Default ip6tables rules
Michael H. Warfield
mhw at WittsEnd.com
Tue Oct 17 14:31:24 UTC 2006
On Mon, 2006-10-16 at 20:12 +0200, Dawid Gajownik wrote:
> Hi!
> My university got IPv6 addresses from RIPE a few weeks ago, so I now have
> a chance to test the IPv6 protocol :-) I started searching for IPv6-enabled
> hosts on the Internet. ping6 worked, and so did traceroute6. I could not
> connect to ftp/www sites, though. I started wireshark and noticed that
> apps do not finish the three-way handshake (no ACK packet). Disabling the
> ip6tables service resolved the problem...
> Is something wrong with my box (network rawhide installation from 13
> October) or are these normal firewall settings?
There's a conflict in there. The default IPv6 ip6tables rules are
using experimental features in the kernel which are not enabled and
which would break IPv4 NAT and MASQ (and who knows what) if they were
enabled. Basically, stateful filtering is fubared and breaks IPv6
networking if you try to use it. They need to drop back to stateless
filtering for ip6tables before the release of FC6 (unless it's slipped sooo
far back that we end up with the 2.6.20 kernel where it's expected to
work) or the whole v6 stack is blocked if you have those rules enabled.
That's why it's rawhide. :-)
> [root at viper ~]# service ip6tables status
> Tablica: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT all ::/0 ::/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 RH-Firewall-1-INPUT all ::/0 ::/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> num target prot opt source destination
> 1 ACCEPT all ::/0 ::/0
> 2 ACCEPT icmpv6 ::/0 ::/0
> 3 ACCEPT esp ::/0 ::/0
> 4 ACCEPT ah ::/0 ::/0
> 5 ACCEPT udp ::/0 ff02::fb/128 udp dpt:5353
> 6 ACCEPT udp ::/0 ::/0 udp dpt:631
> 7 ACCEPT tcp ::/0 ::/0 tcp dpt:631
> 8 ACCEPT all ::/0 ::/0 state RELATED,ESTABLISHED
> 9 ACCEPT tcp ::/0 ::/0 state NEW tcp dpt:22
> 10 DROP all ::/0 ::/0
>
> [root at viper ~]#
>
> BTW I noticed that Firefox does not try to use IPv6 addresses before
> IPv4 ones O_o
>
> Regards,
> Dawid
>
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
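The quoted RH-Firewall-1-INPUT chain only breaks because of rules 8 and 9, the two `-m state` matches that depend on IPv6 connection tracking. The script below is an added example (not code from this thread, from Fedora, or from either poster) showing what the "drop back to stateless filtering" that Mike describes looks like in practice: the same chain with the two conntrack rules replaced by TCP flag matches, so the ruleset never touches the experimental IPv6 state tracking. It assumes that rule 1 of the quoted output is the stock loopback rule (`-i lo`; `service ip6tables status` does not print the interface), and it adds one rule the original chain did not need, accepting UDP replies from a DNS resolver by source port, because a stateless filter cannot recognise UDP responses any other way. The resolver address `2001:db8::53` is a placeholder from the documentation prefix, not a real host.

```shell
#!/bin/sh
# Stateless replacement for the quoted Fedora ip6tables chain.
# Added example; every rule below is a plain packet-header match, no "-m state".

SSH_PORT=22                 # from rule 9 of the quoted chain
RESOLVER6="2001:db8::53"    # placeholder (documentation prefix); set to your resolver

# Print the ruleset, one ip6tables command per line, without running anything.
# Comments inside the here-document are harmless when the output is fed to sh.
stateless_rules() {
    cat <<EOF
ip6tables -F
ip6tables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -N RH-Firewall-1-INPUT
ip6tables -A INPUT -j RH-Firewall-1-INPUT
ip6tables -A FORWARD -j RH-Firewall-1-INPUT
# rule 1: loopback (interface assumed, the status listing does not show it)
ip6tables -A RH-Firewall-1-INPUT -i lo -j ACCEPT
# rules 2-4: ICMPv6 must pass or neighbour discovery and PMTU break; IPsec as before
ip6tables -A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p esp -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p ah -j ACCEPT
# rules 5-7: mDNS and IPP, unchanged
ip6tables -A RH-Firewall-1-INPUT -p udp -d ff02::fb/128 --dport 5353 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p udp --dport 631 -j ACCEPT
ip6tables -A RH-Firewall-1-INPUT -p tcp --dport 631 -j ACCEPT
# rule 8 stand-in: a TCP segment that is not a bare SYN is treated as part of a
# connection this host opened; this is the stateless approximation of ESTABLISHED
ip6tables -A RH-Firewall-1-INPUT -p tcp ! --syn -j ACCEPT
# rule 9 stand-in: the only connection-opening SYNs accepted are to SSH
ip6tables -A RH-Firewall-1-INPUT -p tcp --syn --dport ${SSH_PORT} -j ACCEPT
# UDP has no flags to match on, so DNS replies need a source-port rule; keeping
# it pinned to the resolver address limits the exposure that creates
ip6tables -A RH-Firewall-1-INPUT -p udp -s ${RESOLVER6} --sport 53 -j ACCEPT
# rule 10: everything else
ip6tables -A RH-Firewall-1-INPUT -j DROP
EOF
}

# Sanity check: the point of the exercise is that no rule consults conntrack.
uses_state_match() {
    stateless_rules | grep -c -- '-m state'
}

# Apply the rules (needs root); stop on the first ip6tables error.
apply_rules() {
    stateless_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    stateless_rules
fi
```

Run it without arguments to review the generated commands, and with `--apply` as root to load them. The price of going stateless is visible in the two stand-in rules: any inbound TCP segment with ACK set reaches the host whether or not a connection exists (the stack will answer with RST, but the filter no longer hides closed ports from ACK probes), and UDP replies can only be recognised by source port and address. That is acceptable as a stop-gap until the kernel's IPv6 connection tracking works, which is exactly the trade Mike is describing.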