Small office IPv6 manual with FreeBSD (Part 1)

Nobuyo Hiratsuka
engineer, Orangesoft

This two-part series walks through the actual process of IPv6-enabling a Web server, a name server and a mail server for a relatively small office network.
  • Web server
    We will use Apache 2, which is widely used for IPv6-enabled Web servers. Apache has supported IPv6 since version 2.0, so if you are still running Apache 1.x, this IPv6 migration is a good moment to upgrade to Apache 2.

  • DNS
    We will use BIND 9 and set it up to serve over IPv6 as well. Because our example network already runs IPv4, the name service does not have to rely on IPv6 transport: BIND 8 can already serve AAAA records over IPv4, and that is enough if all your clients behave like Windows XP, which queries DNS over IPv4 and then attempts an IPv6 connection when AAAA records come back. Still, I recommend moving the name service itself to IPv6 in preparation for the future.

  • Mail server
    We will use Sendmail as the MTA. Sendmail has supported IPv6 since version 8.10; here I use Sendmail 8.12.10 as shipped with the OS. For IMAP and POP3 over both IPv6 and IPv4 I will install Cyrus IMAPD, which has supported IPv6 since version 2. Most mail clients speak IMAP4, so you may want to try that as well.

Basic server configuration

We will use FreeBSD 5.2.1-RELEASE as the server OS and assume that the basic OS installation has already been completed. The server programs we need are the ones listed above.
Network configuration

Our network has the following configuration and IP addressing (figure 1).
  • IPv6 network
    External service segment 2001:218:44f:100::/64
    Internal segment 2001:218:44f:200::/64
  • IPv4 network
    External service segment 172.16.100.0/24
    (replace this with your appropriate global IPv4 address)
    Internal segment: use private IPv4 addressing
    Internet and external segment accesses go through NAT at the router.
  • IPv6/IPv4 dual stack router
    link-local IPv6 address for external service segment fe80::2a0:deff:fe0b:baba
  • Existing IPv4 DNS server
    Host name dns1.example.org
    IPv4 address 172.16.100.10
  • The new server to be set up
    Host name kuri.example.org
    IPv6 address 2001:218:44f:100::1025 (manually configured)
    IPv4 address 172.16.100.120
Figure 1: Our example network configuration


Preparing for security patches

The first thing to do after installation is to apply the security patches. The procedure is the same as for an ordinary IPv4-only installation, so if you have experience building IPv4 servers you can skip this section and go to “IPv6 address configuration”.

All operations from here on are performed with root privilege. If you installed the source code during the install, /usr/src/ should look like this:

# ls /usr/src
COPYRIGHT UPDATING games libexec sys
MAINTAINERS bin gnu release tools
Makefile contrib include sbin usr.bin
Makefile.inc1 crypto kerberos5 secure usr.sbin
README etc lib share

If any of these are missing, insert the install CD-ROM and run the following to install the source code:

# mount /cdrom
# cd /cdrom/src
# ./install.sh all

If you prefer sysinstall, choose the following menu items:

# /stand/sysinstall
Configure          Do post-install configuration of FreeBSD
 -> Distributions  Install additional distribution sets
   -> [X] src      Sources for everything   <-- press the space bar to tick the box
     -> All        Select all of the below


Press [Tab] to move the cursor to [OK] and press [Enter]; the source code is installed under /usr/src.


Using Ports Collection

To install applications and tools on FreeBSD you can use pre-compiled binaries (Packages) or the Ports Collection, in addition to building from the original source.

We will use Ports to install the server applications. Fetch the latest Ports Collection and unpack it under /usr/ports:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz
# zcat ports.tar.gz | ( cd /usr ; tar xvf - )

Note that nothing in these two commands verifies the tarball: it arrives over plain FTP and, unlike the security patches below, carries no PGP signature, so you are trusting the mirror here.

Installing GnuPG

Skip to the next section if GnuPG is already installed. We install GnuPG from Ports so that we can verify the signatures on the security patches.

# cd /usr/ports/security/gnupg
# make >& make.log & tail -f make.log
# make install >& install.log & tail -f install.log

The redirections above are csh syntax (root's default shell on FreeBSD); each make runs in the background while tail follows its log, so press Ctrl-C once the build has finished. If you use sh, write the logging like this instead:

# make > make.log 2>&1 & tail -f make.log
# make install > install.log 2>&1 & tail -f install.log

Download the FreeBSD Security Officer's PGP public key. Check the key's URL, and the fingerprint published alongside it, at http://www.freebsd.org/security/ before you download:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc


Import the downloaded key. Then compare the fingerprint gpg shows for the imported key (gpg --fingerprint) with the one published on the security page: the key arrived over plain FTP, and every signature check that follows is only as trustworthy as that comparison.

# gpg --import public_key.asc


Applying the security patches

Check the latest security advisories at http://www.freebsd.org/security/ and download the patches.

As of the end of April 2004, the following four security advisories have been issued since FreeBSD 5.2.1-RELEASE, which we installed for this project.
  • FreeBSD-SA-04:07.cvs
  • FreeBSD-SA-04:06.ipv6
  • FreeBSD-SA-04:05.openssl
  • FreeBSD-SA-04:04.tcp
Each advisory links to the patch file and gives installation instructions. Download the patches and verify their PGP signatures to confirm that the contents have not been altered.

Put each patch file (xxxx.patch) and its signature file (xxxx.patch.asc) in the same directory and check the signature as follows (gpg treats a file ending in .asc as a detached signature over the file of the same name without the suffix):

# gpg xxxx.patch.asc

If verification succeeds you will see a “Good signature” message. For the FreeBSD-SA-04:06.ipv6 patch, for example:
# gpg ipv6.patch.asc
gpg: Signature made Mon Mar 29 22:27:15 2004 JST using DSA key ID CA6CDFB2
gpg: Good signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
“Good signature” means the patch matches a signature made by the key in your keyring with ID CA6CDFB2; that is only meaningful if you compared that key's fingerprint with the published one when you imported it (if you did not, gpg also warns that the key is not certified, and a bogus key someone got you to import would produce a “Good signature” just the same). If even one bit of the patch file differs you will see “BAD signature”. Do not apply such a file: download it again after a while, or after checking whether other people are seeing the same problem.
# gpg nise.patch.asc
gpg: Signature made Mon Mar 29 22:27:15 2004 JST using DSA key ID CA6CDFB2
gpg: BAD signature from "FreeBSD Security Officer <security-officer@FreeBSD.org>"
Once the signatures check out, apply the patches to the source tree:

# cd /usr/src
# patch < tcp52.patch
# patch < openssl.patch
# patch < ipv6.patch
# patch < cvs.patch
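The verify-then-apply procedure above, as an added example (not code from the article or from FreeBSD). It runs the same gpg verification, but reads gpg's machine-readable status lines (--status-fd) instead of the human-readable “Good signature” text, and refuses a patch unless the signature is valid and was made by a key whose fingerprint you have pinned. The PINNED_FPR value, the sample status lines and the patch/srcdir arguments are placeholders and constructed data, not values from the page:

```python
"""Verify a detached PGP signature on a patch and pin the signer's fingerprint.

Added example (not from the article): runs the same gpg verification the
article does, but decides from gpg's --status-fd output and only accepts a
patch whose signature is VALIDSIG from the pinned key. "Good signature"
(GOODSIG) alone is printed for *any* key in the keyring, including one an
attacker tricked you into importing.
"""
import subprocess

# Placeholder (assumption): replace with the fingerprint published on
# http://www.freebsd.org/security/ after comparing it with `gpg --fingerprint`.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed samples of gpg --status-fd output. The key ID is the one shown
# in the article's output; the fingerprint is the placeholder above.
SAMPLE_STATUS_GOOD = [
    "[GNUPG:] GOODSIG CA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-03-29 "
    "1080566835 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED",
]
SAMPLE_STATUS_BAD = [
    "[GNUPG:] BADSIG CA6CDFB2 FreeBSD Security Officer <security-officer@FreeBSD.org>",
]


def classify(status_lines, pinned_fpr):
    """Return (accept, reason) for a list of gpg status lines."""
    good, valid_fpr = False, None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "BADSIG":
            return False, "BAD signature: patch altered, or signed by another key"
        if tag == "ERRSIG":
            return False, "signature could not be checked (public key missing?)"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            valid_fpr = fields[2].upper()      # primary fingerprint of the signer
    if not (good and valid_fpr):
        return False, "no valid signature found"
    if valid_fpr != pinned_fpr.upper():
        return False, "signed by unexpected key " + valid_fpr
    return True, "valid signature from pinned key " + valid_fpr


def verify_patch(patch_file, pinned_fpr=PINNED_FPR):
    """Run gpg on <patch_file>.asc, the detached signature next to the patch."""
    sig_file = str(patch_file) + ".asc"
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_file, str(patch_file)],
        capture_output=True, text=True)
    accept, reason = classify(proc.stdout.splitlines(), pinned_fpr)
    return accept and proc.returncode == 0, reason


def apply_patch(patch_file, srcdir="/usr/src"):
    """Apply the patch to the source tree, but only after verify_patch accepts it."""
    accept, reason = verify_patch(patch_file)
    print(f"{patch_file}: {reason}")
    if not accept:
        return False
    with open(patch_file) as fh:
        return subprocess.run(["patch"], cwd=srcdir, stdin=fh).returncode == 0


if __name__ == "__main__":
    import sys
    # e.g.  python3 verify_patch.py tcp52.patch openssl.patch ipv6.patch cvs.patch
    # all() stops at the first patch that fails, so nothing after it is applied.
    sys.exit(0 if all(apply_patch(p) for p in sys.argv[1:]) else 1)
```

The design choice is that the decision rests on VALIDSIG plus the pinned fingerprint, not on the presence of GOODSIG or on gpg's exit status alone; the exit status is only an additional sanity check.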

After applying all the patches, rebuild the kernel and userland and reboot. The procedure is as follows; the comments at the top of /usr/src/Makefile describe the same steps.

# make clean
# make buildworld
# make buildkernel
# make installkernel
# reboot

After the reboot, run mergemaster to update the configuration files, install the new userland, and reboot again (/usr/src/Makefile recommends doing the installworld step in single-user mode):

# mergemaster -p
# make installworld
# mergemaster
# reboot

IPv6 address configuration

If the server does not yet have an IPv6 address, configure it now. Network configuration and the OS daemons (services) are controlled from /etc/rc.conf.

The defaults live in /etc/defaults/rc.conf. To change a setting, copy the relevant line from /etc/defaults/rc.conf into /etc/rc.conf and edit it there. To enable IPv6 and set the address, add the following lines. Since we are building servers, we assign a fixed address that is easy to type and remember. Note that a host that is not configured as an IPv6 gateway also accepts router advertisements on the link, so after the reboot check that ifconfig shows only the addresses you expect; an unexpected autoconfigured address means some router (possibly a rogue one) is advertising a prefix on that segment.


ipv6_enable="YES"
ipv6_defaultrouter="fe80::2a0:deff:fe0b:baba%fxp0"
ipv6_ifconfig_fxp0="2001:218:44f:100::1025 prefixlen 64"
Add the following line to /etc/hosts:

2001:218:44f:100::1025 kuri.example.org kuri

IPv6 is enabled after a reboot. Confirm it with ifconfig:
# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.100.120 netmask 0xffffff00 broadcast 172.16.100.255
        inet6 fe80::20c:6eff:fe78:bea%fxp0 prefixlen 64 scopeid 0x1
        inet6 2001:218:44f:100::1025 prefixlen 64
        ether 00:0c:6e:78:0b:ea
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2

hosts.allow setting


The TCP wrapper (TCP Wrappers, libwrap) restricts access to the daemons that honor it: those linked against libwrap, such as sshd and Sendmail in the FreeBSD base system, and anything started from inetd. It does not cover daemons such as Apache or BIND, which have their own access controls, and it is no substitute for a packet filter. Its default configuration allows connections from anywhere. Change /etc/hosts.allow as below so that everything not explicitly allowed is refused. Rules are evaluated top to bottom and the first match wins, so the sendmail rule, which must accept mail from anywhere because this is a public mail server, has to come before the final catch-all that rejects everything else:
ALL : 172.16.100.0/255.255.255.0 : allow
ALL : localhost 127.0.0.1 [::1] : allow
ALL : [fe80::%fxp0]/10 : allow
ALL : [2001:218:44f:100::]/64 : allow
ALL : [2001:218:44f:200::]/64 : allow
sendmail : ALL : allow
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."
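To see which rule a given connection would hit before the new file is put in place, here is a small first-match evaluator for the rules above, as an added example (not code from the article, and not FreeBSD's libwrap). It handles only the subset of hosts.allow syntax those rules use; the sample connections at the bottom are constructed, and 2001:db8::/32 is the documentation prefix standing in for an arbitrary outside host:

```python
"""First-match evaluation of the hosts.allow rules from the article.

Added example, not from the article and not libwrap itself. Supports the
subset of hosts.allow syntax the rules use: daemon list, IPv4
address/netmask, bracketed IPv6 literal with optional /prefixlen and %scope,
'localhost', 'ALL', and allow/deny/twist options, with libwrap's
first-matching-rule-wins semantics.
"""
import ipaddress

# The rules from the article, embedded so the example runs stand-alone.
HOSTS_ALLOW = """\
ALL : 172.16.100.0/255.255.255.0 : allow
ALL : localhost 127.0.0.1 [::1] : allow
ALL : [fe80::%fxp0]/10 : allow
ALL : [2001:218:44f:100::]/64 : allow
ALL : [2001:218:44f:200::]/64 : allow
sendmail : ALL : allow
ALL : ALL \\
        : severity auth.info \\
        : twist /bin/echo "You are not welcome to use %d from %h."
"""


def split_fields(line):
    """Split a rule on ':' outside [...]; IPv6 literals contain colons."""
    fields, cur, depth = [], [], 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def client_matcher(pattern):
    """Return a predicate over ipaddress objects for one client pattern."""
    if pattern == "ALL":
        return lambda a: True
    if pattern == "localhost":
        # Simplification: libwrap compares the resolved host name; here the
        # pattern matches any loopback address.
        return lambda a: a.is_loopback
    if pattern.startswith("["):                        # [v6addr] or [v6prefix]/len
        close = pattern.index("]")
        literal = pattern[1:close].split("%", 1)[0]    # drop the '%fxp0' scope id
        rest = pattern[close + 1:]
        if rest.startswith("/"):
            net = ipaddress.ip_network(literal + rest, strict=False)
            return lambda a: a in net
        addr = ipaddress.ip_address(literal)
        return lambda a: a == addr
    if "/" in pattern:                                 # IPv4 address/netmask form
        net = ipaddress.ip_network(pattern, strict=False)
        return lambda a: a in net
    addr = ipaddress.ip_address(pattern)
    return lambda a: a == addr


def parse_rules(text):
    """Parse hosts.allow text into (daemons, matchers, action, source) tuples."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        daemons = fields[0].split()
        matchers = [client_matcher(p) for p in fields[1].split()]
        options = fields[2:]
        # 'deny' and 'twist' both refuse the real service; an explicit 'allow'
        # or no option at all accepts the connection.
        action = "deny" if any(o == "deny" or o.startswith("twist")
                               for o in options) else "allow"
        rules.append((daemons, matchers, action, line))
    return rules


def decide(rules, daemon, client_ip):
    """First matching rule wins, as in libwrap. Returns (action, rule_text)."""
    addr = ipaddress.ip_address(client_ip)
    for daemons, matchers, action, text in rules:
        if ("ALL" in daemons or daemon in daemons) and any(m(addr) for m in matchers):
            return action, text
    return "allow", "(no rule matched)"


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    # Constructed sample connections (2001:db8::/32 is the documentation prefix).
    for daemon, ip in [("sshd", "172.16.100.10"), ("sshd", "::1"),
                       ("sshd", "fe80::1"), ("named", "2001:218:44f:200::5"),
                       ("sendmail", "2001:db8::1"), ("sshd", "2001:db8::1")]:
        action, text = decide(rules, daemon, ip)
        print(f"{daemon:9} from {ip:24} -> {action:5} via: {text}")
```

Running it shows an outside host reaching sendmail being allowed by the sixth rule while the same host reaching sshd falls through to the twist rule; move the sendmail line below the catch-all and mail from outside is refused, which is the ordering point made above.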

