Hurricane Electric's IPv6 Tunnel Broker Forums

IPv6 Certification Program Topics => General Discussion => Topic started by: broquea on November 20, 2008, 10:46:16 PM

Title: Software configs
Post by: broquea on November 20, 2008, 10:46:16 PM
So by default, at least on the more recent versions of Fedora, CentOS, Ubuntu and FreeBSD that I've configured, most services seem ready out of the box for IPv6, mostly in a dual-stack default way.

OpenSSH: sshd_config
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Should already be set, which makes it listen on any address configured, IPv4 or IPv6. So if you only want it available on 1 IP, set it there.

Postfix: main.cf
inet_interfaces = all
inet_protocols = all

Since I run dual-stack, the second line makes it use both IPv4 & IPv6. First line I have that way by default, but would make sense if you've terminated a tunnel on your mail server and need that interface included.

Apache: httpd.conf
Listen 80
This again has been dual-stack happy since by default it is configured to just listen on port 80 regardless of the IP. You can of course do the whole virtual-hosting, and configure like:
<VirtualHost x.x.x.x:80 [A:B:C:D::F]:80>
Where x.x.x.x is your IPv4 address and A:B:C:D::F your IPv6.

Dovecot: dovecot.conf
listen = [*]
listen = [::]

Again I run dual-stack so I want both configured. You can always lock it down to single IPs.


If anyone has more examples, please share!
Title: Icecast
Post by: kriteknetworks on November 21, 2008, 09:01:09 AM

<bind-address>::</bind-address>


will listen on all ipv4/6 interfaces by default
Optionally specific addresses can be assigned, ipv4/6
Title: Sendmail
Post by: kriteknetworks on November 21, 2008, 09:11:50 AM
in your sendmail.mc (or $HOSTNAME.mc fbsd 7.x) put the following:


dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet, Addr=xxx.xxx.xxx.xxx')dnl
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Addr=200x:xxxx:xxxx:xxxx::xxxx')dnl


rebuild sendmail.cf, backup old sendmail.cf, cp new one over, restart sendmail, lsof -itcp:25 or netstat to confirm listening on specified IPs.

NOTE: slackware linux does not enable ipv6 in sendmail, requires building from scratch. I have no experience with sendmail on other linux distros, so I don't know what support they ship sendmail with.
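The confirmation step mentioned above (lsof or netstat) can be scripted. This is an added example, not part of the original post: it parses `netstat -ltn` style output and reports listeners bound to an address that is not on an expected list. The sample output, the addresses, and the names `SAMPLE`, `EXPECTED`, `parse_listeners` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample of Linux `netstat -ltn` output (not captured from a real host).
SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::25:25         :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Constructed policy: the addresses each port is supposed to be bound to.
EXPECTED = {
    22: ["192.0.2.10", "2001:db8::22"],
    25: ["192.0.2.10", "2001:DB8:0:0:0:0:0:25"],  # any spelling of the address
    80: ["192.0.2.10"],
}

def canon(addr):
    """Canonical text form, so different spellings of one address compare equal."""
    return str(ipaddress.ip_address(addr))

def parse_listeners(text):
    """Yield (address, port) for every listening TCP socket in the output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # The port follows the last colon; this also handles ":::22" and
        # unbracketed IPv6 such as "2001:db8::25:25".
        addr, _, port = fields[3].rpartition(":")
        yield canon(addr.split("%")[0]), int(port)  # drop any %zone suffix

def audit(text, expected):
    """Return (port, address) pairs that listen somewhere the policy does not list.

    A tcp6 socket on "::" is reported as-is; on Linux it may also accept IPv4
    connections when the socket is dual-stack.
    """
    findings = []
    for addr, port in parse_listeners(text):
        if port in expected and addr not in {canon(a) for a in expected[port]}:
            findings.append((port, addr))
    return findings

if __name__ == "__main__":
    for port, addr in audit(SAMPLE, EXPECTED):
        print(f"port {port}: unexpected listener on {addr}")
```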
Title: Re: Software configs
Post by: broquea on December 02, 2008, 03:48:38 PM
BIND(9):

Here are some examples from working in-production personal stuff. These are just how I've always configured my zones from some ancient bind zone-file generating script long lost and not forgotten.

named.conf; reverse zone for /64:
zone "9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/reverse-2001-470-1-9_64.IP6.ARPA";
allow-transfer {
};
};


reverse-2001-470-1-9_64.IP6.ARPA:
$TTL 300
@ IN SOA 9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. broquea.deus-exmachina.net. (
200810210 ; Serial number (YYYYMMdd)
24h ; Refresh time
30m ; Retry time
2d ; Expire time
3d ; Default TTL (bind 8 ignores this, bind 9 needs it)
)

                                ; Name server entries
                                IN     NS     ns1.deus-exmachina.net.
; IPv6 PTR entries

; Subnet #1
$ORIGIN 9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa.

a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     master.deus-exmachina.net.
b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     deus-exmachina.net.
c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     ns1.deus-exmachina.net.
6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     onion-cafe.com.


Zonefile for one of my domains, showing AAAA examples:
$TTL 300
onion-cafe.com. IN    SOA   ns1.deus-exmachina.net. broquea.deus-exmachina.net. (
                  200810220   ;serial
                  8H       ;refresh
                  2H         ;retry
                  1W         ;expire
                  1D )

                IN NS ns1.deus-exmachina.net.
                IN NS ns2.deus-exmachina.net.
                IN MX 1 mail.onion-cafe.com.
                IN A 72.52.116.26
                IN AAAA 2001:470:1:9::26
mail            IN A 72.52.116.26
                IN AAAA 2001:470:1:9::26
www             IN A 72.52.116.26
                IN AAAA 2001:470:1:9::26


This is not the secret message.
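The nibble-reversed names in the reverse zone above are easy to get wrong by hand. This is an added example, not part of the original post, that derives the ip6.arpa zone name and the relative PTR owner names from the prefix and host addresses shown in the post. The function names are made up for illustration, and it goes slightly beyond the post by accepting any nibble-aligned prefix length.

```python
import ipaddress

def reverse_zone(prefix):
    """Return the ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen % 4:
        raise ValueError("prefix must be IPv6 and end on a 4-bit boundary")
    # One hex digit (nibble) per label, most significant digit last.
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(prefix, host):
    """Return the PTR owner name for host, relative to the prefix's zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    addr = ipaddress.ip_address(host)
    if addr not in net:
        raise ValueError(f"{host} is outside {prefix}")
    zone = reverse_zone(prefix)
    full = addr.reverse_pointer + "."      # all 32 nibbles plus ip6.arpa.
    return full[: -len(zone) - 1]          # strip ".<zone>" from the end

def ptr_records(prefix, hosts):
    """Build $ORIGIN and PTR lines for a mapping of address -> FQDN."""
    lines = [f"$ORIGIN {reverse_zone(prefix)}"]
    for host, name in hosts.items():
        lines.append(f"{ptr_owner(prefix, host)}\tIN\tPTR\t{name}")
    return lines

# Prefix, addresses and names taken from the zone files in the post.
PREFIX = "2001:470:1:9::/64"
HOSTS = {
    "2001:470:1:9::a": "master.deus-exmachina.net.",
    "2001:470:1:9::b": "deus-exmachina.net.",
    "2001:470:1:9::c": "ns1.deus-exmachina.net.",
    "2001:470:1:9::26": "onion-cafe.com.",
}

if __name__ == "__main__":
    print("\n".join(ptr_records(PREFIX, HOSTS)))
```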
Title: ProFTPD
Post by: ericj on December 02, 2008, 06:00:19 PM
/etc/proftpd/proftpd.conf
UseIPv6 on
(usually set by default)
Title: ircd-hybrid
Post by: ericj on December 02, 2008, 06:15:51 PM
/etc/ircd-hybrid/ircd.conf
listen {
        host = "0.0.0.0"; # Bind to all IPv4
        host = "::"; # Bind to all IPv6
        port = 6665 .. 6669; # Use Ports 6665 to 6669
};

Title: Privacy extensions
Post by: carrerasg on December 07, 2008, 06:15:34 PM
This enables privacy extensions on ubuntu (8.10), maybe some others too.
Add to the bottom of /etc/sysctl.conf (note the reference to the interface in the second statement)

# Fix to create temporary addresses (privacy extensions)
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
Title: Re: Software configs
Post by: wamble on October 06, 2010, 06:08:03 PM
Quote from: broquea on November 20, 2008, 10:46:16 PM
Dovecot: dovecot.conf
listen = [*]
listen = [::]


I tried this and couldn't get it to work. Looking at http://wiki.dovecot.org/MainConfig it tells me to use both on one line:

listen=*,[::]
Title: Re: Software configs
Post by: allen4names on October 06, 2010, 10:38:21 PM
Hiawatha does not bind to IPv6 addresses by default.

Binding {
    Interface = ::1
    Port = 80
}


Whereas you do not need to bind an interface for IPv4.

Binding {
    Port = 80
}


The author welcomes bug reports.

Hugo Leisink <hugo@hiawatha-webserver.org> - http://www.hiawatha-webserver.org/

Allen4names
Title: Re: Software configs
Post by: s3n on January 31, 2011, 08:14:05 AM
To make ejabberd listen on IPv4 and IPv6 interfaces, add the inet6 option.
...
{listen,
 [
   {5222, ejabberd_c2s, [
     inet6,
     {access, c2s},
     {shaper, c2s_shaper},
     ...


For nginx (also dual-stack configuration):
server {
    listen [::]:80;
    ...
Title: Re: Software configs
Post by: DOMBlogger on September 15, 2011, 07:54:35 AM
Note on the Apache config - since IPv6 addresses are readily available, I'm doing virtual hosts a wee bit differently.
Example domain.net.conf in my /etc/httpd/conf.d directory:


NameVirtualHost [2600:3c00::xx:yyyy]:80

<VirtualHost nnn.nnn.nnn.nnn:80>
ServerName www.domain.tld
DocumentRoot "/srv/domains/domain.tld/www"
ErrorLog logs/www.domain.tld.error_log
CustomLog logs/www.domain.tld.access_log combined
</VirtualHost>

<VirtualHost [2600:3c00::xx:yyyy]:80>
ServerName www.domain.tld
DocumentRoot "/srv/domains/domain.tld/www"
ErrorLog logs/www.domain.tld.error_log
CustomLog logs/www.domain.tld.access_log combined
</VirtualHost>

<VirtualHost nnn.nnn.nnn.nnn:80>
ServerName domain.tld
RewriteEngine On
RewriteRule ^(.*)$ http://www.domain.tld$1 [R]
</VirtualHost>

<VirtualHost [2600:3c00::xx:yyyy]:80>
ServerName domain.tld
RewriteEngine On
RewriteRule ^(.*)$ http://www.domain.tld$1 [R]
</VirtualHost>

<Directory "/srv/domains/domain.tld/www">
  Options FollowSymLinks
  AllowOverride All
</Directory>

<Directory "/srv/domains/domain.tld/www/junk">
  Options FollowSymLinks Indexes
  AllowOverride All
</Directory>


I probably could (and should) combine the top two into 1 and bottom two into 1.

IPv4 address is used for several domains.
IPv6 is used only for the specific domain.tld and www.domain.tld - which is why the domain specific conf file is where the NameVirtualHost for the IPv6 goes (and is actually only needed for the mod_rewrite when the non www domain is requested)

Using a unique IP for each domain.tld in IPv6 lets me use that same unique IPv6 for each domain on port 443.

I know most if not every browser that supports IPv6 also supports SNI but since SNI isn't really needed for IPv6 - I don't want to rely on the SNI support being there, so if I ever want/need to add an SSL host to that domain, it's good to already have a unique IPv6 for it.

IPv4 users - well, they might get an SSL cert mis-match, as I do not wish to be greedy with IPv4 address.

Only potential issue I see is I may need to issue kernel directive to increase number of IPv6 addresses (I think default max is 16 on RHEL/CentOS 6, I'll have to check. Increasing it isn't hard though)
Title: Re: Software configs
Post by: gaomizhe001 on October 12, 2011, 12:06:51 AM
Quote from: DOMBlogger on September 15, 2011, 07:54:35 AM