On 13-07-2015 17:42, Daniel Melameth wrote:
I’d love it if someone would be open to spending the time to do a
“PHD” write up on getting OpenBSD base usable as a stateless IPv6
router/firewall with Comcast.  While I agree that write ups like these
should be unnecessary, and man pages should have all the relevant
information needed for someone to do this without hand holding, IPv6
is still “new,” has a lot of moving parts and still isn’t widely used.
For one, I didn’t know all of this could be done without DHCPv6 so I’m
very interested in doing this at home.
Well,

I prepared myself by studying IPv6 years ago using tunnel brokers like SixXS. You can find a lot of relevant information in the man pages, but, since it is better for a man page to be simple and clean, some things need digging through RFCs and/or source code. I will take some time in the near future to try to port an NDP proxy to OpenBSD. I'm currently using a bridge firewall between my CPE and the client machines. While this works, the machines get the DNS servers from the CPE, and not from my firewall, which is far from optimal. But I can at least filter on the packets as they pass through my bridge. Better to have the clients talk directly to the CPE, which, by the way, comes from the factory with no firewall enabled. Any connection from outside gets routed to the clients. Better enable a firewall on your clients too. You never know when you will connect to an IPv6-enabled network that routes every incoming connection. I know, I know, end to end connectivity, etc. But people aren't prepared for this. The CPE routers today do not allow incoming connections, because we have to use NAT. So it would never know where to forward the packets to, unless you tell it to. But, with IPv6 end to end, there will be a lot of people that will be caught off guard, especially because almost every OS (except OpenBSD) will automatically configure IPv6 if present.

Cheers,
Giancarlo Razzolini
