[Fli4l_dev] fli4l and ipv6
Ulrich Hupe
Ulrich.Hupe at t-online.de
Mon May 26 16:26:26 CEST 2025
Here is the conf from back then:
As I said, it is the simplest case and also 3 years old.
If I had switched to Deutsche Glasfaser, I would have had a problem with
it too.
Since the provider also has to translate everything: ipv6 to ipv4
It then also knows where you surf etc...
Ulrich
##-----------------------------------------------------------------------------
## fli4l 3.10.19 - configuration for package "ipv6"
##
## P L E A S E   R E A D   T H E   D O C U M E N T A T I O N !
##
##-----------------------------------------------------------------------------
## Creation: Christoph Schulz
## Last Update: $Id: ipv6.txt 48875 2017-08-25 06:27:59Z florian $
##
## Copyright (c) 2001-2016 - Frank Meyer, fli4l-Team <team at fli4l.de>
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##-----------------------------------------------------------------------------
#------------------------------------------------------------------------------
# IPv6 general settings
#------------------------------------------------------------------------------
OPT_IPV6='yes' # set to 'yes' to activate IPv6 support
#HOSTNAME_IP6='IPV6_NET_1_IPADDR'
# optional, can be used to explicitly set
# the router's IPv6 address; if left empty,
# this setting is taken from the first
# configured /64 IPv6 subnet (see below)
#------------------------------------------------------------------------------
# IPv6 networks
#------------------------------------------------------------------------------
IPV6_NET_N='1' # number of IPv6 subnets to configure;
# at least one subnet is necessary to
# create a local IPv6 network!
IPV6_NET_1='2022:1a:2b:154::1/64' # The router address and net mask within
# this subnet. If this subnet is associated
# with a tunnel (see IPV6_NET_%_TUNNEL
# below), use an address WITHOUT the subnet
# prefix (which is possibly not known yet
# as it may be dynamically assigned while
# configuring the tunnel); when the
# associated tunnel is set up, its prefix
# will be combined with the address
# specified here to yield a complete
# address.
#
# NOTE that the net mask must be equal to
# 64 if you want to use stateless IPv6
# autoconfiguration!
#
# In this example, a /48 subnet prefix is
# assumed which is extended by the subnet
# '1' and the host part '0:0:0:1'. So with
# e.g. '2001:db8:13bc/48' as subnet prefix,
# the complete address and mask becomes
# '2001:db8:13bc:1::1/64'.
IPV6_NET_1_TUNNEL='' # the index of the associated tunnel; if
# left empty, no tunnel is associated, so
# the address specification above is taken
# "as is" and is not completed by any
# prefix
IPV6_NET_1_DEV='eth1' # interface this subnet is bound to
IPV6_NET_1_ADVERTISE='yes' # should the subnet prefix be advertised
# automatically via RA in order to enable
# stateless autoconfiguration?
IPV6_NET_1_ADVERTISE_DNS='no' # should the DNS service be advertised
# within this subnet via RA?
IPV6_NET_1_DHCP='no' # should domain and DNS server be available
# via DHCPv6 in this subnet?
#------------------------------------------------------------------------------
# IPv6 tunnels (see documentation for details!)
#------------------------------------------------------------------------------
IPV6_TUNNEL_N='0' # number of tunnels to set up
IPV6_TUNNEL_1_TYPE='he' # tunnel type
IPV6_TUNNEL_1_LOCALV4='dynamic' # IPv4 address of the local tunnel endpoint;
# use 'dynamic' for a dial-up connection
IPV6_TUNNEL_1_DEFAULT='yes' # should this tunnel be used for routing
# IPv6 traffic to/from the Internet?
# NOTE that at most one tunnel can be the
# default one!
#IPV6_TUNNEL_1_DEV='6in4' # (optional) name of the interface to
# create for this tunnel; if left empty,
# a unique name is generated automatically
#IPV6_TUNNEL_1_MTU='1280' # (optional) MTU size in bytes for this
# tunnel; the default value of 1280 is
# recommended by many tunnel providers
#------------------------------------------------------------------------------
# when tunnel type is 'static'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188'
# IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64'
# IPv6 address and mask of the local
# tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1'
# IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc::/48'
# the associated subnet prefix
#------------------------------------------------------------------------------
# when tunnel type is 'he'
#------------------------------------------------------------------------------
#IPV6_TUNNEL_1_REMOTEV4='203.0.113.188'
# IPv4 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_LOCALV6='2001:db8:900:530::2/64'
# IPv6 address and mask of the
# local tunnel endpoint
#IPV6_TUNNEL_1_REMOTEV6='2001:db8:900:530::1'
# IPv6 address of the remote tunnel endpoint
#IPV6_TUNNEL_1_PREFIX='2001:db8:13bc/48'
# assigned /48 subnet prefix;
# leave empty if you don't have one yet
#IPV6_TUNNEL_1_USERID='userid' # HE user id (found on the main page after login)
#IPV6_TUNNEL_1_PASSWORD='password'
# HE password
#IPV6_TUNNEL_1_TUNNELID='123456'
# tunnel ID
#------------------------------------------------------------------------------
# Additional IPv6 routes (don't use this for default routes!)
#------------------------------------------------------------------------------
IPV6_ROUTE_N='0' # number of routes
IPV6_ROUTE_1='2001:db8:13bc:2::/64 2001:db8:900:530::1'
# example route
#------------------------------------------------------------------------------
# Packet filter configuration
#------------------------------------------------------------------------------
# INPUT chain
#------------------------------------------------------------------------------
PF6_INPUT_POLICY='REJECT' # be nice and use reject as policy
PF6_INPUT_ACCEPT_DEF='yes' # use default rule set
PF6_INPUT_LOG='yes' # 'yes' enables logging for this chain
PF6_INPUT_LOG_LIMIT='3/minute:5'
# log 3 events per minute; allow a burst
# of 5 events
PF6_INPUT_REJ_LIMIT='1/second:5'
# reject 1 connection per second; allow a burst
# of 5 events; otherwise drop packet
PF6_INPUT_UDP_REJ_LIMIT='1/second:5'
# reject 1 udp packet per second; allow a burst
# of 5 events; otherwise drop packet
PF6_INPUT_N='0' # number of INPUT rules
PF6_INPUT_1='[2022:1a:2b:154::0/10] ACCEPT'
# allow all hosts in the local network to
# access the router
PF6_INPUT_2='IPV6_NET_1 ACCEPT' # allow all hosts in the first subnet to access
# the router
PF6_INPUT_3='tmpl:samba DROP NOLOG'
# drop (or reject) samba access
PF6_INPUT_3_COMMENT='no samba traffic allowed'
# without logging, otherwise the log file will
# be filled with useless entries
#------------------------------------------------------------------------------
# FORWARD chain
#------------------------------------------------------------------------------
PF6_FORWARD_POLICY='REJECT' # be nice and use reject as policy
PF6_FORWARD_ACCEPT_DEF='yes' # use default rule set
PF6_FORWARD_LOG='yes' # 'yes' enables logging for this chain
PF6_FORWARD_LOG_LIMIT='3/minute:5'
# log 3 events per minute; allow a burst of
# 5 events
PF6_FORWARD_REJ_LIMIT='1/second:5'
# reject 1 connection per second; allow a burst
# of 5 events; otherwise drop packet
PF6_FORWARD_UDP_REJ_LIMIT='1/second:5'
# reject 1 udp packet per second; allow a burst
# of 5 events; otherwise drop packet
PF6_FORWARD_N='2' # number of FORWARD rules
PF6_FORWARD_1='tmpl:samba DROP' # drop samba traffic if it tries to leave the
# subnet
PF6_FORWARD_2='IPV6_NET_1 ACCEPT'
# accept everything else
#------------------------------------------------------------------------------
# OUTPUT chain
#------------------------------------------------------------------------------
PF6_OUTPUT_POLICY='ACCEPT' # default policy for outgoing packets
PF6_OUTPUT_ACCEPT_DEF='yes' # use default rule set
PF6_OUTPUT_LOG='yes' # 'yes' enables logging for this chain
PF6_OUTPUT_LOG_LIMIT='3/minute:5'
# log 3 events per minute; allow a burst of
# 5 events
PF6_OUTPUT_REJ_LIMIT='1/second:5'
# reject 1 connection per second; allow a burst
# of 5 events; otherwise drop packet
PF6_OUTPUT_UDP_REJ_LIMIT='1/second:5'
# reject 1 udp packet per second; allow a burst
# of 5 events; otherwise drop packet
PF6_OUTPUT_N='0' # number of OUTPUT rules
#------------------------------------------------------------------------------
# POSTROUTING chain
#------------------------------------------------------------------------------
PF6_POSTROUTING_N='1'
PF6_POSTROUTING_1='IPV6_NET_1 MASQUERADE'
# masquerade traffic leaving the subnet
#------------------------------------------------------------------------------
# PREROUTING chain
#------------------------------------------------------------------------------
PF6_PREROUTING_N='0'
PF6_PREROUTING_1='tmpl:ssh [2001:db8::1] DNAT:@client2'
# forward ssh connections coming from
# [2001:db8::1] to client2
#------------------------------------------------------------------------------
# PREROUTING_CT chain
#------------------------------------------------------------------------------
PF6_PREROUTING_CT_N='0'
PF6_PREROUTING_CT_1='tmpl:ftp any IPV6_NET_1 HELPER:ftp BIDIRECTIONAL'
# associate FTP conntrack helper for active
# FTP forwarded into or out of the LAN
#------------------------------------------------------------------------------
# OUTPUT_CT chain
#------------------------------------------------------------------------------
PF6_OUTPUT_CT_N='0'
PF6_OUTPUT_CT_1='tmpl:ftp HELPER:ftp'
# associate FTP conntrack helper for outgoing
# active FTP on the router
# (this rule is added automatically by
# the tools package if OPT_FTP='yes'
# and FTP_PF_ENABLE_ACTIVE='yes')
#------------------------------------------------------------------------------
# USER chain
#------------------------------------------------------------------------------
PF6_USR_CHAIN_N='0' # number of user-defined tables
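
Added example (not part of the original post and not fli4l project code): a small Python check that lists which numbered entries of a fli4l-style conf are covered by their `_N` counter. It assumes entries with an index above the counter are not used, as with the sample entries the stock file ships next to a counter of '0'; `parse`, `audit` and `SAMPLE_CONF` are names made up for this example.

```python
import re

# Constructed excerpt mirroring the packet filter settings in the posted conf.
SAMPLE_CONF = """\
PF6_INPUT_POLICY='REJECT'
PF6_INPUT_N='0'                  # number of INPUT rules
PF6_INPUT_1='[2022:1a:2b:154::0/10] ACCEPT'
PF6_INPUT_2='IPV6_NET_1 ACCEPT'
PF6_INPUT_3='tmpl:samba DROP NOLOG'
PF6_INPUT_3_COMMENT='no samba traffic allowed'
PF6_FORWARD_N='2'
PF6_FORWARD_1='tmpl:samba DROP'
PF6_FORWARD_2='IPV6_NET_1 ACCEPT'
PF6_POSTROUTING_N='1'
PF6_POSTROUTING_1='IPV6_NET_1 MASQUERADE'
"""

ASSIGN = re.compile(r"^\s*([A-Z][A-Z0-9_]*)='([^']*)'")  # uncommented NAME='value'
ENTRY = re.compile(r"^(.+?)_(\d+)(?:_.+)?$")             # BASE_<index>[_SUFFIX]

def parse(text):
    """Return {NAME: value}; lines starting with '#' are skipped."""
    return {m.group(1): m.group(2)
            for m in map(ASSIGN.match, text.splitlines()) if m}

def audit(conf):
    """Sort indexed entries by whether their BASE_N counter covers them.

    Assumption: an entry whose index exceeds BASE_N is not used.
    Returns (active, ignored, missing) lists of variable names.
    """
    counts = {k[:-2]: int(v) for k, v in conf.items()
              if k.endswith("_N") and v.isdigit()}
    active, ignored = [], []
    defined = {base: set() for base in counts}
    for name in conf:
        m = ENTRY.match(name)
        if m and m.group(1) in counts:
            base, idx = m.group(1), int(m.group(2))
            defined[base].add(idx)
            (active if 1 <= idx <= counts[base] else ignored).append(name)
    missing = [f"{b}_{i}" for b, n in counts.items()
               for i in range(1, n + 1) if i not in defined[b]]
    return active, ignored, missing

if __name__ == "__main__":
    for label, names in zip(("active", "ignored", "missing"),
                            audit(parse(SAMPLE_CONF))):
        print(f"{label:8} {', '.join(names) or '-'}")
```

Run against the excerpt, it reports PF6_INPUT_1 to PF6_INPUT_3 as ignored because PF6_INPUT_N is '0', so under the stated assumption the INPUT chain is governed by the policy and the default rule set alone.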