout
\begin_layout Code
+
ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00
flowlabel 0x00000 (flowinfo 0x00000000)
\end_layout
\begin_layout Code
+
ip6tnl1: ip/ipv6 remote fd00:0:0:2::a local fd00:0:0:2::1 dev eth1 encaplimit
4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
\end_layout
@@ -7151,6 +7499,7 @@ Anwendung für die Erzeugung einer 4over6 Tunnel-Schnittstelle (welche danach
\end_layout
\begin_layout Code
+
# /sbin/ip tunnel add mode ip4ip6 remote
local
\end_layout
@@ -7162,15 +7511,18 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel add ip6tnl1 mode ip4ip6 remote local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev ip6tnl1 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev ip6tnl1 metric 1
\end_layout
@@ -7179,15 +7531,18 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel add ip6tnl2 mode ip4ip6 remote local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev ip6tnl2 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev ip6tnl2 metric 1
\end_layout
@@ -7196,15 +7551,18 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel add ip6tnl3 mode ip4ip6 remote local
\end_layout
\begin_layout Code
+
# /sbin/ip link set dev ip6tnl3 up
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add dev ip6tnl3 metric 1
\end_layout
@@ -7221,6 +7579,7 @@ Anwendung für das Löschen einer Tunnel-Schnittstelle:
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel del
\end_layout
@@ -7231,14 +7590,17 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev ip6tnl1
\end_layout
\begin_layout Code
+
# /sbin/ip link set ip6tnl1 down
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel del ip6tnl1
\end_layout
@@ -7247,14 +7609,17 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev ip6tnl2
\end_layout
\begin_layout Code
+
# /sbin/ip link set ip6tnl2 down
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel del ip6tnl2
\end_layout
@@ -7263,14 +7628,17 @@ Anwendung (allgemeines Beispiel für drei Tunnels):
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route del dev ip6tnl3
\end_layout
\begin_layout Code
+
# /sbin/ip link set ip6tnl3 down
\end_layout
\begin_layout Code
+
# /sbin/ip -6 tunnel del ip6tnl3
\end_layout
@@ -7350,6 +7718,7 @@ Das /proc-Dateisystem muss im Kernel aktiviert sein.
\end_layout
\begin_layout Code
+
CONFIG_PROC_FS=y
\end_layout
@@ -7359,10 +7728,12 @@ Das /proc-Dateisystem muss zuerst gemountet sein.
\end_layout
\begin_layout Code
+
# mount | grep "type proc"
\end_layout
\begin_layout Code
+
none on /proc type proc (rw)
\end_layout
@@ -7394,10 +7765,12 @@ cat
\end_layout
\begin_layout Code
+
# cat /proc/sys/net/ipv6/conf/all/forwarding
\end_layout
\begin_layout Code
+
0
\end_layout
@@ -7419,6 +7792,7 @@ echo
\end_layout
\begin_layout Code
+
# echo "1" >/proc/sys/net/ipv6/conf/all/forwarding
\end_layout
@@ -7467,6 +7841,7 @@ Das sysctl-Interface muss im Kernel aktiviert sein.
\end_layout
\begin_layout Code
+
CONFIG_SYSCTL=y
\end_layout
@@ -7479,10 +7854,12 @@ Der Wert eines Eintrags kann nun angezeigt werden:
\end_layout
\begin_layout Code
+
# sysctl net.ipv6.conf.all.forwarding
\end_layout
\begin_layout Code
+
net.ipv6.conf.all.forwarding = 0
\end_layout
@@ -7496,10 +7873,12 @@ Ein neuer Wert kann wie folgt zugewiesen werden (wenn der Eintrag beschreibbar
\end_layout
\begin_layout Code
+
# sysctl -w net.ipv6.conf.all.forwarding=1
\end_layout
\begin_layout Code
+
net.ipv6.conf.all.forwarding = 1
\end_layout
@@ -7519,10 +7898,12 @@ Anmerkung: Verwenden Sie beim setzen eines Wertes keine Leerzeichen vor
\end_layout
\begin_layout Code
+
# sysctl -w net.ipv4.ip_local_port_range="32768 61000"
\end_layout
\begin_layout Code
+
net.ipv4.ip_local_port_range = 32768 61000
\end_layout
@@ -8005,10 +8386,12 @@ target "http://www.zebra.org/"
\end_layout
\begin_layout Code
+
ZEBRA: netlink-listen error: No buffer space available, type=RTM_NEWROUTE(24),
\end_layout
\begin_layout Code
+
¬ seq=426, pid=0
\end_layout
@@ -8484,22 +8867,27 @@ net/ipv6/addrconf.c
\end_layout
\begin_layout Code
+
# cat /proc/net/if_inet6
\end_layout
\begin_layout Code
+
00000000000000000000000000000001 01 80 10 80 lo
\end_layout
\begin_layout Code
+
+------------------------------+ ++ ++ ++ ++ ++
\end_layout
\begin_layout Code
+
| | | | | |
\end_layout
\begin_layout Code
+
1 2 3 4 5 6
\end_layout
@@ -8593,22 +8981,27 @@ net/ipv6/route.c
\end_layout
\begin_layout Code
+
# cat /proc/net/ipv6_route
\end_layout
\begin_layout Code
+
00000000000000000000000000000000 00 00000000000000000000000000000000 00
\end_layout
\begin_layout Code
+
+------------------------------+ ++ +------------------------------+ ++
\end_layout
\begin_layout Code
+
| | | |
\end_layout
\begin_layout Code
+
1 2 3 4
\end_layout
@@ -8617,18 +9010,22 @@ net/ipv6/route.c
\end_layout
\begin_layout Code
+
¬ 00000000000000000000000000000000 ffffffff 00000001 00000001 00200200 lo
\end_layout
\begin_layout Code
+
¬ +------------------------------+ +------+ +------+ +------+ +------+ ++
\end_layout
\begin_layout Code
+
¬ | | | | | |
\end_layout
\begin_layout Code
+
¬ 5 6 7 8 9 10
\end_layout
@@ -8688,22 +9085,27 @@ Statistiken über verwendete IPv6 Sockets.
\end_layout
\begin_layout Code
+
# cat /proc/net/sockstat6
\end_layout
\begin_layout Code
+
TCP6: inuse 7
\end_layout
\begin_layout Code
+
UDP6: inuse 2
\end_layout
\begin_layout Code
+
RAW6: inuse 1
\end_layout
\begin_layout Code
+
FRAG6: inuse 0 memory 0
\end_layout
@@ -8803,41 +9205,6 @@ name "resolver"
Adress-Auflösung
\end_layout
-\begin_layout Standard
-
-\lang english
-Die Auflösung von Namen zu einer IPv4- bzw.
- IPv6-Adresse wird üblicherweise durch die Benutzung einer libc resolver
- Bibliothek durchgeführt.
- Es sind einige Seltsamkeiten bekannt bei der Nutzung der Funktion
-\emph on
-getaddrinfo
-\emph default
-.
-\end_layout
-
-\begin_layout Standard
-
-\lang english
-Mehr Information kann dazu aktuell gefunden werden unter
-\begin_inset CommandInset href
-LatexCommand href
-name "Linux & IPv6: getaddrinfo and search domains - Research"
-target "http://www.bieringer.de/linux/IPv6/getaddrinfo/"
-
-\end_inset
-
- and
-\begin_inset CommandInset href
-LatexCommand href
-name "RFC 3484 on Linux"
-target "http://people.redhat.com/drepper/linux-rfc3484.html"
-
-\end_inset
-
-.
-\end_layout
-
\begin_layout Standard
\begin_inset VSpace defskip
\end_inset
@@ -8846,7 +9213,674 @@ target "http://people.redhat.com/drepper/linux-rfc3484.html"
\end_layout
\begin_layout Standard
-Mehr Infos hierzu in späteren Versionen...
+
+\lang english
+Zusätzliche Informationen sind hier zu finden
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+\begin_inset CommandInset href
+LatexCommand href
+name "Linux & IPv6: getaddrinfo and search domains - Research"
+target "http://www.bieringer.de/linux/IPv6/getaddrinfo/"
+
+\end_inset
+
+
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+\begin_inset CommandInset href
+LatexCommand href
+name "RFC 3484 on Linux"
+target "http://people.redhat.com/drepper/linux-rfc3484.html"
+
+\end_inset
+
+
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Karl Auer's Blog:
+\begin_inset CommandInset href
+LatexCommand href
+name "Controlling IPv6 source address selection"
+target "http://biplane.com.au/blog/?p=30"
+
+\end_inset
+
+ ,
+\begin_inset CommandInset href
+LatexCommand href
+name "IPv6 Source Address Selection - what, why, how"
+target "http://biplane.com.au/blog/?p=22"
+
+\end_inset
+
+
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Into6:
+\begin_inset CommandInset href
+LatexCommand href
+name "/etc/gai.conf - it ain't what you think it is"
+target "http://into6.com.au/?p=288"
+
+\end_inset
+
+
+\end_layout
+
+\begin_layout Section*
+
+\lang english
+Address-Auflösung & Ziel-Adressen-Auswahl
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Die Auflösung von Namen zu einer IPv4- bzw.
+ IPv6-Adresse wird üblicherweise durch die Benutzung einer libc resolver
+ Bibliothek durchgeführt.
+ Dazu wird normalerweise die Funktion
+\emph on
+getaddrinfo
+\emph default
+ benutzt.
+ Im Fall, dass mehr als eine IPv6-Adresse zurückgegeben wird, soll nach
+
+\begin_inset CommandInset href
+LatexCommand href
+name "RFC 3484 / Default Address Selection for Internet Protocol version 6"
+target "http://www.faqs.org/rfcs/rfc3484.html"
+
+\end_inset
+
+ eine Sortierung angewandt werden, die optional auch konfiguriert werden
+ kann.
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Die
+\begin_inset Quotes sld
+\end_inset
+
+Magie
+\begin_inset Quotes srd
+\end_inset
+
+ ist durch die Datei /etc/gai.conf konfigurierbar (welche fehlt oder leer
+ ist, solange Standardwerte gelten sollen).
+ Die vorgegebene Sortierung ist üblicherweise in der Dokumentation (z.B.
+ /usr/share/doc/glibc-common/gai.conf) oder im Manual
+\begin_inset Quotes sld
+\end_inset
+
+man gai.conf
+\begin_inset Quotes srd
+\end_inset
+
+ zu sehen.
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Für die Kontrolle der Sortierung via benutzerdefinierter Konfiguration ist
+ für Tests folgendes notwendig:
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Ein Hostname im DNS, der mehr als eine IPv6-Adresse zurückgibt, z.B.
+\end_layout
+
+\begin_layout Code
+
+$ dig +short aaaa st1.bieringer.de
+\end_layout
+
+\begin_layout Code
+
+2001:4dd0:ff00:834::2
+\end_layout
+
+\begin_layout Code
+
+2a01:238:423d:8800:85b3:9e6b:3019:8909
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Lookup via DNS (mit /etc/hosts klappt es nicht)
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+/etc/gai.conf mit einer passenden Konfiguration, e.g.
+\end_layout
+
+\begin_layout Code
+
+precedence ::1/128 50 # default
+\end_layout
+
+\begin_layout Code
+
+precedence ::/0 40 # default
+\end_layout
+
+\begin_layout Code
+
+precedence 2002::/16 30 # default
+\end_layout
+
+\begin_layout Code
+
+precedence ::/96 20 # default
+\end_layout
+
+\begin_layout Code
+
+precedence ::ffff:0:0/96 10 # default
+\end_layout
+
+\begin_layout Code
+
+precedence 2001:4dd0:ff00:834::/64 80 # dst-A
+\end_layout
+
+\begin_layout Code
+
+precedence 2a01:238:423d:8800::/64 90 # dst-B
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Für Tests kann dann ein Telnet-Client benutzt werden:
+\end_layout
+
+\begin_layout Code
+
+$ telnet st1.bieringer.de
+\end_layout
+
+\begin_layout Code
+
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909...
+ (dst-B)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Code
+
+Trying 2001:4dd0:ff00:834::2...
+ (dst-A)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Wenn nun die precedence geändert wird in der Konfiguration:
+\end_layout
+
+\begin_layout Code
+
+precedence 2001:4dd0:ff00:834::/64 90 # dst-A ex 80
+\end_layout
+
+\begin_layout Code
+
+precedence 2a01:238:423d:8800::/64 80 # dst-B ex 90
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Dann ändert sich die Reihenfolge entsprechend
+\end_layout
+
+\begin_layout Code
+
+$ telnet st1.bieringer.de
+\end_layout
+
+\begin_layout Code
+
+Trying 2001:4dd0:ff00:834::2...
+ (dst-A)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Code
+
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909...
+ (dst-B)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Section*
+
+\lang english
+Quell-Addressen-Auswahl
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Source address selection in Linux wird automatisch vom Kernel vorgenommen,
+ üblicherweise abhängig von den Routing-Tabellen und unter der Vorgabe,
+ den Scope einer Adresse beizubehalten.
+\end_layout
+
+\begin_layout Subsection*
+
+\lang english
+Quell-Adressen-Auswahl mit
+\begin_inset Quotes sld
+\end_inset
+
+ip addrlabel
+\begin_inset Quotes srd
+\end_inset
+
+
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Mit einer Erweiterung der internen
+\begin_inset Quotes sld
+\end_inset
+
+ip addrlabel
+\begin_inset Quotes srd
+\end_inset
+
+ Tabelle kann eine Quell-Adresse zu einer Ziel-Adresse gebunden werden.
+ Bindung wird hier durch die Angabe des gleichen Labels (einer Nummer) konfiguri
+ert.
