diff --git a/docs/6to4.xml b/docs/6to4.xml
index c3cfd642b..70b751e02 100644
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@@ -40,13 +40,10 @@
-
- The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4
- tunneling. It does not provide any IPv6 security measures.
-
-
6to4 tunneling with Shorewall can be used to connect your IPv6 network
- to another IPv6 network over an IPv4 infrastructure.
+ to another IPv6 network over an IPv4 infrastructure. It can also allow you
+ to experiment with IPv6 even if your ISP doesn't provide IPv6
+ connectivity.
More information on Linux and IPv6 can be found in the Linux IPv6 HOWTO.
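Review bot: the removed paragraph ("The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security measures.") is the only statement in this file that a tunnel entry in /etc/shorewall/tunnels does not filter the IPv6 traffic it carries; dropping it while adding "It can also allow you to experiment with IPv6" invites a reader to bring up the tunnel with no IPv6 firewall at all. Keep the caution and point at the Shorewall6 material this patch adds, e.g. "The 6to4 tunnel feature of Shorewall only facilitates IPv6 over IPv4 tunneling; the IPv6 traffic carried by the tunnel must be filtered by Shorewall6 (see below)."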
@@ -54,8 +51,244 @@
url="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels.
+
+ Getting your Feet Wet with IPv6, by Tom Eastep
+
+ 6to4 tunnels provide a good way to introduce yourself to IPv6.
+ Shorewall6 was developed on a network whose only IPv6 connectivity was an
+ 6to4 Tunnel. What is shown in this section requires Shorewall6 4.2.4 or
+ later.
+
+
+ Configuring IPv6
+
+ I have created an init script to make the job of
+ configuring your firewall for IPv6 easier. The script is installed in
+ /etc/init.d and configures ipv6 at boot. The script works on OpenSuSE
+ 11.0 and may need modification for other distributions. On OpenSuSE, the
+ script is installed using the command 'chkconfig --add ipv6'.
+
+ At the top of the script, you will see several variables:
+
+ SIT="sit1"
+INTERFACES="eth1"
+ADDRESS=206.124.146.180
+SLA=0
+
+
+
+ SIT - The name of the tunnel device. Usually 'sit1'
+
+
+
+ INTERFACES - local interfaces that you want to configure for
+ IPv6
+
+
+
+ ADDRESS - A static IPv4 address on your firewall that you want
+ to use for the tunnel.
+
+
+
+ The identity of the first local sub-network that you want to
+ assign to the interfaces listed in INTERFACES. Normally zero
+ (0000).
+
+
+
+ Here is the file from my firewall:
+
+ SIT="sit1"
+INTERFACES="eth0 eth2"
+ADDRESS=206.124.146.180
+SLA=1
+
+ eth0 is the interface to my local network (both wired and
+ wireless). eth2 goes to my DMZ which holds a single server.
+
+
+
+ Here is the configuration after IPv6 is configured; the part it
+ bold is configured by the /etc/init.d/ipv6 script.
+
+ gateway:~ # ip -6 addr ls
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
+ inet6 2002:ce7c:92b4:1::2/64 scope global
+ valid_lft forever preferred_lft forever
+ inet6 fe80::202:e3ff:fe08:55fa/64 scope link
+ valid_lft forever preferred_lft forever
+3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
+ inet6 fe80::202:e3ff:fe08:484c/64 scope link
+ valid_lft forever preferred_lft forever
+4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
+ inet6 2002:ce7c:92b4:2::2/64 scope global
+ valid_lft forever preferred_lft forever
+ inet6 fe80::2a0:ccff:fed2:353a/64 scope link
+ valid_lft forever preferred_lft forever
+24: sit1@NONE: <NOARP,UP,LOWER_UP> mtu 1480
+ inet6 ::206.124.146.180/128 scope global
+ valid_lft forever preferred_lft forever
+ inet6 2002:ce7c:92b4::1/128 scope global
+ valid_lft forever preferred_lft forever
+gateway:~ # ip -6 route ls
+::/96 via :: dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
+2002:ce7c:92b4::1 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
+2002:ce7c:92b4:1::/64 dev eth0 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:2::/64 dev eth2 metric 256 expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth0 metric 256 expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth1 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth2 metric 256 expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev sit1 metric 256 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
+default via ::192.88.99.1 dev sit1 metric 1 expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
+gateway:~ #
+
+ You will notice that sit1, eth0 and eth2 each have an IPv6 address
+ beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
+ significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
+ ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
+ the proud owner of 280 IPv6 addresses! In the
+ case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
+ interface in INTERFACES, 264 addresses; in
+ the case of eth0, 2002:ce7c:92b4:1::/64.
+
+ I run radvd on
+ the firewall to automatically assign IPv6 addresses to hosts connected
+ to eth0 and eth1. Here is my /etc/radvd.conf
+ file:
+
+ interface eth0 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 10;
+ prefix 2002:ce7c:92b4:1::/64 {
+ AdvOnLink on;
+ AdvAutonomous on;
+ AdvRouterAddr off;
+ };
+
+ RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
+ AdvRDNSSOpen on;
+ AdvRDNSSPreference 2;
+ };
+};
+
+interface eth2 {
+ AdvSendAdvert on;
+ MinRtrAdvInterval 3;
+ MaxRtrAdvInterval 10;
+ prefix 2002:ce7c:92b4:2::/64 {
+ AdvOnLink on;
+ AdvAutonomous on;
+ AdvRouterAddr off;
+ };
+
+ RDNSS 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 {
+ AdvRDNSSOpen on;
+ AdvRDNSSPreference 2;
+ };
+};
+
+ Here is the automatic IPv6 configuration on my server attached to
+ eth2:
+
+ webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 addr ls
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
+ inet6 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4/64 scope global dynamic
+ valid_lft 2591995sec preferred_lft 604795sec
+ inet6 fe80::2a0:ccff:fedb:31c4/64 scope link
+ valid_lft forever preferred_lft forever
+webadmin@lists:~/ftpsite/contrib/IPv6> /sbin/ip -6 route ls
+2002:ce7c:92b4:2::/64 dev eth2 proto kernel metric 256 expires 2592161sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth2 metric 256 expires 20746963sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev ifb0 metric 256 expires 20746985sec mtu 1500 advmss 1440 hoplimit 4294967295
+default via fe80::2a0:ccff:fed2:353a dev eth2 proto kernel metric 1024 expires 29sec mtu 1500 advmss 1440 hoplimit 64
+webadmin@lists:~/ftpsite/contrib/IPv6>
+
+ You will note that the public IPv6 address of eth2 was formed by
+ concatenating the prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2)
+ and the lower 64 bits of the link level address of eth2
+ (2a0:ccff:fedb:31c4). The default route is described using the link
+ level address of eth2 on the firewall (fe80::2a0:ccff:fed2:353a).
+
+
+
+ Configuring Shorewall
+
+ We need to add an entry in /etc/shorewall/tunnels:
+
+ #TYPE ZONE GATEWAY GATEWAY
+# ZONE
+6to4 net
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
+ Configuring Shorewall6
+
+ The Shorewall6 configuration on my firewall is a very basic
+ three-interface one.
+
+ /etc/shorewall6/zones:
+
+ #ZONE TYPE OPTIONS IN OUT
+# OPTIONS OPTIONS
+fw firewall
+net ipv6
+loc ipv6
+dmz ipv6
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+ /etc/shorewall6/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+net sit1 detect tcpflags,forward=1,nosmurfs
+loc eth0 detect tcpflags,forward=1
+dmz eth2 detect tcpflags,forward=1
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+ /etc/shorewall6/policy:
+
+ #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
+net all DROP info
+loc net ACCEPT
+dmz net ACCEPT
+all all REJECT info
+
+ /etc/shorewall6/rules:
+
+ #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
+# PORT PORT(S) DEST LIMIT GROUP
+#
+# Accept DNS connections from the firewall to the network
+#
+DNS/ACCEPT $FW net
+#
+# Accept SSH connections from the local network for administration
+#
+SSH/ACCEPT loc $FW
+#
+# Allow Ping everywhere
+#
+Ping/ACCEPT all all
+
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+
+
+
- Connecting two IPv6 Networks
+ Connecting two IPv6 Networks, by Eric de Thouars
Suppose that we have the following situation:
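Review bot: the radvd paragraph says addresses are assigned to hosts "connected to eth0 and eth1", but the /etc/radvd.conf that follows configures eth0 and eth2, and in the ip -6 addr listing eth1 carries only a link-local address (it is the external interface); change "eth0 and eth1" to "eth0 and eth2". Further points in the same hunk: the fourth variable description lacks its label, unlike the other three, and should begin "SLA - "; "the part it bold" should read "the part in bold"; "an 6to4 Tunnel" should be "a 6to4 tunnel"; "I have created an init script" gives no location from which to obtain the script, so say where it can be downloaded; and the tunnels entry "6to4 net" leaves the GATEWAY column empty, which is worth one sentence saying that the firewall therefore accepts encapsulated IPv6 from any IPv4 peer (inherent to 6to4 relays) and that the Shorewall6 "net all DROP info" policy is what protects the hosts behind the tunnel. Minor: "the lower 64 bits of the link level address" is confusing since a MAC address is 48 bits; say the interface identifier, i.e. the low 64 bits of the link-local address fe80::2a0:ccff:fedb:31c4, which is derived from the MAC via modified EUI-64.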
@@ -63,9 +296,9 @@
We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
- accomplished through use of the /etc/shorewall/tunnels
- file and the ip
utility for network interface and routing
- configuration.
+ accomplished through use of the
+ /etc/shorewall/tunnels file and the ip
+ utility for network interface and routing configuration.
Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy,
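Review bot: this hunk is a whitespace-only rewrap of the "accomplished through use of the /etc/shorewall/tunnels file and the ip utility for network interface and routing configuration" sentence; the wording is identical before and after, so either drop the hunk to keep the diff limited to the substantive changes, or, if the rewrap is deliberate, make sure the markup around /etc/shorewall/tunnels and ip is preserved, since the rewrapped lines are the only part of the old paragraph touched.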
diff --git a/docs/images/Network2008b.dia b/docs/images/Network2008b.dia
new file mode 100644
index 000000000..fa6fd75e4
Binary files /dev/null and b/docs/images/Network2008b.dia differ
diff --git a/docs/images/Network2008b.dia~ b/docs/images/Network2008b.dia~
new file mode 100644
index 000000000..10e39e439
Binary files /dev/null and b/docs/images/Network2008b.dia~ differ
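Review bot: docs/images/Network2008b.dia~ is an editor backup of Network2008b.dia and should not be committed; remove it from this change and add "*~" to .gitignore so it does not return. Separately, neither 6to4.xml hunk shows a reference to Network2008b.png; if the image is meant to illustrate the new "Getting your Feet Wet with IPv6" section, the mediaobject that points at it should be part of this patch.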
diff --git a/docs/images/Network2008b.png b/docs/images/Network2008b.png
new file mode 100644
index 000000000..e31de7e3f
Binary files /dev/null and b/docs/images/Network2008b.png differ