Linode Community Forums

Posted: Sun Mar 04, 2012 10:42 am
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
As I understand it, making a website IPv6 ready should involve:

1) Enabling IPv6 on the Linode so the server has an IPv6 address
2) Configuring the DNS records so they have AAAA records that point to this address
3) Configuring Apache (or other web server) to listen on the IPv6 address as well

Is that all there is to it? Are there any other considerations that must be made before having a website run on IPv4/IPv6?

Thanks

_________________
If all else fails, reboot...
PHP Tutorials and MySQL Tutorials


Posted: Sun Mar 04, 2012 11:48 am
Senior Member
Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
That's pretty much it, aside from the obligatory steps 1b, 2b, and 3b: test it to make sure it works. I'd also do #3 before #2, to avoid breaking things!

Also, some applications have little quirks where they expect IP addresses to match a particular regex or be only 32 bits. It being 2012 and all, these should all be taken care of by now, but we still have stuff that depends on .htaccess. That's why testing is key.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Sun Mar 04, 2012 2:28 pm
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
Thanks hoopycat. I just converted one of my websites to run on dual-stacked IPv4/IPv6. Was pretty painless. :D

Total work time, 20 minutes (15 of which were spent waiting on the DNS to be updated).

Posted: Sun Mar 04, 2012 3:30 pm
Senior Member
Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.


Posted: Sun Mar 04, 2012 4:12 pm
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
Quote:
Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.


Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.

Maybe you can convince me of the importance? :wink:

Posted: Sun Mar 04, 2012 4:40 pm
Senior Member
Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Good question - made me think.

For me (and YMMV) it's because I'm lazy. Instead of taking the time to completely (or as completely as possible) lock down the OS and Apps, I take the easier route and just lock down access except for the bare minimum needed for my public facing apps.

That means I don't have to comb thru my system and remove every little app/utility/library/etc that I don't absolutely need, but may be an attack vector. Instead, I concentrate completely on the security of a handful of apps that I do need the public to have access to.

So, for me, it saves time.

Of course there are many smart people that would agree with you, that firewalls are a waste of time (see Singer's "Life Without Firewalls" published way back in 2003, but still applicable in today's tech world). I'm betting they're just not as lazy as I am.

I guess the snarky answer would be "It can't hurt and it might help".


Posted: Sun Mar 04, 2012 5:32 pm
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
vonskippy wrote:
I guess the snarky answer would be "It can't hurt and it might help".


I can't disagree with that statement.

But for me, it's a philosophical issue. I think the idea of a software firewall (for what most people use it for) is silly. If a port isn't open then no connection can be made unless the attacker has a really really cool exploit.

I only have port 80 and port 22 open, with Fail2Ban ready and waiting for failed SSH login attempts. (It's killed someone since today too :twisted: ). Maybe even port knocking could be set up on port 22 for added security.

In my case, the only advantage I can readily see to using a firewall is that a RST packet won't be sent when an attempted connection to a closed port is made. But as I write I have realised another advantage. A firewall can help if you have services that run at startup that open ports, and you stop them manually, and the system either reboots and they start again or they start again magically (which I've seen happen on Ubuntu). But with some diligence from the administrator this shouldn't be a problem either. But since realising that no one is perfect and mistakes can be made, lapses in memory, tired sysadmin, or even random bugs in the system, might as well use the firewall and forget about it.

EDIT: If you have requirements to allow/deny traffic from certain sources, then a firewall would definitely be helpful.

Mind you, I think hardware firewalls on networks are very useful since they can control the connections between networks.

Posted: Mon Mar 05, 2012 3:15 am
Senior Member
Joined: Tue Mar 17, 2009 5:11 am
Posts: 129
Location: UK
nehalem wrote:

Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.

Maybe you can convince me of the importance? :wink:


Except with a firewall you can lock down SSH service to only a few known and trusted IPs, reducing even more the chance for hack-attack.
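
An added example, not part of the thread or any poster's configuration: a shell function that prints an ip6tables-restore ruleset for the setup discussed above, with port 80 public and port 22 limited to trusted sources. The function name and the 2001:db8:1234::/48 prefix (documentation address space) are assumptions. Unlike IPv4, the ruleset has to admit ICMPv6, because neighbor discovery and path-MTU discovery depend on it.

```shell
#!/bin/sh
# Added example: emit an ip6tables-restore ruleset for a dual-stack web host.
# Usage: gen_ip6_rules "<trusted SSH prefixes>" "<public TCP ports>"
# The prefix and ports used below are constructed placeholders.
gen_ip6_rules() {
    ssh_sources=$1
    public_ports=$2

    # Default-deny inbound; allow loopback and replies to our own traffic.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF

    # ICMPv6 errors (types 1-4, including Packet Too Big) and echo (128-129).
    for t in 1 2 3 4 128 129; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbor discovery (133-136) is on-link only: genuine packets arrive
    # with hop limit 255, so anything routed to us is rejected by the match.
    for t in 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # SSH only from the trusted prefixes.
    for src in $ssh_sources; do
        printf '%s\n' "-A INPUT -s $src -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Services open to everyone.
    for port in $public_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Print the ruleset for review; as root it can be loaded with
#   gen_ip6_rules "2001:db8:1234::/48" "80" | ip6tables-restore
gen_ip6_rules "2001:db8:1234::/48" "80"
```

Keep an existing SSH session open while loading the rules, so a wrong prefix does not lock you out.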


Posted: Mon Mar 05, 2012 8:21 am
Senior Member
Joined: Fri Jan 20, 2012 11:19 am
Posts: 100
It's amazing and reassuring to see a bit of IPv6 traffic in my logs presumably from clients preferring IPv6. I guess the "new" Internet is well on its way. :P

Posted: Mon Mar 05, 2012 11:13 pm
Senior Member
Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
nehalem wrote:
Quote:
Might want to throw in a few IP6TABLES rules so that your box isn't wide open and flapping in the breeze.


Strangely enough, I never use iptables or any other firewall for that matter. I've never been convinced of the importance of a firewall when I'm the one who has opened the ports that are open.

Maybe you can convince me of the importance? :wink:

As far as I can see, the only advantage of a firewall on a linode is that if someone _can_ break into your machine (broken php script, software vuln, whatever) then they may not have root access; a firewall would stop them putting a _server_ on your machine 'cos even if they listen on port 12345 the firewall won't allow connections.

Otherwise, run "netstat -anp | grep -w LISTEN" and ensure you can account for every port you're listening on, what the software is, and what it's doing. On my linode, for example, I see named, smtpd, httpd. Similarly for udp sockets ("grep -w udp").

If you're running software that you don't need then disable it, remove it. It's more secure _and_ it frees up memory :-)

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
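
An added example, not part of the thread: the netstat check described in the post above, turned into a repeatable audit that compares listening sockets against an allow-list. It goes slightly beyond the post by handling tcp6/udp6 lines and ignoring loopback-only sockets; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an allow-list.
# Reads `netstat -anp` output on stdin; $1 is a space-separated list of
# allowed proto/port pairs, e.g. "tcp/22 tcp/80". Exit status 1 = findings.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # TCP listeners, plus unconnected UDP sockets (these have no State column).
    ($1 ~ /^tcp6?$/ && $6 == "LISTEN") || ($1 ~ /^udp6?$/ && $5 ~ /:\*$/) {
        proto = $1; sub(/6$/, "", proto)       # tcp6 -> tcp, udp6 -> udp
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        # Loopback-only sockets are not reachable from the network.
        if (addr ~ /^127\./ || addr == "::1") next
        key = proto "/" port
        if (!(key in ok)) {
            printf "UNEXPECTED %s %s port %s (%s)\n", $1, addr, port, $NF
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample output (not from the thread). On a live host run:
#   netstat -anp | audit_listeners "tcp/22 tcp/80"
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN      812/sshd
tcp6       0      0 :::22            :::*               LISTEN      812/sshd
tcp6       0      0 :::80            :::*               LISTEN      1033/apache2
tcp        0      0 127.0.0.1:3306   0.0.0.0:*          LISTEN      901/mysqld
tcp6       0      0 :::12345         :::*               LISTEN      4242/perl
udp        0      0 0.0.0.0:68       0.0.0.0:*                      640/dhclient
tcp        0     36 192.0.2.10:22    198.51.100.7:51514 ESTABLISHED 2201/sshd
EOF
}

sample_netstat | audit_listeners "tcp/22 tcp/80" || echo "review the sockets listed above"
```

Run from cron, a non-zero exit status catches the case raised earlier in the thread where a stopped service comes back after a reboot.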