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Standard von
+\begin_inset Quotes sld
+\end_inset
+
+ip addrlabel
+\begin_inset Quotes srd
+\end_inset
+
+ (hier von CentOS 6):
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel
+\end_layout
+
+\begin_layout Code
+
+prefix ::1/128 label 0
+\end_layout
+
+\begin_layout Code
+
+prefix ::/96 label 3
+\end_layout
+
+\begin_layout Code
+
+prefix ::ffff:0.0.0.0/96 label 4
+\end_layout
+
+\begin_layout Code
+
+prefix 2001::/32 label 6
+\end_layout
+
+\begin_layout Code
+
+prefix 2001:10::/28 label 7
+\end_layout
+
+\begin_layout Code
+
+prefix 2002::/16 label 2
+\end_layout
+
+\begin_layout Code
+
+prefix fc00::/7 label 5
+\end_layout
+
+\begin_layout Code
+
+prefix ::/0 label 1
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Das System ist multihomed (hier an einem Interface), der Router verteilt
+ 2 Präfixe mit Hilfe von radvd:
+\end_layout
+
+\begin_layout Code
+
+# ip -6 addr show dev eth1 | grep -w inet6 |grep -w global
+\end_layout
+
+\begin_layout Code
+
+ inet6 2001:6f8:12d8:2:5054:ff:fefb:6582/64 scope global dynamic
+ (src-A)
+\end_layout
+
+\begin_layout Code
+
+ inet6 2001:6f8:900:8cbc:5054:ff:fefb:6582/64 scope global dynamic
+ (src-B)
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Eine Verbindung zum Server zeigt nun:
+\end_layout
+
+\begin_layout Code
+
+$ telnet st1.bieringer.de
+\end_layout
+
+\begin_layout Code
+
+Trying 2001:4dd0:ff00:834::2...
+ (dst-A)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Code
+
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909...
+ (dst-B)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Ein tcpdump mit filter
+\begin_inset Quotes sld
+\end_inset
+
+tcp and dst port 23
+\begin_inset Quotes srd
+\end_inset
+
+ zeigt nur die Benutzung der oberen lokalen Quell-IPv6-Adresse
+\end_layout
+
+\begin_layout Code
+
+IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.37762 > 2001:4dd0:ff00:834::2.telnet:
+ (src-A -> dst-A)
+\end_layout
+
+\begin_layout Code
+
+IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.45754 > 2a01:238:423d:8800:85b3:9e6b:3019:8
+909.telnet: (src-A -> dst-B)
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Wenn nun Quelle und Ziel mit Hilfe von
+\begin_inset Quotes sld
+\end_inset
+
+ip addrlabel
+\begin_inset Quotes srd
+\end_inset
+
+ zusammengebunden werden:
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel add prefix 2001:6f8:12d8:2::/64 label 200
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel add prefix 2001:6f8:900:8cbc::/64 label 300
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel add prefix 2001:4dd0:ff00:834::/64 label 200
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel add prefix 2a01:238:423d:8800::/64 label 300
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Was in folgender
+\begin_inset Quotes sld
+\end_inset
+
+ip addrlabel
+\begin_inset Quotes srd
+\end_inset
+
+resultiert:
+\end_layout
+
+\begin_layout Code
+
+# ip addrlabel
+\end_layout
+
+\begin_layout Code
+
+prefix ::1/128 label 0
+\end_layout
+
+\begin_layout Code
+
+prefix ::/96 label 3
+\end_layout
+
+\begin_layout Code
+
+prefix ::ffff:0.0.0.0/96 label 4
+\end_layout
+
+\begin_layout Code
+
+prefix 2a01:238:423d:8800::/64 label 300 # dst-B
+\end_layout
+
+\begin_layout Code
+
+prefix 2001:4dd0:ff00:834::/64 label 200 # dst-A
+\end_layout
+
+\begin_layout Code
+
+prefix 2001:6f8:900:8cbc::/64 label 300 # src-B
+\end_layout
+
+\begin_layout Code
+
+prefix 2001:6f8:12d8:2::/64 label 200 # src-A
+\end_layout
+
+\begin_layout Code
+
+prefix 2001::/32 label 6
+\end_layout
+
+\begin_layout Code
+
+prefix 2001:10::/28 label 7
+\end_layout
+
+\begin_layout Code
+
+prefix 2002::/16 label 2
+\end_layout
+
+\begin_layout Code
+
+prefix fc00::/7 label 5
+\end_layout
+
+\begin_layout Code
+
+prefix ::/0 label 1
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+Und dann nochmal eine Verbindung zum Server versucht wird
+\end_layout
+
+\begin_layout Code
+
+$ telnet st1.bieringer.de
+\end_layout
+
+\begin_layout Code
+
+Trying 2001:4dd0:ff00:834::2...
+ (dst-A)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Code
+
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909...
+ (dst-B)
+\end_layout
+
+\begin_layout Code
+
+...
+\end_layout
+
+\begin_layout Itemize
+
+\lang english
+tcpdump mit filter
+\begin_inset Quotes sld
+\end_inset
+
+tcp and dst port 23
+\begin_inset Quotes srd
+\end_inset
+
+ zeigt nun die Benutzung beider Quell-IPv6-Adressen wie konfiguriert
+\end_layout
+
+\begin_layout Code
+
+IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.37765 > 2001:4dd0:ff00:834::2.telnet:
+ (src-A -> dst-A)
+\end_layout
+
+\begin_layout Code
+
+IP6 2001:6f8:900:8cbc:5054:ff:fefb:6582.39632 > 2a01:238:423d:8800:85b3:9e6b:3019
+:8909.telnet: (src-B -> dst-B)
+\end_layout
+
+\begin_layout Standard
+
+Persistente Konfiguration von
+\begin_inset Quotes sld
+\end_inset
+
+ip addrtable
+\begin_inset Quotes srd
+\end_inset
+
+ ist wahrscheinlich in aktuellen Linux-Distributionen nicht unterstützt,
+ somit wäre eine Erweiterung der Netzwerk-Init-Scripts oder rc.local notwendig.
+ Ein Skript, welches Informationen aus /etc/gai.conf in entsprechendes
+\begin_inset Quotes sld
+\end_inset
+
+ip addrtable
+\begin_inset Quotes srd
+\end_inset
+
+ umwandelt, gibt es hier:
+\lang english
+
+\begin_inset CommandInset href
+LatexCommand href
+name "/etc/gai.conf - it ain't what you think it is"
+target "http://into6.com.au/?p=288"
+
+\end_inset
+
+
\end_layout
\begin_layout Chapter
@@ -8897,307 +9931,375 @@ Beispiel:
\end_layout
\begin_layout Code
+
# netstat -nlptu
\end_layout
\begin_layout Code
+
Active Internet connections (only servers)
\end_layout
\begin_layout Code
+
Proto Recv-Q Send-Q Local Address Foreign Address State
\end_layout
\begin_layout Code
+
¬ PID/Program name
\end_layout
\begin_layout Code
+
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 1258/rpc.statd
\end_layout
\begin_layout Code
+
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 1502/rpc.mountd
\end_layout
\begin_layout Code
+
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 22433/lpd Waiting
\end_layout
\begin_layout Code
+
tcp 0 0 1.2.3.1:139 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 1746/smbd
\end_layout
\begin_layout Code
+
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 1230/portmap
\end_layout
\begin_layout Code
+
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 3551/X
\end_layout
\begin_layout Code
+
tcp 0 0 1.2.3.1:8081 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 18735/junkbuster
\end_layout
\begin_layout Code
+
tcp 0 0 1.2.3.1:3128 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 18822/(squid)
\end_layout
\begin_layout Code
+
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
\begin_layout Code
+
tcp 0 0 ::ffff:1.2.3.1:993 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 6742/xinetd-ipv6
\end_layout
\begin_layout Code
+
tcp 0 0 :::13 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 6742/xinetd-ipv6
\end_layout
\begin_layout Code
+
tcp 0 0 ::ffff:1.2.3.1:143 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 6742/xinetd-ipv6
\end_layout
\begin_layout Code
+
tcp 0 0 :::53 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
\begin_layout Code
+
tcp 0 0 :::22 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 1410/sshd
\end_layout
\begin_layout Code
+
tcp 0 0 :::6010 :::* LISTEN
\end_layout
\begin_layout Code
+
¬ 13237/sshd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:32768 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1258/rpc.statd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:2049 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ -
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:32770 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1502/rpc.mountd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:32771 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ -
\end_layout
\begin_layout Code
+
udp 0 0 1.2.3.1:137 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1751/nmbd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:137 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1751/nmbd
\end_layout
\begin_layout Code
+
udp 0 0 1.2.3.1:138 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1751/nmbd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:138 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1751/nmbd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:33044 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
\begin_layout Code
+
udp 0 0 1.2.3.1:53 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
\begin_layout Code
+
udp 0 0 127.0.0.1:53 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:67 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1530/dhcpd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:67 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1530/dhcpd
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:32858 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 18822/(squid)
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:4827 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 18822/(squid)
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:111 0.0.0.0:*
\end_layout
\begin_layout Code
+
¬ 1230/portmap
\end_layout
\begin_layout Code
+
udp 0 0 :::53 :::*
\end_layout
\begin_layout Code
+
¬ 30734/named
\end_layout
@@ -9230,26 +10332,32 @@ Router Advertisement
\end_layout
\begin_layout Code
+
15:43:49.484751 fe80::212:34ff:fe12:3450 > ff02::1: icmp6: router
\end_layout
\begin_layout Code
+
¬ advertisement(chlim=64, router_ltime=30, reachable_time=0,
\end_layout
\begin_layout Code
+
¬ retrans_time=0)(prefix info: AR valid_ltime=30, preffered_ltime=20,
\end_layout
\begin_layout Code
+
¬ prefix=2002:0102:0304:1::/64)(prefix info: LAR valid_ltime=2592000,
\end_layout
\begin_layout Code
+
¬ preffered_ltime=604800, prefix=2001:0db8:0:1::/64)(src lladdr:
\end_layout
\begin_layout Code
+
¬ 0:12:34:12:34:50) (len 88, hlim 255)
\end_layout
@@ -9302,10 +10410,12 @@ Router Anfrage
\end_layout
\begin_layout Code
+
15:44:21.152646 fe80::212:34ff:fe12:3456 > ff02::2: icmp6: router solicitation
\end_layout
\begin_layout Code
+
¬ (src lladdr: 0:12:34:12:34:56) (len 16, hlim 255)
\end_layout
@@ -9374,10 +10484,12 @@ fe80:212:34ff:fe12:3456
\end_layout
\begin_layout Code
+
15:44:17.712338 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has
\end_layout
\begin_layout Code
+
¬ fe80::212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32, hlim 255)
\end_layout
@@ -9395,15 +10507,18 @@ Der Knoten will seine globale Adresse
\end_layout
\begin_layout Code
+
15:44:21.905596 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has
\end_layout
\begin_layout Code
+
¬ 2002:0102:0304:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len
32,
\end_layout
\begin_layout Code
+
¬ hlim 255)
\end_layout
@@ -9421,15 +10536,18 @@ Der Knoten will seine globale Adresse
\end_layout
\begin_layout Code
+
15:44:22.304028 :: > ff02::1:ff12:3456: icmp6: neighbor sol: who has
\end_layout
\begin_layout Code
+
¬ 2001:0db8:0:1:212:34ff:fe12:3456(src lladdr: 0:12:34:12:34:56) (len 32,
hlim
\end_layout
\begin_layout Code
+
¬ 255)
\end_layout
@@ -9451,15 +10569,18 @@ Der Knoten möchte Pakete an die Adresse
\end_layout
\begin_layout Code
+
13:07:47.664538 2002:0102:0304:1:2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6:
\end_layout
\begin_layout Code
+
¬ neighbor sol: who has 2001:0db8:0:1::10(src lladdr: 0:e0:18:90:92:5) (len
32,
\end_layout
\begin_layout Code
+
¬ hlim 255)
\end_layout
@@ -9476,10 +10597,12 @@ fe80::10
\end_layout
\begin_layout Code
+
13:11:20.870070 fe80::2e0:18ff:fe90:9205 > ff02::1:ff00:10: icmp6: neighbor
\end_layout
\begin_layout Code
+
¬ sol: who has fe80::10(src lladdr: 0:e0:18:90:92:5) (len 32, hlim 255)
\end_layout
@@ -9607,6 +10730,7 @@ Sie können überprüfen, ob Ihre Distribution eine permanente IPv6 Konfiguratio
\end_layout
\begin_layout Code
+
/etc/sysconfig/network-scripts/network-functions-ipv6
\end_layout
@@ -9615,11 +10739,13 @@ Automatischer Test:
\end_layout
\begin_layout Code
+
# test -f /etc/sysconfig/network-scripts/network-functions-ipv6 && echo
"Main
\end_layout
\begin_layout Code
+
¬ IPv6 script library exists"
\end_layout
@@ -9631,14 +10757,17 @@ Die Versionsnummer der Library ist von Interesse, wenn Sie Features vermissen
\end_layout
\begin_layout Code
+
# source /etc/sysconfig/network-scripts/network-functions-ipv6 &&
\end_layout
\begin_layout Code
+
¬ getversion_ipv6_functions
\end_layout
\begin_layout Code
+
20011124
\end_layout
@@ -9682,10 +10811,12 @@ Kurze Anleitung zum aktivieren von IPv6 bei RHL 7.1, 7.2, 7.3, ...
\end_layout
\begin_layout Code
+
# modprobe -c | grep net-pf-10
\end_layout
\begin_layout Code
+
alias net-pf-10 off
\end_layout
@@ -9703,6 +10834,7 @@ twork
\end_layout
\begin_layout Code
+
NETWORKING_IPV6=yes
\end_layout
@@ -9712,6 +10844,7 @@ Rebooten bzw.
\end_layout
\begin_layout Code
+
# service network restart
\end_layout
@@ -9720,10 +10853,12 @@ Nun sollte das IPv6 Modul geladen sein
\end_layout
\begin_layout Code
+
# modprobe -c | grep ipv6
\end_layout
\begin_layout Code
+
alias net-pf-10 ipv6
\end_layout
@@ -9792,6 +10927,7 @@ Editiere Datei /etc/sysconfig/network/ifcfg- und setze folgende
\end_layout
\begin_layout Code
+
IP6ADDR="/"
\end_layout
@@ -9827,6 +10963,7 @@ Editiere Datei /etc/sysconfig/network/ifcfg- und setze folgende
\end_layout
\begin_layout Code
+
IPADDR="/"
\end_layout
@@ -9881,44 +11018,54 @@ Konfiguriere die Schnittstelle (hier im Beispiel: eth0).
