How to make a website IPv6 ready?

As I understand it, making a website IPv6 ready should involve:

1) Enabling IPv6 on the Linode so the server has an IPv6 address

2) Configuring the DNS records so they have AAAA records that point to this address

3) Configuring Apache (or other web server) to listen on the IPv6 address as well

Is that all there is to it? Are there any other considerations that must be made before having a website run on IPv4/IPv6?

Thanks

9 Replies

That's pretty much it, aside from the obligatory steps 1b, 2b, and 3b: test it to make sure it works. I'd also do #3 before #2, to avoid breaking things!

Also, some applications have little quirks where they expect IP addresses to match a particular regex or be only 32 bits. It being 2012 and all, these should all be taken care of by now, but we still have stuff that depends on .htaccess. That's why testing is key.

Thanks hoopycat. I just converted one of my websites to run on dual-stacked IPv4/IPv6. Was pretty painless. :D

Total work time, 20 minutes (15 of which were spent waiting on the DNS to be updated).

Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.

> Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.

Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.

Maybe you can convince me of the importance? :wink:

Good question - made me think.

For me (and YMMV) it's because I'm lazy. Instead of taking the time to completely (or as completely as possible) lock down the OS and Apps, I take the easier route and just lock down access except for the bare minimum needed for my public facing apps.

That means I don't have to comb through my system and remove every little app/utility/library/etc that I don't absolutely need, but may be an attack vector. Instead, I concentrate completely on the security of a handful of apps that I do need the public to have access to.

So, for me, it saves time.

Of course there are many smart people that would agree with you, that firewalls are a waste of time (see Singer's "Life Without Firewalls" published way back in 2003, but still applicable in today's tech world). I'm betting they're just not as lazy as I am.

I guess the snarky answer would be "It can't hurt and it might help".

@vonskippy:

> I guess the snarky answer would be "It can't hurt and it might help".

I can't disagree with that statement.

But for me, it's a philosophical issue. I think the idea of a software firewall (for what most people use it for) is silly. If a port isn't open then no connection can be made unless the attacker has a really really cool exploit.

I only have port 80 and port 22 open, with Fail2Ban ready and waiting for failed SSH login attempts. (It's killed someone since today too :twisted: ). Maybe even port knocking could be set up on port 22 for added security.

In my case, the only advantage I can readily see to using a firewall is that a RST packet won't be sent when an attempted connection to a closed port is made. But as I write I have realised another advantage. A firewall can help if you have services that run at startup that open ports, and you stop them manually, and the system either reboots and they start again or they start again magically (which I've seen happen on Ubuntu). But with some diligence from the administrator this shouldn't be a problem either. But since realising that no one is perfect and mistakes can be made, lapses in memory, tired sysadmin, or even random bugs in the system, might as well use the firewall and forget about it.

EDIT: If you have requirements to allow/deny traffic from certain sources, then a firewall would definitely be helpful.

Mind you, I think hardware firewalls on networks are very useful since they can control the connections between networks.

@nehalem:

> Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.
>
> Maybe you can convince me of the importance? :wink:

Except with a firewall you can lock down SSH service to only a few known and trusted IPs, reducing even more the chance for hack-attack.
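The kind of IPv6 ruleset this reply and the earlier ip6tables suggestion describe, as an added example that is not part of the original thread: default-drop input, port 80 open to everyone, port 22 open only to trusted prefixes. The function name `emit_v6_rules` and the prefix in the usage note are assumptions; the ICMPv6 types kept open are a minimal set so neighbour discovery and path MTU discovery keep working.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an ip6tables-restore ruleset.
# Arguments: trusted IPv6 source prefixes allowed to reach SSH (assumed values).
emit_v6_rules() {
    # Accept only hex digits, ':' and '/', so an argument cannot smuggle
    # extra rule text into the generated ruleset.
    for src in "$@"; do
        case $src in
            ''|*[!0-9A-Fa-f:/]*) echo "bad prefix: $src" >&2; return 2 ;;
        esac
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Unlike IPv4, IPv6 breaks if ICMPv6 is dropped wholesale.
    # 1-4: error messages (2 = packet too big, needed for path MTU discovery)
    # 128: echo request; 134: router advertisement
    # 135/136: neighbour solicitation/advertisement (IPv6's replacement for ARP)
    for t in 1 2 3 4 128 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT"
    done
    # Public web port.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"
    # SSH only from the trusted prefixes; with no arguments SSH stays closed.
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' "COMMIT"
}
```

Review the output of `emit_v6_rules 2001:db8:1::/48` (a documentation prefix, used here as a placeholder) before piping it to `ip6tables-restore` as root. The IPv4 side needs its own iptables rules, since ip6tables only filters IPv6.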

It's amazing and reassuring to see a bit of IPv6 traffic in my logs presumably from clients preferring IPv6. I guess the "new" Internet is well on its way. :P

@nehalem:

> > Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.
>
> Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.
>
> Maybe you can convince me of the importance? :wink:

As far as I can see, the only advantage of a firewall on a linode is that if someone can break into your machine (broken php script, software vuln, whatever) then they may not have root access; a firewall would stop them putting a server on your machine 'cos even if they listen on port 12345 the firewall won't allow connections.

Otherwise, run "netstat -anp | grep -w LISTEN" and ensure you can account for every port you're listening on, what the software is, and what it's doing. On my linode, for example, I see named, smtpd, httpd. Similarly for udp sockets ("grep -w udp").

If you're running software that you don't need then disable it, remove it. It's more secure and it frees up memory :-)
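The "account for every port" check from the reply above, as an added example that is not part of the original thread: it reads `netstat -anp` output and prints every TCP listener and unconnected UDP socket that is not on an allowlist, covering the `tcp6`/`udp6` lines that appear once IPv6 is enabled. The function names, the allowlist format (`proto/port`) and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: netstat -anp | audit_listeners tcp/22 tcp/80 udp/53
# Prints "proto local-address pid/program" for each socket not on the allowlist.
audit_listeners() {
    awk -v allow=" $* " '
        function check(proto, laddr, prog,    port) {
            port = laddr
            sub(/.*:/, "", port)          # text after the last colon is the port
            if (index(allow, " " proto "/" port " ") == 0)
                printf "%s %s %s\n", $1, laddr, prog
        }
        # TCP and TCP6 sockets in LISTEN state; program is column 7.
        $1 ~ /^tcp/ && $6 == "LISTEN"     { check("tcp", $4, $7) }
        # UDP has no LISTEN state: an unconnected socket shows a wildcard
        # foreign address and an empty state column, so program is column 6.
        $1 ~ /^udp/ && $5 ~ /:\*$/        { check("udp", $4, $6) }
    '
}

# Constructed sample of `netstat -anp` output for a dual-stack box.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address      State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*            LISTEN      812/sshd
tcp6       0      0 :::22             :::*                 LISTEN      812/sshd
tcp6       0      0 :::80             :::*                 LISTEN      1033/apache2
tcp6       0      0 :::12345          :::*                 LISTEN      4410/perl
tcp        0      0 203.0.113.5:22    198.51.100.7:51514   ESTABLISHED 2201/sshd
udp6       0      0 :::53             :::*                             731/named
EOF
}
```

Run it as root so netstat can show the owning program; an empty result means every listening socket is accounted for.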
