Ubuntu 12.04 Precise Pangolin and IPv6 privacy addresses

The newly released Ubuntu LTS includes a very poor default configuration concerning IPv6 and privacy addresses. This feature is enabled by default, hardcoded (as it seems) in the last release of NetworkManager.

While this choice is understandable, it can’t be changed and this is unfortunate: almost no one really needs this feature and it breaks AAAA/PTR DNS mappings in well-managed networks.

How to circumvent this cleanly?

Since NetworkManager resets net/ipv6/conf/$IF/use_tempaddr during each connection attempt, sysctl alone does not suit here.

EDIT: while the fix below works, it is rather complicated. It seems that NM reads /etc/syscl.conf, but not /etc/sysctl.d/*. Therefore, you just have to comment out sysctl lines in /etc/sysctl.d/10-ipv6-privacy.conf and use them in /etc/sysctl.conf. All my thanks goes to Mathieu Trudel-Lapierre :)

I simply wrote a small executable script in /etc/network/if-up.d/no-ipv6-privacy which is called by the NetworkManager ifup plugin at each successful connection:

#!/bin/sh
sysctl -e net/ipv6/conf/wlan0/use_tempaddr=1
sysctl -e net/ipv6/conf/eth0/use_tempaddr=1

You just need to chmod +x the new script and restart NM with sudo service network-manager restart.

Want some fun with NM? On wired or wireless connection with native IPv6 connectivity, try to connect to some IPv6 enabled websites/hosts and take a look at the IPv6 routing table (ip -6 route). WTF? Every destination is present in the routing table, with a specific /128 route via the link-local address learnt by Router Advertisement… What an efficient way to fuckup a VPN setup intended to route all IP traffic through the tunnel…

You have to edit the connection profile to disable this bug: IPv6 Settings tab > Routes > Check ‘Ignore automatically obtained routes.’ and voilà!

IPv6: Test your connectivity on a remote computer via your browser

While test-ipv6.com and ipv6-test.com are great sites for testing IPv6 connectivity on your personal computer, they rely heavily on javascript code in their tests and therefore cannot be used with w3m.

This limitation is quite annoying for testing out IPv6 on your(s) server(s) while enabling IPv6 is at least as important as on any other computer.

Besides ping6, traceroute6 or other basic network tools, there is a way to effectively test IPv6 on a remote computer/server with SSH access enabled. Simply use a socks proxy, by using this command on your personal computer (not the server!):

$ ssh -ND 1080 login@server

-N Do not execute a remote command.
-D Specifies a local “dynamic” application-level port forwarding.

No remote shell session will be open since only traffic forwarding is required here. Now, edit your browser’s proxy settings and activate SOCKS 5 with host localhost port 1080. Go to test-ipv6.com and ipv6-test.com, you should see test results concerning the remote computer/server!

If you are only interested in your IPv4/IPv6 address, lv0.in/ip/ provides this information a clean fashion.

Oh and by the way: <3 IPv6

How to disable random IPv6 addresses on Windows Seven / Vista (no Privacy Extensions anymore!)

There is a lot of information about this « issue » on the web, but the following method is the only one actually effective in my case. This is very useful for setting up DNS AAAA and PTR records for IPv6 auto-configured hosts.

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Enabling SNMP on SLM2008 Cisco Small Business Switch

Cisco SLM 2008 is a very efficient layer 2 manageable gigabit ethernet switch, with decent pricing and a large range of features: VLAN, (R)STP, LACP and static link aggregation, 802.1X Authentication, IGMP Snooping, you name it. Even the integrated web interface is quite well designed and not buggy.

But one (native) feature is lacking when you want to monitor per-port network traffic : SNMP.

Here is how to enable and basically configure SNMP on SLM2008 switches.

First, download this script: ename_snmp.pl (Note for Chrome/Safari users: this file may be downloaded as enable_snmp.download, I don’t know why.)

Then there are two ways of using this script :

* remotely by directly altering the switch configuration file.

* locally by first download the switch configuration file, alter it and upload it to the switch.

There is the detail about the remote way, since I used it:

* Configure everything you need in the SLM2008 web interface, especially on the « System » page.

* Open a terminal in the directory where the script was downloaded.

* chmod +x enable_snmp.pl for making the script executable.

Then:

$ ./enable_snmp.pl 
Obtaining data from Switch: 
Administrator Username: [ admin ]: 
Administrator Password: [ admin ]: 
Current Body Checksum: 
Current Header Check Byte: 
SNMP is currently: DISABLED - WILL ENABLE
Both community strings are limited to 15 characters.
New read-only community string: [ public ]: 
New read-write community string: [ private ]: 
New Body Checksum: 
New Header Check Byte: 
End - SNMP Should be enabled.

You will have to provide the right information for , , and parameters.

Finally, use the following command from an host that has network access to the switch:

$ snmpwalk -c   -v 2c

A long output should be displayed, showing every piece of information the embedded SNMP daemon on the SLM2008 can serve.

I hope this will help.

Regards.

Credits: Cisco support forum and David Holland.

DNS recursive attacks, DoS and DDoS : iptables -m recent is your friend

Got plenty of query (cache) 'isc.org/ANY/IN' denied in your bind9 logs? Like about 1 query per second from several IPs? Want to tell them to get lost? This entry may interest you then.

No extensive writing needed here, there is the essential:

$IPT -A INPUT -i $MAIN_IF -p udp --dport 53 -m recent --set

$IPT -A INPUT -i $MAIN_IF -p udp –dport 53 -m recent –update –seconds 30 –hitcount 10 -j DROP

$IPT -A INPUT -p udp –dport 53 -j ACCEPT

I put these rules before other INPUT rules, and restarted my firewall.

Now DNS access on my public IP is limited to 10 separate queries within a 30 seconds timeframe. It seems acceptable for the moment, and DNS fsckers generally get dropped within the first 15 seconds, which is correct for me. But feel free to experiment different values according to your needs.

I hope this will help :)