\end_layout
\begin_layout Code
+
iface eth0 inet6 static
\end_layout
\begin_layout Code
+
pre-up modprobe ipv6
\end_layout
\begin_layout Code
+
address 2001:0db8:1234:5::1:1
\end_layout
\begin_layout Code
+
# To suppress completely autoconfiguration:
\end_layout
\begin_layout Code
+
# up echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
\end_layout
\begin_layout Code
+
netmask 64
\end_layout
\begin_layout Code
+
# The router is autoconfigured and has no fixed address.
\end_layout
\begin_layout Code
+
# It is magically
\end_layout
\begin_layout Code
+
# found.
(/proc/sys/net/ipv6/conf/all/accept_ra).
Otherwise:
\end_layout
\begin_layout Code
+
#gateway 2001:0db8:1234:5::1
\end_layout
@@ -9929,6 +11076,7 @@ Danach rebooten oder folgendes Kommando ausführen
\end_layout
\begin_layout Code
+
# ifup --force eth0
\end_layout
@@ -10005,18 +11153,22 @@ Beispiel:
\end_layout
\begin_layout Code
+
# ip -6 addr show dev eth0 scope link
\end_layout
\begin_layout Code
+
2: eth0: mtu 1500 qlen1000
\end_layout
\begin_layout Code
+
inet6 fe80::211:d8ff:fe6b:f0f5/64 scope link
\end_layout
\begin_layout Code
+
valid_lft forever preferred_lft forever
\end_layout
@@ -10592,6 +11744,7 @@ Wechseln Sie in das Source-Verzeichnis:
\end_layout
\begin_layout Code
+
# cd /path/to/src
\end_layout
@@ -10600,10 +11753,12 @@ Entpacken sie die Kernel-Quellen und vergeben diesen einen neuen Namen
\end_layout
\begin_layout Code
+
# tar z|jxf kernel-version.tar.gz|bz2
\end_layout
\begin_layout Code
+
# mv linux linux-version-iptables-version+IPv6
\end_layout
@@ -10612,6 +11767,7 @@ Entpacken Sie die iptables Quellen
\end_layout
\begin_layout Code
+
# tar z|jxf iptables-version.tar.gz|bz2
\end_layout
@@ -10624,6 +11780,7 @@ Wechseln Sie in das iptables Verzeichnis
\end_layout
\begin_layout Code
+
# cd iptables-version
\end_layout
@@ -10632,6 +11789,7 @@ Fügen Sie relevante Patches hinzu
\end_layout
\begin_layout Code
+
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
\end_layout
@@ -10642,6 +11800,7 @@ Fügen Sie zusätzliche IPv6 relevante IPv6 Patches hinzu (die nach wie vor
\end_layout
\begin_layout Code
+
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
\end_layout
@@ -10680,10 +11839,12 @@ REJECT.patch.ipv6
\end_layout
\begin_layout Code
+
# make print-extensions
\end_layout
\begin_layout Code
+
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
\end_layout
@@ -10696,6 +11857,7 @@ Wechseln Sie zu den Kernel-Quellen
\end_layout
\begin_layout Code
+
# cd /path/to/src/linux-version-iptables-version/
\end_layout
@@ -10704,10 +11866,12 @@ Editieren Sie das Makefile
\end_layout
\begin_layout Code
+
- EXTRAVERSION =
\end_layout
\begin_layout Code
+
+ EXTRAVERSION = -iptables-version+IPv6-try
\end_layout
@@ -10716,80 +11880,99 @@ Starten Sie configure und aktivieren Sie IPv6 relevante Optionen
\end_layout
\begin_layout Code
+
Code maturity level options
\end_layout
\begin_layout Code
+
Prompt for development and/or incomplete code/drivers
: yes
\end_layout
\begin_layout Code
+
Networking options
\end_layout
\begin_layout Code
+
Network packet filtering: yes
\end_layout
\begin_layout Code
+
The IPv6 protocol: module
\end_layout
\begin_layout Code
+
IPv6: Netfilter Configuration
\end_layout
\begin_layout Code
+
IP6 tables support: module
\end_layout
\begin_layout Code
+
All new options like following:
\end_layout
\begin_layout Code
+
limit match support: module
\end_layout
\begin_layout Code
+
MAC address match support: module
\end_layout
\begin_layout Code
+
Multiple port match support: module
\end_layout
\begin_layout Code
+
Owner match support: module
\end_layout
\begin_layout Code
+
netfilter MARK match support: module
\end_layout
\begin_layout Code
+
Aggregated address check: module
\end_layout
\begin_layout Code
+
Packet filtering: module
\end_layout
\begin_layout Code
+
REJECT target support: module
\end_layout
\begin_layout Code
+
LOG target support: module
\end_layout
\begin_layout Code
+
Packet mangling: module
\end_layout
\begin_layout Code
+
MARK target support: module
\end_layout
@@ -10815,6 +11998,7 @@ Benennen sie das ältere Verzeichnis um
\end_layout
\begin_layout Code
+
# mv /usr/src/linux /usr/src/linux.old
\end_layout
@@ -10823,6 +12007,7 @@ Erstellen Sie einen neuen symbolischen Link
\end_layout
\begin_layout Code
+
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
\end_layout
@@ -10831,6 +12016,7 @@ Erstellen Sie ein neues SRPMS
\end_layout
\begin_layout Code
+
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
\end_layout
@@ -10852,6 +12038,7 @@ Freshen
\end_layout
\begin_layout Code
+
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
\end_layout
@@ -10868,6 +12055,7 @@ install
\end_layout
\begin_layout Code
+
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
\end_layout
@@ -10886,6 +12074,7 @@ nodeps
\end_layout
\begin_layout Code
+
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
\end_layout
@@ -10895,6 +12084,7 @@ Damit iptables die Libraries finden kann, ist es eventuell notwendig, einen
\end_layout
\begin_layout Code
+
# ln -s /lib/iptables/ /usr/lib/iptables
\end_layout
@@ -10911,6 +12101,7 @@ Laden Sie das Modul (falls dies im Kernel so kompiliert wurde):
\end_layout
\begin_layout Code
+
# modprobe ip6_tables
\end_layout
@@ -10919,10 +12110,12 @@ Laden Sie das Modul (falls dies im Kernel so kompiliert wurde):
\end_layout
\begin_layout Code
+
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support
\end_layout
\begin_layout Code
+
¬ 'ip6tables' firewalling (IPv6)!"
\end_layout
@@ -10939,6 +12132,7 @@ Kurze Auflistung:
\end_layout
\begin_layout Code
+
# ip6tables -L
\end_layout
@@ -10947,6 +12141,7 @@ Erweiterte Auflistung:
\end_layout
\begin_layout Code
+
# ip6tables -n -v --line-numbers -L
\end_layout
@@ -10955,6 +12150,7 @@ Auflistung angegebener Filter
\end_layout
\begin_layout Code
+
# ip6tables -n -v --line-numbers -L INPUT
\end_layout
@@ -10963,10 +12159,12 @@ Hinzufügen einer Log-Regel zum Input-Filter mit Optionen
\end_layout
\begin_layout Code
+
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:"
\end_layout
\begin_layout Code
+
¬ --log-level 7
\end_layout
@@ -10975,6 +12173,7 @@ Hinzufügen einer Drop-Regel zum Input-Filter
\end_layout
\begin_layout Code
+
# ip6tables --table filter --append INPUT -j DROP
\end_layout
@@ -10983,6 +12182,7 @@ Löschen einer Regel mit Hilfe der Regelnummer
\end_layout
\begin_layout Code
+
# ip6tables --table filter --delete INPUT 1
\end_layout
@@ -11001,6 +12201,7 @@ Seit Kernel-Version 2.6.20 ist die Auswertung des IPv6-Verbindungsstatus gut
\end_layout
\begin_layout Code
+
# ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
\end_layout
@@ -11018,6 +12219,7 @@ Eingehender ICMPv6 Verkehr durch Tunnel erlauben
\end_layout
\begin_layout Code
+
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
\end_layout
@@ -11026,6 +12228,7 @@ Ausgehenden ICMPv6 Verkehr durch Tunnel erlauben
\end_layout
\begin_layout Code
+
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
\end_layout
@@ -11034,6 +12237,7 @@ Neuere Kernel erlauben das Spezifizieren des ICMPv6-Typs:
\end_layout
\begin_layout Code
+
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
\end_layout
@@ -11052,10 +12256,12 @@ n Patitionen entgegenzuwirken.
\end_layout
\begin_layout Code
+
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request
\end_layout
\begin_layout Code
+
¬ -j ACCEPT --match limit --limit 30/minute
\end_layout
@@ -11074,10 +12280,12 @@ Eingehende SSH Verbindungen werden von der Adresse 2001:0db8:100::1/128
\end_layout
\begin_layout Code
+
# ip6tables -A INPUT -i sit+ -p tcp -s 2001:0db8:100::1/128 --sport 512:65535
\end_layout
\begin_layout Code
+
¬ --dport 22 -j ACCEPT
\end_layout
@@ -11092,10 +12300,12 @@ nicht mehr notwendig, wenn der IPv6-Verbindungsstatus ausgewertet wird!
\end_layout
\begin_layout Code
+
# ip6tables -A OUTPUT -o sit+ -p tcp -d 2001:0db8:100::1/128 --dport 512:65535
\end_layout
\begin_layout Code
+
¬ --sport 22 ! --syn -j ACCEPT
\end_layout
@@ -11113,6 +12323,7 @@ Akzeptiere eingehende IPv6-in-IPv4 Daten am interface ppp0
\end_layout
\begin_layout Code
+
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
\end_layout
@@ -11121,6 +12332,7 @@ Akzeptiere ausgehende IPv6-in-IPv4 Daten am interface ppp0
\end_layout
\begin_layout Code
+
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
\end_layout
@@ -11135,6 +12347,7 @@ Akzeptiere eingehende IPv6-in-IPv4 Daten vom Tunnel-Endpunkt 192.0.2.2 am interf
\end_layout
\begin_layout Code
+
# iptables -A INPUT -i ppp0 -p ipv6 -s 192.0.2.2 -j ACCEPT
\end_layout
@@ -11144,6 +12357,7 @@ Akzeptiere ausgehende IPv6-in-IPv4 Daten vom Tunnel-Endpunkt 192.0.2.2 am interf
\end_layout
\begin_layout Code
+
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 192.0.2.2 -j ACCEPT
\end_layout
@@ -11167,6 +12381,7 @@ Blockiere eingehende TCP-Verbindungs-Anfragen zu diesem Host
\end_layout
\begin_layout Code
+
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
\end_layout
@@ -11175,6 +12390,7 @@ Blockiere eingehende TCP-Verbindungs-Anfragen zu Hosts hinter diesem Router
\end_layout
\begin_layout Code
+
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
\end_layout
@@ -11207,6 +12423,7 @@ Blockiere eingehende UDP-Pakete, die nicht Antworten ausgehender Anfragen
\end_layout
\begin_layout Code
+
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
\end_layout
@@ -11216,6 +12433,7 @@ Blockiere eingehende UDP-Pakete, die nicht Antworten auf Anfragen von hinter
\end_layout
\begin_layout Code
+
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
\end_layout
@@ -11244,6 +12462,7 @@ system-config-firewall
\end_layout
\begin_layout Code
+
Datei: /etc/sysconfig/ip6tables
\end_layout
@@ -11252,70 +12471,87 @@ Datei: /etc/sysconfig/ip6tables
\end_layout
\begin_layout Code
+
*filter :INPUT ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:FORWARD ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:OUTPUT ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:RH-Firewall-1-INPUT - [0:0]
\end_layout
\begin_layout Code
+
-A INPUT -j RH-Firewall-1-INPUT
\end_layout
\begin_layout Code
+
-A FORWARD -j RH-Firewall-1-INPUT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
\end_layout
\begin_layout Code
+
COMMIT
\end_layout
@@ -11327,6 +12563,7 @@ Zwecks der Vollständigkeit ist hier auch die entsprechende Konfiguration
\end_layout
\begin_layout Code
+
Datei: /etc/sysconfig/iptables
\end_layout
@@ -11335,71 +12572,88 @@ Datei: /etc/sysconfig/iptables
\end_layout
\begin_layout Code
+
*filter :INPUT ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:FORWARD ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:OUTPUT ACCEPT [0:0]
\end_layout
\begin_layout Code
+
:RH-Firewall-1-INPUT - [0:0]
\end_layout
\begin_layout Code
+
-A INPUT -j RH-Firewall-1-INPUT
\end_layout
\begin_layout Code
+
-A FORWARD -j RH-Firewall-1-INPUT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
ACCEPT
\end_layout
\begin_layout Code
+
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
\end_layout
\begin_layout Code
+
COMMIT
\end_layout
@@ -11422,10 +12676,12 @@ Aktivieren von IPv4 & IPv6 Firewalling
\end_layout
\begin_layout Code
+
# service iptables start
\end_layout
\begin_layout Code
+
# service ip6tables start
\end_layout
@@ -11436,10 +12692,12 @@ Aktivieren des automatischen Starts nach dem Reboot
\end_layout
\begin_layout Code
+
# chkconfig iptables on
\end_layout
\begin_layout Code
+
# chkconfig ip6tables on
\end_layout
@@ -11453,472 +12711,578 @@ Folgende Zeilen zeigen ein umfangreicheres Setup.
