
Re: Default ip6tables rules



On Mon, 2006-10-16 at 20:12 +0200, Dawid Gajownik wrote:
> Hi!

> 	My University got IPv6 addresses from RIPE a few weeks ago, so I now have 
> a chance to test the IPv6 protocol :-) I started searching for IPv6-enabled 
> hosts on the Internet. ping6 worked, and so did traceroute6. I could not 
> connect to ftp/www sites, though. I started wireshark and noticed that 
> apps do not finish the three-way handshake (no ACK packet). Disabling the 
> ip6tables service resolved the problem...

> 	Is something wrong with my box (network rawhide installation from 13 
> October) or are these the normal firewall settings?

	There's a conflict in there.  The default IPv6 ip6tables rules are
using experimental features in the kernel which are not enabled and
which would break IPv4 NAT and MASQ (and who knows what) if they were
enabled.  Basically, stateful filtering is fubared and breaks the IPv6
networking if you try to use it.  They need to drop back to stateless
filtering for ip6tables before release of FC6 (unless it's slipped sooo
far back that we end up with the 2.6.20 kernel where it's expected to
work) or the whole v6 stack is blocked if you have those rules enabled.

	That's why it's rawhide.  :-)

> [root viper ~]# service ip6tables status
> Tablica: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all      ::/0                 ::/0
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all      ::/0                 ::/0
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all      ::/0                 ::/0
> 2    ACCEPT     icmpv6    ::/0                 ::/0
> 3    ACCEPT     esp      ::/0                 ::/0
> 4    ACCEPT     ah       ::/0                 ::/0
> 5    ACCEPT     udp      ::/0                 ff02::fb/128       udp dpt:5353
> 6    ACCEPT     udp      ::/0                 ::/0               udp dpt:631
> 7    ACCEPT     tcp      ::/0                 ::/0               tcp dpt:631
> 8    ACCEPT     all      ::/0                 ::/0               state RELATED,ESTABLISHED
> 9    ACCEPT     tcp      ::/0                 ::/0               state NEW tcp dpt:22
> 10   DROP       all      ::/0                 ::/0
> 
> [root viper ~]#
> 
> BTW I noticed that Firefox does not try to use IPv6 addresses before 
> IPv4 ones O_o
> 
> Regards,
> 	Dawid
> 

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

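A stateless stand-in for the two `state` rules in the quoted listing, as an added example (not Fedora's own ruleset and not code from this thread); it assumes the chain name and services shown above, that rule 1 is the loopback accept, and that the host needs to receive DNS replies over UDP.

```shell
#!/bin/sh
# Stateless ip6tables ruleset in ip6tables-restore(8) format, built to
# mirror the quoted RH-Firewall-1-INPUT chain without the "state" match.
# Assumptions: rule 1 of the listing is "-i lo" (interface column not
# shown there); SSH on 22, CUPS on 631, mDNS to ff02::fb/5353; DNS over UDP.
# The function only prints the ruleset so it can be reviewed offline;
# on a real host it would be fed to: stateless_ip6_rules | ip6tables-restore

stateless_ip6_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d ff02::fb/128 -p udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 631 -j ACCEPT
# Stand-in for "state RELATED,ESTABLISHED": a TCP segment that is not a
# bare SYN is treated as part of a connection this host opened itself.
-A RH-Firewall-1-INPUT -p tcp ! --syn -j ACCEPT
# Stand-in for "state NEW tcp dpt:22": only the opening SYN to port 22.
-A RH-Firewall-1-INPUT -p tcp --syn --dport 22 -j ACCEPT
# Without conntrack, UDP replies must be admitted by source port instead.
-A RH-Firewall-1-INPUT -p udp --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF
}
```

The trade-off a reviewer should note: `! --syn` admits any non-SYN TCP segment to any port (the kernel answers with RST for closed ports), and the `--sport 53` rule admits anything claiming to come from port 53, so this ruleset is weaker than the stateful one and is only a bridge until conntrack works for IPv6.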