\end_layout
\begin_layout Code
+
# ip6tables -n -v -L
\end_layout
\begin_layout Code
+
Chain INPUT (policy DROP 0 packets, 0 bytes)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
0 0 extIN all sit+ * ::/0 ::/0
\end_layout
\begin_layout Code
+
4 384 intIN all eth0 * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT all * * ::1/128 ::1/128
\end_layout
\begin_layout Code
+
0 0 ACCEPT all lo * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `INPUT-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain FORWARD (policy DROP 0 packets, 0 bytes)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 int2ext all eth0 sit+ ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ext2int all sit+ eth0 ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `FORWARD-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 extOUT all * sit+ ::/0 ::/0
\end_layout
\begin_layout Code
+
4 384 intOUT all * eth0 ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT all * * ::1/128 ::1/128
\end_layout
\begin_layout Code
+
0 0 ACCEPT all * lo ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `OUTPUT-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain ext2int (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT icmpv6 * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `ext2int-default:'
\end_layout
\begin_layout Code
+
0 0 DROP tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 DROP udp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain extIN (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:512:65535 dpt:22
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:512:65535 dpt:22
\end_layout
\begin_layout Code
+
0 0 ACCEPT icmpv6 * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
\end_layout
\begin_layout Code
+
0 0 ACCEPT udp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ udp spts:1:65535 dpts:1024:65535
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain extOUT (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0
\end_layout
\begin_layout Code
+
¬ 2001:0db8:100::1/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0
\end_layout
\begin_layout Code
+
¬ 2001:0db8:100::2/128tcp spt:22 dpts:512:65535 flags:!0x16/0x02
\end_layout
\begin_layout Code
+
0 0 ACCEPT icmpv6 * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:1024:65535 dpts:1:65535
\end_layout
\begin_layout Code
+
0 0 ACCEPT udp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ udp spts:1024:65535 dpts:1:65535
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `extOUT-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain int2ext (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT icmpv6 * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 ACCEPT tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ tcp spts:1024:65535 dpts:1:65535
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `int2ext:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `int2ext-default:'
\end_layout
\begin_layout Code
+
0 0 DROP tcp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 DROP udp * * ::/0 ::/0
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain intIN (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT all * * ::/0
\end_layout
\begin_layout Code
+
¬ fe80::/ffc0::
\end_layout
\begin_layout Code
+
4 384 ACCEPT all * * ::/0 ff02::/16
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
Chain intOUT (1 references)
\end_layout
\begin_layout Code
+
pkts bytes target prot opt in out source destination
\end_layout
\begin_layout Code
+
¬
\end_layout
\begin_layout Code
+
0 0 ACCEPT all * * ::/0
\end_layout
\begin_layout Code
+
¬ fe80::/ffc0::
\end_layout
\begin_layout Code
+
4 384 ACCEPT all * * ::/0 ff02::/16
\end_layout
\begin_layout Code
+
0 0 LOG all * * ::/0 ::/0
\end_layout
\begin_layout Code
+
¬ LOG flags 0 level 7 prefix `intOUT-default:'
\end_layout
\begin_layout Code
+
0 0 DROP all * * ::/0 ::/0
\end_layout
@@ -11956,6 +13320,7 @@ Wie bei IPv4 können Systeme hinter einem Router versteckt werden mit Hilfe
\end_layout
\begin_layout Code
+
# ip6tables -t nat -A POSTROUTING -o sixxs -s fec0::/64 -j MASQUERADE
\end_layout
@@ -11973,6 +13338,7 @@ Eine dedizierte öffentliche IPv6-Adresse kann zu einer internen IPv6-Adresse
\end_layout
\begin_layout Code
+
# ip6tables -t nat -A PREROUTING -d 2001:db8:0:1:5054:ff:fe01:2345 -i sixxs
-j DNAT --to-destination fec0::5054:ff:fe01:2345
\end_layout
@@ -11991,6 +13357,7 @@ Ein dedizierter Port kann zu einem internen System weitergeleitet werden,
\end_layout
\begin_layout Code
+
# ip6tables -t nat -A PREROUTING -i sixxs -p tcp --dport 8080 -j DNAT --to-desti
nation [fec0::1234]:80
\end_layout
@@ -12044,18 +13411,22 @@ Laden der Kernel-Module:
\end_layout
\begin_layout Code
+
# modprobe nf_tables
\end_layout
\begin_layout Code
+
# modprobe nf_tables_ipv4
\end_layout
\begin_layout Code
+
# modprobe nf_tables_ipv6
\end_layout
\begin_layout Code
+
# modprobe nf_tables_inet
\end_layout
@@ -12066,10 +13437,12 @@ Löschen der Regeln in iptables and ip6tables um Interferenzen zu vermeiden:
\end_layout
\begin_layout Code
+
# iptables -F
\end_layout
\begin_layout Code
+
# ip6tables -F
\end_layout
@@ -12080,6 +13453,7 @@ Erzeugen der Filter-Tabelle:
\end_layout
\begin_layout Code
+
# nft add table inet filter
\end_layout
@@ -12090,6 +13464,7 @@ Erzeugen einer input chain in der Filter-Tabelle:
\end_layout
\begin_layout Code
+
# nft add chain inet filter input { type filter hook input priority 0
\backslash
; }
@@ -12115,6 +13490,7 @@ Tabelle gehören
\end_layout
\begin_layout Code
+
# nft add rule inet filter input ct state established,related counter accept
\end_layout
@@ -12126,11 +13502,13 @@ Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)
\end_layout
\begin_layout Code
+
# nft add rule inet filter input meta nfproto ipv4 icmp type { echo-request
} counter accept
\end_layout
\begin_layout Code
+
# nft add rule inet filter input meta nfproto ipv6 icmpv6 type echo-request
counter accept
\end_layout
@@ -12143,19 +13521,23 @@ Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-
\end_layout
\begin_layout Code
+
# nft add rule inet filter input meta nfproto ipv6
\end_layout
\begin_layout Code
+
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert}
ip6 hoplimit 1 accept
\end_layout
\begin_layout Code
+
# nft add rule inet filter input meta nfproto ipv6
\end_layout
\begin_layout Code
+
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert}
ip6 hoplimit 255 counter accept
\end_layout
@@ -12167,6 +13549,7 @@ Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6
\end_layout
\begin_layout Code
+
# nft add rule inet filter input tcp dport 22 ct state new tcp flags
\backslash
&
@@ -12185,14 +13568,17 @@ Reject/drop anderer Pakete
\end_layout
\begin_layout Code
+
# nft add rule inet filter input tcp dport 0-65535 reject
\end_layout
\begin_layout Code
+
# nft add rule inet filter input udp dport 0-65535 counter drop
\end_layout
\begin_layout Code
+
# nft add rule inet filter input counter drop
\end_layout
@@ -12209,63 +13595,77 @@ Tabelle für IP unabhängigen Filter
\end_layout
\begin_layout Code
+
table inet filter {
\end_layout
\begin_layout Code
+
chain input {
\end_layout
\begin_layout Code
+
type filter hook input priority 0;
\end_layout
\begin_layout Code
+
ct state established,related counter packets 0 bytes 0 accept
\end_layout
\begin_layout Code
+
ip protocol icmp icmp type { echo-request} counter packets 0 bytes 0
accept
\end_layout
\begin_layout Code
+
ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter packets 0 bytes
0 accept
\end_layout
\begin_layout Code
+
ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert,
nd-neighbor-solicit, nd-router-advert} accept
\end_layout
\begin_layout Code
+
ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert,
nd-neighbor-solicit, nd-router-advert} accept
\end_layout
\begin_layout Code
+
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets
0 bytes 0 accept
\end_layout
\begin_layout Code
+
tcp dport >= 0 tcp dport <= 65535 counter packets 0 bytes 0 reject
\end_layout
\begin_layout Code
+
udp dport >= 0 udp dport <= 65535 counter packets 0 bytes 0 drop
\end_layout
\begin_layout Code
+
log prefix counter packets 0 bytes 0 drop
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -12282,6 +13682,7 @@ Für Logging wird ein zusätzliches Kernelmodul benötigt:
\end_layout
\begin_layout Code
+
# modprobe xt_LOG
\end_layout
@@ -12310,6 +13711,7 @@ Für erste Tests mit der Log-Option kann es nützlich sein, das Loggens für
\end_layout
\begin_layout Code
+
#*.emerg :omusrmsg:*
\end_layout
@@ -12320,6 +13722,7 @@ Regel von oben, welche SSH auf Port 22 erlaubt, nun mit Logging:
\end_layout
\begin_layout Code
+
# nft add rule inet filter input tcp dport 22 ct state new tcp flags
\backslash
&
@@ -12401,114 +13804,141 @@ mark xxxx
\end_layout
\begin_layout Code
+
# for table in ip ip6 inet; do nft list table $table filter; done
\end_layout
\begin_layout Code
+
table ip filter {
\end_layout
\begin_layout Code
+
chain input {
\end_layout
\begin_layout Code
+
type filter hook input priority 0;
\end_layout
\begin_layout Code
+
ct state established,related counter packets 241 bytes 25193 accept
\end_layout
\begin_layout Code
+
counter packets 2 bytes 120 mark 0x00000100 accept
\end_layout
\begin_layout Code
+
icmp type { echo-request} counter packets 0 bytes 0 meta mark set 0x00000100
accept
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
table ip6 filter {
\end_layout
\begin_layout Code
+
chain input {
\end_layout
\begin_layout Code
+
type filter hook input priority 0;
\end_layout
\begin_layout Code
+
ct state established,related counter packets 14 bytes 4077 accept
\end_layout
\begin_layout Code
+
counter packets 4 bytes 408 mark 0x00000100 accept
\end_layout
\begin_layout Code
+
icmpv6 type echo-request counter packets 1 bytes 104 meta mark set 0x00000100
\end_layout
\begin_layout Code
+
icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert}
counter packets 2 bytes 224 meta mark set 0x00000100 accept
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
table inet filter {
\end_layout
\begin_layout Code
+
chain input {
\end_layout
\begin_layout Code
+
type filter hook input priority 0;
\end_layout
\begin_layout Code
+
ct state established,related counter packets 307 bytes 31974 accept
\end_layout
\begin_layout Code
+
counter packets 6 bytes 528 mark 0x00000100 accept
\end_layout
\begin_layout Code
+
tcp dport ssh ct state new tcp flags & (syn | ack) == syn log prefix
"inet/input/accept: " meta mark set 0x00000100 counter packets 3 bytes
200 accept
\end_layout
\begin_layout Code
+
log prefix "inet/input/reject: " counter packets 0 bytes 0 reject
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -12620,10 +14050,12 @@ target "http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#se
\end_layout
\begin_layout Code
+
# nc6 ::1 daytime
\end_layout
\begin_layout Code
+
13 JUL 2002 11:22:22 CEST
\end_layout
@@ -12645,43 +14077,53 @@ target "http://www.insecure.org/nmap/"
\end_layout
\begin_layout Code
+
# nmap -6 -sT ::1
\end_layout
\begin_layout Code
+
Starting nmap V.
3.10ALPHA3 ( www.insecure.org/nmap/ )
\end_layout
\begin_layout Code
+
Interesting ports on localhost6 (::1):
\end_layout
\begin_layout Code
+
(The 1600 ports scanned but not shown below are in state: closed)
\end_layout
\begin_layout Code
+
Port State Service
\end_layout
\begin_layout Code
+
22/tcp open ssh
\end_layout
\begin_layout Code
+
53/tcp open domain
\end_layout
\begin_layout Code
+
515/tcp open printer
\end_layout
\begin_layout Code
+
2401/tcp open cvspserver
\end_layout
\begin_layout Code
+
Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds
\end_layout
@@ -12704,26 +14146,32 @@ target "http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#se
\end_layout
\begin_layout Code
+
# ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange .
\end_layout
\begin_layout Code
+
::1 2401 unassigned unknown
\end_layout
\begin_layout Code
+
::1 22 ssh Secure Shell - RSA encrypted rsh
\end_layout
\begin_layout Code
+
::1 515 printer spooler (lpd)
\end_layout
\begin_layout Code
+
::1 6010 unassigned unknown
\end_layout
\begin_layout Code
+
::1 53 domain Domain Name Server
\end_layout
@@ -13094,22 +14542,27 @@ Beispiel für eine Ende-zu-Ende verschlüsselte Verbindung im Transport-Modus
\end_layout
\begin_layout Code
+
#!/sbin/setkey -f
\end_layout
\begin_layout Code
+
flush;
\end_layout
\begin_layout Code
+
spdflush;
\end_layout
\begin_layout Code
+
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec esp/transport//require;
\end_layout
\begin_layout Code
+
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec esp/transport//require;
\end_layout
@@ -13124,30 +14577,37 @@ Beispiel für eine Ende-zu-Ende verschlüsselte Verbindung im Tunnel-Modus
\end_layout
\begin_layout Code
+
#!/sbin/setkey -f
\end_layout
\begin_layout Code
+
flush;
\end_layout
\begin_layout Code
+
spdflush;
\end_layout
\begin_layout Code
+
spdadd 2001:db8:1:1::1 2001:db8:2:2::2 any -P out ipsec
\end_layout
\begin_layout Code
+
¬ esp/tunnel/2001:db8:1:1::1-2001:db8:2:2::2/require;
\end_layout
\begin_layout Code
+
spdadd 2001:db8:2:2::2 2001:db8:1:1::1 any -P in ipsec
\end_layout
\begin_layout Code
+
¬ esp/tunnel/2001:db8:2:2::2-2001:db8:1:1::1/require;
\end_layout
@@ -13217,18 +14677,22 @@ Datei: /etc/racoon/racoon.conf
\end_layout
\begin_layout Code
+
# Racoon IKE daemon configuration file.
\end_layout
\begin_layout Code
+
# See 'man racoon.conf' for a description of the format and entries.
\end_layout
\begin_layout Code
+
path include "/etc/racoon";
\end_layout
\begin_layout Code
+
path pre_shared_key "/etc/racoon/psk.txt";
\end_layout
@@ -13237,18 +14701,22 @@ path pre_shared_key "/etc/racoon/psk.txt";
\end_layout
\begin_layout Code
+
listen
\end_layout
\begin_layout Code
+
{
\end_layout
\begin_layout Code
+
isakmp 2001:db8:1:1::1;
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -13257,50 +14725,62 @@ listen
\end_layout
\begin_layout Code
+
remote 2001:db8:2:2::2
\end_layout
\begin_layout Code
+
{
\end_layout
\begin_layout Code
+
exchange_mode main;
\end_layout
\begin_layout Code
+
lifetime time 24 hour;
\end_layout
\begin_layout Code
+
proposal
\end_layout
\begin_layout Code
+
{
\end_layout
\begin_layout Code
+
encryption_algorithm 3des;
\end_layout
\begin_layout Code
+
hash_algorithm md5;
\end_layout
\begin_layout Code
+
authentication_method pre_shared_key;
\end_layout
\begin_layout Code
+
dh_group 2;
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -13309,34 +14789,42 @@ remote 2001:db8:2:2::2
\end_layout
\begin_layout Code
+
# gateway-to-gateway
\end_layout
\begin_layout Code
+
sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
\end_layout
\begin_layout Code
+
{
\end_layout
\begin_layout Code
+
lifetime time 1 hour;
\end_layout
\begin_layout Code
+
encryption_algorithm 3des;
\end_layout
\begin_layout Code
+
authentication_algorithm hmac_md5;
\end_layout
\begin_layout Code
+
compression_algorithm deflate;
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -13345,30 +14833,37 @@ sainfo address 2001:db8:1:1::1 any address 2001:db8:2:2::2 any
\end_layout
\begin_layout Code
+
sainfo address 2001:db8:2:2::2 any address 2001:db8:1:1::1 any
\end_layout
\begin_layout Code
+
{
\end_layout
\begin_layout Code
+
lifetime time 1 hour;
\end_layout
\begin_layout Code
+
encryption_algorithm 3des;
\end_layout
\begin_layout Code
+
authentication_algorithm hmac_md5;
\end_layout
\begin_layout Code
+
compression_algorithm deflate;
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -13385,10 +14880,12 @@ Datei: /etc/racoon/psk.txt
\end_layout
\begin_layout Code
+
# file for pre-shared keys used for IKE authentication
\end_layout
\begin_layout Code
+
# format is: 'identifier' 'key'
\end_layout
@@ -13397,6 +14894,7 @@ Datei: /etc/racoon/psk.txt
\end_layout
\begin_layout Code
+
2001:db8:2:2::2 verysecret
\end_layout
@@ -13424,81 +14922,100 @@ Zum Schluss muss der Daemon gestartet werden.
\end_layout
\begin_layout Code
+
# racoon -F -v -f /etc/racoon/racoon.conf
\end_layout
\begin_layout Code
+
Foreground mode.
\end_layout
\begin_layout Code
+
2005-01-01 20:30:15: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net
)
\end_layout
\begin_layout Code
+
2005-01-01 20:30:15: INFO: @(#)This product linked
\end_layout
\begin_layout Code
+
¬ OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
\end_layout
\begin_layout Code
+
2005-01-01 20:30:15: INFO: 2001:db8:1:1::1[500] used as isakmp port (fd=7)
\end_layout
\begin_layout Code
+
2005-01-01 20:31:06: INFO: IPsec-SA request for 2001:db8:2:2::2
\end_layout
\begin_layout Code
+
¬ queued due to no phase1 found.
\end_layout
\begin_layout Code
+
2005-01-01 20:31:06: INFO: initiate new phase 1 negotiation:
\end_layout
\begin_layout Code
+
¬ 2001:db8:1:1::1[500]<=>2001:db8:2:2::2[500]
\end_layout
\begin_layout Code
+
2005-01-01 20:31:06: INFO: begin Identity Protection mode.
\end_layout
\begin_layout Code
+
2005-01-01 20:31:09: INFO: ISAKMP-SA established
\end_layout
\begin_layout Code
+
¬ 2001:db8:1:1::1[500]-2001:db8:2:2::2[500] spi:da3d3693289c9698:ac039a402b2db40
1
\end_layout
\begin_layout Code
+
2005-01-01 20:31:09: INFO: initiate new phase 2 negotiation:
\end_layout
\begin_layout Code
+
¬ 2001:6f8:900:94::2[0]<=>2001:db8:2:2::2[0]
\end_layout
\begin_layout Code
+
2005-01-01 20:31:10: INFO: IPsec-SA established:
\end_layout
\begin_layout Code
+
¬ ESP/Tunnel 2001:db8:2:2::2->2001:db8:1:1::1 spi=253935531(0xf22bfab)
\end_layout
\begin_layout Code
+
2005-01-01 20:31:10: INFO: IPsec-SA established:
\end_layout
\begin_layout Code
+
¬ ESP/Tunnel 2001:db8:1:1::1->2001:db8:2:2::2 spi=175002564(0xa6e53c4)
\end_layout
@@ -13519,10 +15036,12 @@ tcpdump
\end_layout
\begin_layout Code
+
20:35:55.305707 2001:db8:1:1::1 > 2001:db8:2:2::2: ESP(spi=0x0a6e53c4,seq=0x3)
\end_layout
\begin_layout Code
+
20:35:55.537522 2001:db8:2:2::2 > 2001:db8:1:1::1: ESP(spi=0x0f22bfab,seq=0x3)
\end_layout
@@ -13547,94 +15066,117 @@ setkey
\end_layout
\begin_layout Code
+
# setkey -D
\end_layout
\begin_layout Code
+
2001:db8:1:1::1 2001:db8:2:2::2
\end_layout
\begin_layout Code
+
esp mode=tunnel spi=175002564(0x0a6e53c4) reqid=0(0x00000000)
\end_layout
\begin_layout Code
+
E: 3des-cbc bd26bc45 aea0d249 ef9c6b89 7056080f 5d9fa49c 924e2edd
\end_layout
\begin_layout Code
+
A: hmac-md5 60c2c505 517dd8b7 c9609128 a5efc2db
\end_layout
\begin_layout Code
+
seq=0x00000000 replay=4 flags=0x00000000 state=mature
\end_layout
\begin_layout Code
+
created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
\end_layout
\begin_layout Code
+
diff: 577(s) hard: 3600(s) soft: 2880(s)
\end_layout
\begin_layout Code
+
last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
current: 540(bytes) hard: 0(bytes) soft: 0(bytes)
\end_layout
\begin_layout Code
+
allocated: 3 hard: 0 soft: 0
\end_layout
\begin_layout Code
+
sadb_seq=1 pid=22358 refcnt=0
\end_layout
\begin_layout Code
+
2001:db8:2:2::2 2001:db8:1:1::1
\end_layout
\begin_layout Code
+
esp mode=tunnel spi=253935531(0x0f22bfab) reqid=0(0x00000000)
\end_layout
\begin_layout Code
+
E: 3des-cbc c1ddba65 83debd62 3f6683c1 20e747ac 933d203f 4777a7ce
\end_layout
\begin_layout Code
+
A: hmac-md5 3f957db9 9adddc8c 44e5739d 3f53ca0e
\end_layout
\begin_layout Code
+
seq=0x00000000 replay=4 flags=0x00000000 state=mature
\end_layout
\begin_layout Code
+
created: Jan 1 20:31:10 2005 current: Jan 1 20:40:47 2005
\end_layout
\begin_layout Code
+
diff: 577(s) hard: 3600(s) soft: 2880(s)
\end_layout
\begin_layout Code
+
last: Jan 1 20:35:05 2005 hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
current: 312(bytes) hard: 0(bytes) soft: 0(bytes)
\end_layout
\begin_layout Code
+
allocated: 3 hard: 0 soft: 0
\end_layout
\begin_layout Code
+
sadb_seq=0 pid=22358 refcnt=0
\end_layout
@@ -13739,18 +15281,22 @@ Datei: /etc/ipsec.conf
\end_layout
\begin_layout Code
+
# /etc/ipsec.conf - Openswan IPsec configuration file
\end_layout
\begin_layout Code
+
#
\end_layout
\begin_layout Code
+
# Manual: ipsec.conf.5
\end_layout
\begin_layout Code
+
version 2.0 # conforms to second version of ipsec.conf specification
\end_layout
@@ -13759,22 +15305,27 @@ version 2.0 # conforms to second version of ipsec.conf specification
\end_layout
\begin_layout Code
+
# basic configuration
\end_layout
\begin_layout Code
+
config setup
\end_layout
\begin_layout Code
+
# Debug-logging controls: "none" for (almost) none, "all" for lots.
\end_layout
\begin_layout Code
+
# klipsdebug=none
\end_layout
\begin_layout Code
+
# plutodebug="control parsing"
\end_layout
@@ -13783,10 +15334,12 @@ config setup
\end_layout
\begin_layout Code
+
#Disable Opportunistic Encryption
\end_layout
\begin_layout Code
+
include /etc/ipsec.d/examples/no_oe.conf
\end_layout
@@ -13795,55 +15348,68 @@ include /etc/ipsec.d/examples/no_oe.conf
\end_layout
\begin_layout Code
+
conn ipv6-p1-p2
\end_layout
\begin_layout Code
+
connaddrfamily=ipv6 # Important for IPv6, but no longer needed
since StrongSwan 4
\end_layout
\begin_layout Code
+
left=2001:db8:1:1::1
\end_layout
\begin_layout Code
+
right=2001:db8:2:2::2
\end_layout
\begin_layout Code
+
authby=secret
\end_layout
\begin_layout Code
+
esp=aes128-sha1
\end_layout
\begin_layout Code
+
ike=aes128-sha-modp1024
\end_layout
\begin_layout Code
+
type=transport
\end_layout
\begin_layout Code
+
#type=tunnel
\end_layout
\begin_layout Code
+
compress=no
\end_layout
\begin_layout Code
+
#compress=yes
\end_layout
\begin_layout Code
+
auto=add
\end_layout
\begin_layout Code
+
#auto=up
\end_layout
@@ -13864,6 +15430,7 @@ Datei: /etc/ipsec.secrets
\end_layout
\begin_layout Code
+
2001:db8:1:1::1 2001:db8:2:2::2 : PSK "verysecret"
\end_layout
@@ -13890,6 +15457,7 @@ Wenn die Installation von Openswan erfolgreich war, sollte ein initscript
\end_layout
\begin_layout Code
+
# /etc/rc.d/init.d/ipsec start
\end_layout
@@ -13909,34 +15477,42 @@ IPsec SA established
\end_layout
\begin_layout Code
+
# ipsec auto --up ipv6-peer1-peer2
\end_layout
\begin_layout Code
+
104 "ipv6-p1-p2" #1: STATE_MAIN_I1: initiate
\end_layout
\begin_layout Code
+
106 "ipv6-p1-p2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
\end_layout
\begin_layout Code
+
108 "ipv6-p1-p2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
\end_layout
\begin_layout Code
+
004 "ipv6-p1-p2" #1: STATE_MAIN_I4: ISAKMP SA established
\end_layout
\begin_layout Code
+
112 "ipv6-p1-p2" #2: STATE_QUICK_I1: initiate
\end_layout
\begin_layout Code
+
004 "ipv6-p1-p2" #2: STATE_QUICK_I2: sent QI2,
\end_layout
\begin_layout Code
+
¬ IPsec SA established {ESP=>0xa98b7710 <0xa51e1f22}
\end_layout
@@ -13956,94 +15532,117 @@ setkey
\end_layout
\begin_layout Code
+
# setkey -D
\end_layout
\begin_layout Code
+
2001:db8:1:1::1 2001:db8:2:2::2
\end_layout
\begin_layout Code
+
esp mode=transport spi=2844489488(0xa98b7710) reqid=16385(0x00004001)
\end_layout
\begin_layout Code
+
E: aes-cbc 082ee274 2744bae5 7451da37 1162b483
\end_layout
\begin_layout Code
+
A: hmac-sha1 b7803753 757417da 477b1c1a 64070455 ab79082c
\end_layout
\begin_layout Code
+
seq=0x00000000 replay=64 flags=0x00000000 state=mature
\end_layout
\begin_layout Code
+
created: Jan 1 21:16:32 2005 current: Jan 1 21:22:20 2005
\end_layout
\begin_layout Code
+
diff: 348(s) hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
last: hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
\end_layout
\begin_layout Code
+
allocated: 0 hard: 0 soft: 0
\end_layout
\begin_layout Code
+
sadb_seq=1 pid=23825 refcnt=0
\end_layout
\begin_layout Code
+
2001:db8:2:2::2 2001:db8:1:1::1
\end_layout
\begin_layout Code
+
esp mode=transport spi=2770214690(0xa51e1f22) reqid=16385(0x00004001)
\end_layout
\begin_layout Code
+
E: aes-cbc 6f59cc30 8d856056 65e07b76 552cac18
\end_layout
\begin_layout Code
+
A: hmac-sha1 c7c7d82b abfca8b1 5440021f e0c3b335 975b508b
\end_layout
\begin_layout Code
+
seq=0x00000000 replay=64 flags=0x00000000 state=mature
\end_layout
\begin_layout Code
+
created: Jan 1 21:16:31 2005 current: Jan 1 21:22:20 2005
\end_layout
\begin_layout Code
+
diff: 349(s) hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
last: hard: 0(s) soft: 0(s)
\end_layout
\begin_layout Code
+
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
\end_layout
\begin_layout Code
+
allocated: 0 hard: 0 soft: 0
\end_layout
\begin_layout Code
+
sadb_seq=0 pid=23825 refcnt=0
\end_layout
@@ -14068,10 +15667,12 @@ ip
\end_layout
\begin_layout Code
+
# ip xfrm policy
\end_layout
\begin_layout Code
+
...
\end_layout
@@ -14080,10 +15681,12 @@ ip
\end_layout
\begin_layout Code
+
# ip xfrm state
\end_layout
\begin_layout Code
+
...
\end_layout
@@ -14133,32 +15736,39 @@ Vernünftig funktionierendes QoS ist nur an der ausgehenden Schnittstelle
\end_layout
\begin_layout Code
+
------------------->-------
\end_layout
\begin_layout Code
+
Queue 1
\backslash
\end_layout
\begin_layout Code
+
--->--- ---->--------->--------->-------------------
\end_layout
\begin_layout Code
+
Dicke Leitung Queue 2 Queue 1 / Queue 2 / Queue 3 Dünne Leitung
\end_layout
\begin_layout Code
+
--->---- ---->--------->--------->-------------------
\end_layout
\begin_layout Code
+
Queue 3 /
\end_layout
\begin_layout Code
+
------------------->-------
\end_layout
@@ -14240,6 +15850,7 @@ Definition einer root qdisc mit einer Bandbreite von 1000 MBit/s an eth1
\end_layout
\begin_layout Code
+
# tc qdisc add dev eth1 root handle 1: cbq avpkt 1000 bandwidth 1000Mbit
\end_layout
@@ -14256,6 +15867,7 @@ Definition einer Klasse 1:1 mit 1 MBit/s
\end_layout
\begin_layout Code
+
# tc class add dev eth1 parent 1: classid 1:1 cbq rate 1Mbit allot 1500
bounded
\end_layout
@@ -14267,6 +15879,7 @@ Definition einer Klasse 1:2 mit 50 MBit/s
\end_layout
\begin_layout Code
+
# tc class add dev eth1 parent 1: classid 1:2 cbq rate 50Mbit allot 1500
bounded
\end_layout
@@ -14278,6 +15891,7 @@ Definition einer Klasse 1:3 mit 10 MBit/s
\end_layout
\begin_layout Code
+
# tc class add dev eth1 parent 1: classid 1:3 cbq rate 10Mbit allot 1500
bounded
\end_layout
@@ -14289,6 +15903,7 @@ Definition einer Klasse 1:4 mit 200 kBit/s
\end_layout
\begin_layout Code
+
# tc class add dev eth1 parent 1: classid 1:4 cbq rate 200kbit allot 1500
bounded
\end_layout
@@ -14318,6 +15933,7 @@ match ip dport 5001 0xffff
\end_layout
\begin_layout Code
+
# tc filter add dev eth1 parent 1: protocol ip u32 match ip protocol
6 0xff match ip dport 5001 0xffff flowid 1:1
\end_layout
@@ -14337,6 +15953,7 @@ match ip6 protocol 6 0xff
\end_layout
\begin_layout Code
+
# tc filter add dev eth1 parent 1: protocol ipv6 u32 match ip6 protocol
6 0xff match ip6 dport 5001 0xffff flowid 1:2
\end_layout
@@ -14352,6 +15969,7 @@ match ip6 flowlabel 0x12345 0x3ffff
\end_layout
\begin_layout Code
+
# tc filter add dev eth1 parent 1: protocol ipv6 u32 match ip6 flowlabel
12345 0x3ffff flowid 1:3
\end_layout
@@ -14368,6 +15986,7 @@ handle 32 fw
\end_layout
\begin_layout Code
+
# tc filter add dev eth1 parent 1: protocol ipv6 handle 32 fw flowid 1:4
\end_layout
@@ -14379,6 +15998,7 @@ Die letzte Filterdefinition benötigt auch einen Eintrag in ip6tables um
\end_layout
\begin_layout Code
+
# ip6tables -A POSTROUTING -t mangle -p tcp --dport 5003 -j MARK --set-mark
32
\end_layout
@@ -14396,14 +16016,17 @@ Starten auf Serverseite in separaten Konsolen:
\end_layout
\begin_layout Code
+
# iperf -V -s -p 5001
\end_layout
\begin_layout Code
+
# iperf -V -s -p 5002
\end_layout
\begin_layout Code
+
# iperf -V -s -p 5003
\end_layout
@@ -14414,29 +16037,35 @@ Starten auf Clientseite und Vergleichen der Ergebnisse:
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv4 -p 5001 (erwartet: 1 MBit/s)
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv6 -p 5001 (erwartet: 50 MBit/s)
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv4 -p 5002 (erwartet: >> 50 MBit/s && <= 1000
MBit/s)
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv6 -p 5002 (erwartet: >> 50 MBit/s && <= 1000
MBit/s)
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv4 -p 5003 (erwartet: >> 50 MBit/s && <= 1000
MBit/s)
\end_layout
\begin_layout Code
+
# iperf -V -c SERVER-IPv6 -p 5003 (erwartet: 200 kBit/s)
\end_layout
@@ -14520,18 +16149,22 @@ Folgende Optionen müssen geändert werden, damit IPv6 aktiviert wird
\end_layout
\begin_layout Code
+
options {
\end_layout
\begin_layout Code
+
# sure other options here, too
\end_layout
\begin_layout Code
+
listen-on-v6 { any; };
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -14541,48 +16174,59 @@ Nach einem Neustart (des Dienstes) sollte z.B.
\end_layout
\begin_layout Code
+
# netstat -lnptu |grep "named
\backslash
W*$"
\end_layout
\begin_layout Code
+
tcp 0 0 :::53 :::* LISTEN 1234/named
\end_layout
\begin_layout Code
+
¬ # incoming TCP requests
\end_layout
\begin_layout Code
+
udp 0 0 1.2.3.4:53 0.0.0.0:* 1234/named
\end_layout
\begin_layout Code
+
¬ # incoming UDP requests to IPv4 1.2.3.4
\end_layout
\begin_layout Code
+
udp 0 0 127.0.0.1:53 0.0.0.0:* 1234/named
\end_layout
\begin_layout Code
+
¬ # incoming UDP requests to IPv4 localhost
\end_layout
\begin_layout Code
+
udp 0 0 0.0.0.0:32868 0.0.0.0:* 1234/named
\end_layout
\begin_layout Code
+
¬ # dynamic chosen port for outgoing queries
\end_layout
\begin_layout Code
+
udp 0 0 :::53 :::* 1234/named
\end_layout
\begin_layout Code
+
¬ # incoming UDP request to any IPv6
\end_layout
@@ -14591,6 +16235,7 @@ Ein kleiner Test sieht wie folgt aus:
\end_layout
\begin_layout Code
+
# dig localhost @::1
\end_layout
@@ -14607,18 +16252,22 @@ Folgende Optionen müssen geändert werden, damit IPv6 deaktiviert wird:
\end_layout
\begin_layout Code
+
options {
\end_layout
\begin_layout Code
+
# sure other options here, too
\end_layout
\begin_layout Code
+
listen-on-v6 { none; };
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -14633,54 +16282,67 @@ ACLs mit IPv6 Adressen sind realisierbar und sollten wann immer möglich
\end_layout
\begin_layout Code
+
acl internal-net {
\end_layout
\begin_layout Code
+
127.0.0.1;
\end_layout
\begin_layout Code
+
1.2.3.0/24;
\end_layout
\begin_layout Code
+
2001:0db8:100::/56;
\end_layout
\begin_layout Code
+
::1/128;
\end_layout
\begin_layout Code
+
::ffff:1.2.3.4/128;
\end_layout
\begin_layout Code
+
};
\end_layout
\begin_layout Code
+
acl ns-internal-net {
\end_layout
\begin_layout Code
+
1.2.3.4;
\end_layout
\begin_layout Code
+
1.2.3.5;
\end_layout
\begin_layout Code
+
2001:0db8:100::4/128;
\end_layout
\begin_layout Code
+
2001:0db8:100::5/128;
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -14692,26 +16354,32 @@ Diese ACLs können für Client-Anfragen und Zonentransfers zu Secondary Nameserv
\end_layout
\begin_layout Code
+
options {
\end_layout
\begin_layout Code
+
# sure other options here, too
\end_layout
\begin_layout Code
+
listen-on-v6 { none; };
\end_layout
\begin_layout Code
+
allow-query { internal-net; };
\end_layout
\begin_layout Code
+
allow-transfer { ns-internal-net; };
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -14737,6 +16405,7 @@ Diese Option ist nicht verpflichtend, ev.
\end_layout
\begin_layout Code
+
query-source-v6 address port ;
\end_layout
@@ -14757,6 +16426,7 @@ Die Transfer source Adresse wird für ausgehende Zonentransfers verwendet:
\end_layout
\begin_layout Code
+
transfer-source-v6 [port port];
\end_layout
@@ -14769,6 +16439,7 @@ Die Notify source Adresse wird für ausgehende notify Mitteilungen verwendet:
\end_layout
\begin_layout Code
+
notify-source-v6 [port port];
\end_layout
@@ -14925,22 +16596,27 @@ Eine IPv6 Verbindung kann durch Angabe eines dedizierten Server, der abgefragt
\end_layout
\begin_layout Code
+
$ host -t aaaa www.6bone.net 2001:0db8:200:f101::1
\end_layout
\begin_layout Code
+
Using domain server:
\end_layout
\begin_layout Code
+
Name: 2001:0db8:200:f101::1
\end_layout
\begin_layout Code
+
Address: 2001:0db8:200:f101::1#53
\end_layout
\begin_layout Code
+
Aliases:
\end_layout
@@ -14949,6 +16625,7 @@ Aliases:
\end_layout
\begin_layout Code
+
Host www.6bone.net.
not found: 5(REFUSED)
\end_layout
@@ -14958,14 +16635,17 @@ Ein entsprechender Log-Eintrag sieht wie folgt aus:
\end_layout
\begin_layout Code
+
Jan 3 12:43:32 gate named[12347]: client
\end_layout
\begin_layout Code
+
¬ 2001:0db8:200:f101:212:34ff:fe12:3456#32770:
\end_layout
\begin_layout Code
+
query denied
\end_layout
@@ -14984,22 +16664,27 @@ Eine erfolgreiche IPv6 Verbindung sieht wie folgt aus:
\end_layout
\begin_layout Code
+
$ host -t aaaa www.6bone.net 2001:0db8:200:f101::1
\end_layout
\begin_layout Code
+
Using domain server:
\end_layout
\begin_layout Code
+
Name: 2001:0db8:200:f101::1
\end_layout
\begin_layout Code
+
Address: 2001:0db8:200:f101::1#53
\end_layout
\begin_layout Code
+
Aliases:
\end_layout
@@ -15008,12 +16693,14 @@ Aliases:
\end_layout
\begin_layout Code
+
www.6bone.net.
is an alias for 6bone.net.
\end_layout
\begin_layout Code
+
6bone.net.
has AAAA address 3ffe:b00:c18:1::10
\end_layout
@@ -15058,42 +16745,52 @@ Wenn Sie nun einen "eingebauten" Service wie z.B.
\end_layout
\begin_layout Code
+
# diff -u /etc/xinetd.d/daytime.orig /etc/xinetd.d/daytime
\end_layout
\begin_layout Code
+
--- /etc/xinetd.d/daytime.orig Sun Dec 16 19:00:14 2001
\end_layout
\begin_layout Code
+
+++ /etc/xinetd.d/daytime Sun Dec 16 19:00:22 2001
\end_layout
\begin_layout Code
+
@@ -10,5 +10,5 @@
\end_layout
\begin_layout Code
+
protocol = tcp
\end_layout
\begin_layout Code
+
user = root
\end_layout
\begin_layout Code
+
wait = no
\end_layout
\begin_layout Code
+
- disable = yes
\end_layout
\begin_layout Code
+
+ disable = no
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -15103,22 +16800,27 @@ dann sollten Sie nach einem Neustart des xinetd-Dienstes z.B.
\end_layout
\begin_layout Code
+
# netstat -lnptu -A inet6 |grep "xinetd*"
\end_layout
\begin_layout Code
+
tcp 0 0 ::ffff:192.168.1.1:993 :::* LISTEN 12345/xinetd-ipv6
\end_layout
\begin_layout Code
+
tcp 0 0 :::13 :::* LISTEN 12345/xinetd-ipv6 <- service
\end_layout
\begin_layout Code
+
¬ daytime/tcp
\end_layout
\begin_layout Code
+
tcp 0 0 ::ffff:192.168.1.1:143 :::* LISTEN 12345/xinetd-ipv6
\end_layout
@@ -15179,22 +16881,27 @@ Virtueller Host mit IPv6 Adresse
\end_layout
\begin_layout Code
+
Listen [2001:0db8:100::1]:80
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
ServerName ipv6only.yourdomain.yourtopleveldomain
\end_layout
\begin_layout Code
+
# ...sure more config lines
\end_layout
\begin_layout Code
+
\end_layout
@@ -15203,26 +16910,32 @@ Virtueller Host mit IPv4 und IPv6 Adresse
\end_layout
\begin_layout Code
+
Listen [2001:0db8:100::2]:80
\end_layout
\begin_layout Code
+
Listen 1.2.3.4:80
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
ServerName ipv6andipv4.yourdomain.yourtopleveldomain
\end_layout
\begin_layout Code
+
# ...sure more config lines
\end_layout
\begin_layout Code
+
\end_layout
@@ -15231,20 +16944,24 @@ Das Ergebnis sollten nach einen Neustart des Dienstes etwa Folgendes sein:
\end_layout
\begin_layout Code
+
# netstat -lnptu |grep "httpd2
\backslash
W*$"
\end_layout
\begin_layout Code
+
tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 12345/httpd2
\end_layout
\begin_layout Code
+
tcp 0 0 2001:0db8:100::1:80 :::* LISTEN 12345/httpd2
\end_layout
\begin_layout Code
+
tcp 0 0 2001:0db8:100::2:80 :::* LISTEN 12345/httpd2
\end_layout
@@ -15351,42 +17068,52 @@ Die Konfigurationsdatei des radvd ist normalerweise die Datei /etc/radvd.conf.
\end_layout
\begin_layout Code
+
interface eth0 {
\end_layout
\begin_layout Code
+
AdvSendAdvert on;
\end_layout
\begin_layout Code
+
MinRtrAdvInterval 3;
\end_layout
\begin_layout Code
+
MaxRtrAdvInterval 10;
\end_layout
\begin_layout Code
+
prefix 2001:0db8:0100:f101::/64 {
\end_layout
\begin_layout Code
+
AdvOnLink on;
\end_layout
\begin_layout Code
+
AdvAutonomous on;
\end_layout
\begin_layout Code
+
AdvRouterAddr on;
\end_layout
\begin_layout Code
+
};
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -15395,23 +17122,28 @@ Als Ergebnis auf der Client-Seite ergibt sich hieraus:
\end_layout
\begin_layout Code
+
# ip -6 addr show eth0
\end_layout
\begin_layout Code
+
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
\end_layout
\begin_layout Code
+
inet6 2001:0db8:100:f101:2e0:12ff:fe34:1234/64 scope global dynamic
\end_layout
\begin_layout Code
+
valid_lft 2591992sec preferred_lft 604792sec
\end_layout
\begin_layout Code
+
inet6 fe80::2e0:12ff:fe34:1234/10 scope link
\end_layout
@@ -15438,54 +17170,67 @@ Seit der Version 0.6.2pl3 wird die automatische (Neu)-Erstellung des Präfixes
\end_layout
\begin_layout Code
+
interface eth0 {
\end_layout
\begin_layout Code
+
AdvSendAdvert on;
\end_layout
\begin_layout Code
+
MinRtrAdvInterval 3;
\end_layout
\begin_layout Code
+
MaxRtrAdvInterval 10;
\end_layout
\begin_layout Code
+
prefix 0:0:0:f101::/64 {
\end_layout
\begin_layout Code
+
AdvOnLink off;
\end_layout
\begin_layout Code
+
AdvAutonomous on;
\end_layout
\begin_layout Code
+
AdvRouterAddr on;
\end_layout
\begin_layout Code
+
Base6to4Interface ppp0;
\end_layout
\begin_layout Code
+
AdvPreferredLifetime 20;
\end_layout
\begin_layout Code
+
AdvValidLifetime 30;
\end_layout
\begin_layout Code
+
};
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -15495,23 +17240,28 @@ Das Ergebnis auf Clientseite ist (unter der Annahme, dass ppp0 die lokale
\end_layout
\begin_layout Code
+
# /sbin/ip -6 addr show eth0
\end_layout
\begin_layout Code
+
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
\end_layout
\begin_layout Code
+
inet6 2002:0102:0304:f101:2e0:12ff:fe34:1234/64 scope global dynamic
\end_layout
\begin_layout Code
+
valid_lft 22sec preferred_lft 12sec
\end_layout
\begin_layout Code
+
inet6 fe80::2e0:12ff:fe34:1234/10 scope link
\end_layout
@@ -15530,6 +17280,7 @@ Achtung: wenn keine spezielle 6to4-Unterstützung der initscripts benutzt
\end_layout
\begin_layout Code
+
# /sbin/ip -6 route add 2002:0102:0304:f101::/64 dev eth0 metric 1
\end_layout
@@ -15559,86 +17310,107 @@ radvdump
\end_layout
\begin_layout Code
+
# radvdump
\end_layout
\begin_layout Code
+
Router advertisement from fe80::280:c8ff:feb9:cef9 (hoplimit 255)
\end_layout
\begin_layout Code
+
AdvCurHopLimit: 64
\end_layout
\begin_layout Code
+
AdvManagedFlag: off
\end_layout
\begin_layout Code
+
AdvOtherConfigFlag: off
\end_layout
\begin_layout Code
+
AdvHomeAgentFlag: off
\end_layout
\begin_layout Code
+
AdvReachableTime: 0
\end_layout
\begin_layout Code
+
AdvRetransTimer: 0
\end_layout
\begin_layout Code
+
Prefix 2002:0102:0304:f101::/64
\end_layout
\begin_layout Code
+
AdvValidLifetime: 30
\end_layout
\begin_layout Code
+
AdvPreferredLifetime: 20
\end_layout
\begin_layout Code
+
AdvOnLink: off
\end_layout
\begin_layout Code
+
AdvAutonomous: on
\end_layout
\begin_layout Code
+
AdvRouterAddr: on
\end_layout
\begin_layout Code
+
Prefix 2001:0db8:100:f101::/64
\end_layout
\begin_layout Code
+
AdvValidLifetime: 2592000
\end_layout
\begin_layout Code
+
AdvPreferredLifetime: 604800
\end_layout
\begin_layout Code
+
AdvOnLink: on
\end_layout
\begin_layout Code
+
AdvAutonomous: on
\end_layout
\begin_layout Code
+
AdvRouterAddr: on
\end_layout
\begin_layout Code
+
AdvSourceLLAddress: 00 80 12 34 56 78
\end_layout
@@ -15704,54 +17476,67 @@ Die Konfigurationsdatei des dhcp6s ist normalerweise /etc/dhcp6s.conf.
\end_layout
\begin_layout Code
+
interface eth0 {
\end_layout
\begin_layout Code
+
server-preference 255;
\end_layout
\begin_layout Code
+
renew-time 60;
\end_layout
\begin_layout Code
+
rebind-time 90;
\end_layout
\begin_layout Code
+
prefer-life-time 130;
\end_layout
\begin_layout Code
+
valid-life-time 200;
\end_layout
\begin_layout Code
+
allow rapid-commit;
\end_layout
\begin_layout Code
+
option dns_servers 2001:db8:0:f101::1 sub.domain.example;
\end_layout
\begin_layout Code
+
link AAA {
\end_layout
\begin_layout Code
+
range 2001:db8:0:f101::1000 to 2001:db8:0:f101::ffff/64;
\end_layout
\begin_layout Code
+
prefix 2001:db8:0:f101::/64;
\end_layout
\begin_layout Code
+
};
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -15775,18 +17560,22 @@ Die Konfigurationsdatei von dhcp6c ist normalerweise /etc/dhcp6c.conf.
\end_layout
\begin_layout Code
+
interface eth0 {
\end_layout
\begin_layout Code
+
send rapid-commit;
\end_layout
\begin_layout Code
+
request domain-name-servers;
\end_layout
\begin_layout Code
+
};
\end_layout
@@ -15810,6 +17599,7 @@ Starten des Servers, z.B.
\end_layout
\begin_layout Code
+
# service dhcp6s start
\end_layout
@@ -15827,10 +17617,12 @@ Starten des Clients im Vordergrund, z.B.
\end_layout
\begin_layout Code
+
# dhcp6c -f eth0
\end_layout
\begin_layout Code
+
...
\end_layout
@@ -15854,6 +17646,7 @@ Der Server hat einen Vordergrund und zwei Debug-Schalter (von denen beide
\end_layout
\begin_layout Code
+
# dhcp6c -d -D -f eth0
\end_layout
@@ -15871,6 +17664,7 @@ Mit einem IPv6 Ping an die DHCP Multicast-Adresse kann getestet werden,
\end_layout
\begin_layout Code
+
# ping6 -I eth0 ff02::1:2
\end_layout
@@ -15881,47 +17675,58 @@ Der Client hat einen Vordergrund und zwei Debug-Schalter, hier ein Beispiel:
\end_layout
\begin_layout Code
+
# dhcp6c -d -f eth0
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:16 dhcpv6 doesn't support hardware type 776
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:16 doesn't support sit0 address family 0
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:16 netlink_recv_rtgenmsg error
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:16 netlink_recv_rtgenmsg error
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 status code for this address is: success
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 status code: success
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 netlink_recv_rtgenmsg error
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 netlink_recv_rtgenmsg error
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 assigned address 2001:db8:0:f101::1002 prefix len is
not in any RAs prefix length using 64 bit instead
\end_layout
\begin_layout Code
+
Oct/03/2005 17:18:17 renew time 60, rebind time 9
\end_layout
@@ -15988,26 +17793,32 @@ Erstellen einer eigenen Konfigurationsdatei /etc/dhcp/dhcpd6.conf für den
\end_layout
\begin_layout Code
+
default-lease-time 600;
\end_layout
\begin_layout Code
+
max-lease-time 7200;
\end_layout
\begin_layout Code
+
log-facility local7;
\end_layout
\begin_layout Code
+
subnet6 2001:db8:0:1::/64 {
\end_layout
\begin_layout Code
+
# Range for clients
\end_layout
\begin_layout Code
+
range6 2001:db8:0:1::129 2001:db8:0:1::254;
\end_layout
@@ -16016,10 +17827,12 @@ subnet6 2001:db8:0:1::/64 {
\end_layout
\begin_layout Code
+
# Range for clients requesting a temporary address
\end_layout
\begin_layout Code
+
range6 2001:db8:0:1::/64 temporary;
\end_layout
@@ -16028,14 +17841,17 @@ subnet6 2001:db8:0:1::/64 {
\end_layout
\begin_layout Code
+
# Additional options
\end_layout
\begin_layout Code
+
option dhcp6.name-servers fec0:0:0:1::1;
\end_layout
\begin_layout Code
+
option dhcp6.domain-search "domain.example";
\end_layout
@@ -16044,10 +17860,12 @@ subnet6 2001:db8:0:1::/64 {
\end_layout
\begin_layout Code
+
# Prefix range for delegation to sub-routers
\end_layout
\begin_layout Code
+
prefix6 2001:db8:0:100:: 2001:db8:0:f00:: /56;
\end_layout
@@ -16056,27 +17874,33 @@ subnet6 2001:db8:0:1::/64 {
\end_layout
\begin_layout Code
+
# Example for a fixed host address
\end_layout
\begin_layout Code
+
host specialclient {
\end_layout
\begin_layout Code
+
host-identifier option dhcp6.client-id 00:01:00:01:4a:1f:ba:e3:60:b9:1f:01:
23:45;
\end_layout
\begin_layout Code
+
fixed-address6 2001:db8:0:1::127;
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -16115,6 +17939,7 @@ dhcp6c
\end_layout
\begin_layout Code
+
# hexdump -e '"%07.7_ax " 1/2 "%04x" " " 14/1 "%02x:" "
\backslash
n"' /var/lib/dhcpv6/dhcp6c_duid 0000000 000e 00:01:00:01:4a:1f:ba:e3:60:b9:1f:01
@@ -16140,46 +17965,56 @@ Starte den Server im Vordergrund:
\end_layout
\begin_layout Code
+
# /usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf eth1
\end_layout
\begin_layout Code
+
Internet Systems Consortium DHCP Server 4.1.0
\end_layout
\begin_layout Code
+
Copyright 2004-2008 Internet Systems Consortium.
\end_layout
\begin_layout Code
+
All rights reserved.
\end_layout
\begin_layout Code
+
For info, please visit http://www.isc.org/sw/dhcp/
\end_layout
\begin_layout Code
+
Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not
specified in the config file
\end_layout
\begin_layout Code
+
Wrote 0 leases to leases file.
\end_layout
\begin_layout Code
+
Bound to *:547
\end_layout
\begin_layout Code
+
Listening on Socket/5/eth1/2001:db8:0:1::/64
\end_layout
\begin_layout Code
+
Sending on Socket/5/eth1/2001:db8:0:1::/64
\end_layout
@@ -16222,50 +18057,62 @@ Erstellen der Konfigurationsdatei /etc/dibbler/server.conf .
\end_layout
\begin_layout Code
+
log-level 8
\end_layout
\begin_layout Code
+
log-mode short
\end_layout
\begin_layout Code
+
preference 0
\end_layout
\begin_layout Code
+
iface "eth1" {
\end_layout
\begin_layout Code
+
prefered-lifetime 3600
\end_layout
\begin_layout Code
+
valid-lifetime 7200
\end_layout
\begin_layout Code
+
class {
\end_layout
\begin_layout Code
+
pool 2001:db8:0:1::/64
\end_layout
\begin_layout Code
+
}
\end_layout
\begin_layout Code
+
option dns-server fec0:0:0:1::1
\end_layout
\begin_layout Code
+
option domain domain.example
\end_layout
\begin_layout Code
+
}
\end_layout
@@ -16288,124 +18135,148 @@ Start Server im Vorgergrund:
\end_layout
\begin_layout Code
+
# dibbler-server run
\end_layout
\begin_layout Code
+
| Dibbler - a portable DHCPv6, version 0.7.3 (SERVER, Linux port)
\end_layout
\begin_layout Code
+
| Authors : Tomasz Mrugalski,Marek Senderski
\end_layout
\begin_layout Code
+
| Licence : GNU GPL v2 only.
Developed at Gdansk University of Technology.
\end_layout
\begin_layout Code
+
| Homepage: http://klub.com.pl/dhcpv6/
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Notice My pid (1789) is stored in /var/lib/dibbler/s
erver.pid
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Notice Detected iface eth0/3, MAC=54:52:00:01:23:45.
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Notice Detected iface eth1/2, MAC=54:52:00:67:89:ab.
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Notice Detected iface lo/1, MAC=00:00:00:00:00:00.
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Debug Skipping database loading.
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Debug Cache:server-cache.xml file: parsing started,
expecting 0 entries.
\end_layout
\begin_layout Code
+
2009.05.28 10:18:48 Server Notice Parsing /etc/dibbler/server.conf config
file...
\end_layout
\begin_layout Code
+
18:48 Server Debug Setting 0 generic option(s).
\end_layout
\begin_layout Code
+
18:48 Server Debug 0 per-client configurations (exceptions) added.
\end_layout
\begin_layout Code
+
18:48 Server Debug Parsing /etc/dibbler/server.conf done.
\end_layout
\begin_layout Code
+
18:48 Server Info 0 client class(es) defined.
\end_layout
\begin_layout Code
+
18:48 Server Debug 1 interface(s) specified in /etc/dibbler/server.conf
\end_layout
\begin_layout Code
+
18:48 Server Info Mapping allow, deny list to class 0:0 allow/deny
entries in total.
\end_layout
\begin_layout Code
+
18:48 Server Info Interface eth1/2 configuration has been loaded.
\end_layout
\begin_layout Code
+
18:48 Server Notice Running in stateful mode.
\end_layout
\begin_layout Code
+
18:48 Server Info My DUID is 00:01:00:01:11:aa:6d:a7:54:52:00:67:89:ab.
\end_layout
\begin_layout Code
+
18:48 Server Notice Creating multicast (ff02::1:2) socket on eth1/2 (eth1/2)
interface.
\end_layout
\begin_layout Code
+
18:48 Server Debug Cache: size set to 1048576 bytes, 1 cache entry size
is 87 bytes, so maximum 12052 address-client pair(s) may be cached.
\end_layout
\begin_layout Code
+
18:48 Server Notice Accepting connections.
Next event in 4294967295 second(s).
\end_layout
@@ -16470,6 +18341,7 @@ s.allow sowie /etc/hosts.deny.
\end_layout
\begin_layout Code
+
$ man hosts.allow
\end_layout
@@ -16484,11 +18356,13 @@ In dieser Datei wird ein Dienst pro Zeile eingetragen, der positiv gefiltert
\end_layout
\begin_layout Code
+
sshd: 1.2.3.
[2001:0db8:100:200::]/64
\end_layout
\begin_layout Code
+
daytime-stream: 1.2.3.
[2001:0db8:100:200::]/64
\end_layout
@@ -16509,6 +18383,7 @@ In dieser Datei werden alle Einträge negativ gefiltert.
\end_layout
\begin_layout Code
+
ALL: ALL
\end_layout
@@ -16520,10 +18395,12 @@ Sie können bei Bedarf obige Standardzeile auch durch Folgende ersetzen,
\end_layout
\begin_layout Code
+
ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`"
\end_layout
\begin_layout Code
+
| tee -a /var/log/tcp.deny.log | mail root@localhost)
\end_layout
@@ -16546,18 +18423,22 @@ Das Logging einer abgelehnten IPv4-Verbindung zu einem durch den xinetd
\end_layout
\begin_layout Code
+
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
\end_layout
\begin_layout Code
+
¬ from=::ffff:1.2.3.4
\end_layout
\begin_layout Code
+
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
\end_layout
\begin_layout Code
+
from=2001:0db8:100:200::212:34ff:fe12:3456
\end_layout
@@ -16568,22 +18449,27 @@ Das Logging einer abgelehnten IPv4-Verbindung zu einem durch den xinetd
\end_layout
\begin_layout Code
+
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4
\end_layout
\begin_layout Code
+
¬ (::ffff:1.2.3.4)
\end_layout
\begin_layout Code
+
Jan 2 20:39:33 gate sshd[12345]: refused connect
\end_layout
\begin_layout Code
+
from 2001:0db8:100:200::212:34ff:fe12:3456
\end_layout
\begin_layout Code
+
¬ (2001:0db8:100:200::212:34ff:fe12:3456)
\end_layout
@@ -16597,18 +18483,22 @@ Das Logging einer akzeptierten IPv4-Verbindung zu einem durch den xinetd
\end_layout
\begin_layout Code
+
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
\end_layout
\begin_layout Code
+
¬ from=::ffff:1.2.3.4
\end_layout
\begin_layout Code
+
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
\end_layout
\begin_layout Code
+
from=2001:0db8:100:200::212:34ff:fe12:3456
\end_layout
@@ -16618,18 +18508,22 @@ Das Logging einer akzeptierten IPv4-Verbindung zu einem auf zwei Ports hörenden
\end_layout
\begin_layout Code
+
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4
\end_layout
\begin_layout Code
+
¬ port 33381 ssh2
\end_layout
\begin_layout Code
+
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user
\end_layout
\begin_layout Code
+
from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
\end_layout
@@ -16665,6 +18559,7 @@ listen
\end_layout
\begin_layout Code
+
listen_ipv6=yes
\end_layout
@@ -16699,22 +18594,27 @@ Editiere die Konfigurationsdatei, üblicherweise /etc/proftpd.conf, allerdings
\end_layout
\begin_layout Code
+
\end_layout
\begin_layout Code
+
...
\end_layout
\begin_layout Code
+
Bind 2001:0DB8::1
\end_layout
\begin_layout Code
+
...
\end_layout
\begin_layout Code
+
\end_layout
diff --git a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.pdf b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.pdf
index 9aab0555..e4eb8225 100644
Binary files a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.pdf and b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.pdf differ
diff --git a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.sgml b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.sgml
index 3233f944..ee360fbf 100644
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.sgml
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.sgml
@@ -14,7 +14,7 @@
Linux IPv6 HOWTO (de)
PeterBieringerpb at bieringer dot de
- 0.66wip.de.1 2014-05-10 PB
+ 0.66wip.de.1 2014-05-13 PB
0.65.de.1 2009-12-13 PB
0.64.de.1 2009-06-11 PB
0.61.de.1 2007-10-06 PB
@@ -1384,11 +1384,107 @@ FRAG6: inuse 0 memory 0
Netlink-Interface zum Kernel
Mehr Infos hierzu in späteren Versionen... der Autor hat hiermit keine Erfahrung...
Adress-Auflösung
-Die Auflösung von Namen zu einer IPv4- bzw. IPv6-Adresse wird üblicherweise durch die Benutzung einer libc resolver Bibliothek durchgeführt. Es sind einige Seltsamkeiten bekannt bei der Nutzung der Funktion getaddrinfo.
-Mehr Information kann dazu aktuell gefunden werden unter Linux & IPv6: getaddrinfo and search domains - Research and RFC 3484 on Linux.
-Mehr Infos hierzu in späteren Versionen...
+Zusätzliche Informationen sind hier zu finden
+Linux & IPv6: getaddrinfo and search domains - ResearchRFC 3484 on Linux Karl Auer's Blog: Controlling IPv6 source address selection , IPv6 Source Address Selection - what, why, howInto6: /etc/gai.conf - it ain't what you think it isAddress-Auflösung & Ziel-Adressen-Auswahl
+Die Auflösung von Namen zu einer IPv4- bzw. IPv6-Adresse wird üblicherweise durch die Benutzung einer libc resolver Bibliothek durchgeführt. Dazu wird normalerweise die Funktion getaddrinfo benutzt. Im Fall, dass mehr als eine IPv6-Adresse zurückgegeben wird, soll nach RFC 3484 / Default Address Selection for Internet Protocol version 6 eine Sortierung angewandt werden, die optional auch konfiguriert werden kann.
+Die “Magie” ist durch die Datei /etc/gai.conf konfigurierbar (welche fehlt oder leer ist, solange Standardwerte gelten sollen). Die vorgegebene Sortierung ist üblicherweise in der Dokumentation (z.B. /usr/share/doc/glibc-common/gai.conf) oder im Manual “man gai.conf” zu sehen.
+Für die Kontrolle der Sortierung via benutzerdefinierter Konfiguration ist für Tests folgendes notwendig:
+Ein Hostname im DNS, der mehr als eine IPv6-Adresse zurückgibt, z.B.
+
+Lookup via DNS (mit /etc/hosts klappt es nicht)/etc/gai.conf mit einer passenden Konfiguration, e.g.
+
+Für Tests kann dann ein Telnet-Client benutzt werden:
+
+Wenn nun die precedence geändert wird in der Konfiguration:
+
+Dann ändert sich die Reihenfolge entsprechend
+Quell-Addressen-Auswahl
+Source address selection in Linux wird automatisch vom Kernel vorgenommen, üblicherweise abhängig von den Routing-Tabellen und unter der Vorgabe, den Scope einer Adresse beizubehalten.
+Quell-Adressen-Auswahl mit “ip addrlabel”
+Mit einer Erweiterung der internen “ip addrlabel” Tabelle kann eine Quell-Adresse zu einer Ziel-Adresse gebunden werden. Bindung wird hier durch die Angabe des gleichen Labels (einer Nummer) konfiguriert.
+Standard von “ip addrlabel” (hier von CentOS 6):
+
+Das System ist multihomed (hier an einem Interface), der Router verteilt 2 Präfixe mit Hilfe von radvd:
+
+Eine Verbindung zum Server zeigt nun:
+
+Ein tcpdump mit filter “tcp and dst port 23” zeigt nur die Benutzung der oberen lokalen Quell-IPv6-Adresse
+ 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A)
+IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.45754 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-A -> dst-B)
+]]>
+Wenn nun Quelle und Ziel mit Hilfe von “ip addrlabel” zusammengebunden werden:
+
+Was in folgender “ip addrlabel”resultiert:
+
+Und dann nochmal eine Verbindung zum Server versucht wird
+
+tcpdump mit filter “tcp and dst port 23” zeigt nun die Benutzung beider Quell-IPv6-Adressen wie konfiguriert
+ 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A)
+IP6 2001:6f8:900:8cbc:5054:ff:fefb:6582.39632 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-B -> dst-B)
+]]>Persistente Konfiguration von “ip addrtable” ist wahrscheinlich in aktuellen Linux-Distributionen nicht unterstützt, somit wäre eine Erweiterung der Netzwerk-Init-Scripts oder rc.local notwendig. Ein Skript, welches Informationen aus /etc/gai.conf in entsprechendes “ip addrtable” umwandelt, gibt es hier: /etc/gai.conf - it ain't what you think it is
Netzwerk-Fehlersuche
Server Socket-Anbindung
diff --git a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html
index 317d8750..89f2635d 100644
--- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html
+++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html
@@ -62,7 +62,7 @@ ALIGN="LEFT"
>Revision 0.66wip2014-05-10 | 2014-05-13Revised by: PB | 13. Address ResolverAddress Resolver & Selection14. - 14.1. Server socket binding
- 15.1. Red Hat Linux and “clones”
- 15.2. SuSE Linux
- 16.1. Stateless auto-configuration out-of-the-box
- 16.2. Stateless auto-configuration using Router Advertisement Daemon (radvd)
- 16.3. Dynamic Host Configuration Protocol v6 (DHCPv6)
- 17.1. Common information
18.2. Preparation18.3. Usage of ip6tables18.5. Firewalling using nftables- 19.1. Node security
- 19.2. Access limitations
- 20.1. Modes of using encryption and authentication
- 20.2. Support in kernel (ESP and AH)
- 20.3. Automatic key exchange (IKE)
- 20.4. Additional informations:
- 21.1. General
- 21.2. Linux QoS using “tc”
- 23.2. Other programming languages
25.4. IPv6 Infrastructure26. Revision history / Credits / The End26.3. The EndChapter 13. Address ResolverChapter 13. Address Resolver & SelectionName to IPv4 or IPv6 address resolving is usually done using a libc resolver library. There are some issues known using the function getaddrinfo.
Additional info can be found at
More info can be found at
Address Resolver & Destination Address Selection
Name to IPv4 or IPv6 address resolving is usually done using a libc resolver library. Usually the function getaddrinfo is used for that. In case of more than one IPv6 address is returned, according to RFC 3484 / Default Address Selection for Internet Protocol version 6 a sorting should be applied, which can be optionally configured.
The “magic” is controlled by a file named /etc/gai.conf (it can be that it is empty or missing by default). Default is usually somewhere stored in documentation, see “man gai.conf” or e.g. /usr/share/doc/glibc-common/gai.conf.
For controlling sort order by configuration following are needed for testing:
$ dig +short aaaa st1.bieringer.de
+2001:4dd0:ff00:834::2
+2a01:238:423d:8800:85b3:9e6b:3019:8909 |
precedence ::1/128 50 # default
+precedence ::/0 40 # default
+precedence 2002::/16 30 # default
+precedence ::/96 20 # default
+precedence ::ffff:0:0/96 10 # default
+precedence 2001:4dd0:ff00:834::/64 80 # dst-A
+precedence 2a01:238:423d:8800::/64 90 # dst-B |
$ telnet st1.bieringer.de
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909... (dst-B)
+...
+Trying 2001:4dd0:ff00:834::2... (dst-A)
+... |
precedence 2001:4dd0:ff00:834::/64 90 # dst-A ex 80
+precedence 2a01:238:423d:8800::/64 80 # dst-B ex 90 |
$ telnet st1.bieringer.de
+Trying 2001:4dd0:ff00:834::2... (dst-A)
+...
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909... (dst-B)
+... |
Source Address Selection
Source address selection in Linux is done automatically by kernel and usually only using information from routing tables and try to match the same scope of address.
Source Address Selection with “ip addrlabel”
With extension of internal “ip addrlabel” a source address can be bound to a destination address (e.g. selected via mechanisms above). Binding means here: “same label” (label is a number).
# ip addrlabel
+prefix ::1/128 label 0
+prefix ::/96 label 3
+prefix ::ffff:0.0.0.0/96 label 4
+prefix 2001::/32 label 6
+prefix 2001:10::/28 label 7
+prefix 2002::/16 label 2
+prefix fc00::/7 label 5
+prefix ::/0 label 1 |
# ip -6 addr show dev eth1 | grep -w inet6 |grep -w global
+ inet6 2001:6f8:12d8:2:5054:ff:fefb:6582/64 scope global dynamic
+ inet6 2001:6f8:900:8cbc:5054:ff:fefb:6582/64 scope global dynamic |
$ telnet st1.bieringer.de
+Trying 2001:4dd0:ff00:834::2... (dst-A)
+...
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909... (dst-B)
+... |
IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.37762 > 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A)
+IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.45754 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-A -> dst-B) |
# ip addrlabel add prefix 2001:6f8:12d8:2::/64 label 200
+# ip addrlabel add prefix 2001:6f8:900:8cbc::/64 label 300
+# ip addrlabel add prefix 2001:4dd0:ff00:834::/64 label 200
+# ip addrlabel add prefix 2a01:238:423d:8800::/64 label 300 |
# ip addrlabel
+prefix ::1/128 label 0
+prefix ::/96 label 3
+prefix ::ffff:0.0.0.0/96 label 4
+prefix 2a01:238:423d:8800::/64 label 300 # dst-B
+prefix 2001:4dd0:ff00:834::/64 label 200 # dst-A
+prefix 2001:6f8:900:8cbc::/64 label 300 # src-B
+prefix 2001:6f8:12d8:2::/64 label 200 # src-A
+prefix 2001::/32 label 6
+prefix 2001:10::/28 label 7
+prefix 2002::/16 label 2
+prefix fc00::/7 label 5
+prefix ::/0 label 1 |
$ telnet st1.bieringer.de
+Trying 2001:4dd0:ff00:834::2... (dst-A)
+...
+Trying 2a01:238:423d:8800:85b3:9e6b:3019:8909... (dst-B)
+... |
IP6 2001:6f8:12d8:2:5054:ff:fefb:6582.37765 > 2001:4dd0:ff00:834::2.telnet: (src-A -> dst-A)
+IP6 2001:6f8:900:8cbc:5054:ff:fefb:6582.39632 > 2a01:238:423d:8800:85b3:9e6b:3019:8909.telnet: (src-B -> dst-B) |
Setup of persistent “ip addrtable” is probably currently not supported by Linux distributions, so extension of network init scripts or rc.local must be used for that. A script which uses information from /etc/gai.conf and configure “ip addrtable” accordingly can be found here: /etc/gai.conf - it ain't what you think it is