[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Default ip6tables rules



On Wed, 2006-10-18 at 09:48 -0400, Chris Lumens wrote:
> > 	There's a conflict in there.  The default IPv6 ip6tables rules are
> > using experimental features in the kernel which are not enabled and
> > which would break IPv4 NAT and MASQ (and who knows what) if they were
> > enabled.  Basically, stateful filtering is fubared and breaks the IPv6
> > networking if you try to use it.  They need to drop back to stateless
> > filtering for ip6tables before release of FC6 (unless it's slipped sooo
> > far back that we end up with the 2.6.20 kernel where it's expected to
> > work) or the whole v6 stack is blocked if you have those rules enabled.

> I have committed a fix to s-c-securitylevel to set up stateless rules
> for what you select in the UI, and this fix has made its way into the
> FC6 trees.  So this should be fixed up for the final release.

> In the future if you have problems with how the default firewall is set
> up, please file a bug against system-config-securitylevel and I will fix
> it.  Just leaving things in email makes the big assumption that I will
> read everything, and there's way too much mail for that.  Thanks.

	Sorry.  Problem was that it was filed in bugzilla a while back but,
initially, under iptables and then redirected to the kernel guys who
threw their hands up saying, "well, it's experimental and not enabled".
Bug is still open, AFAIK.

	https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=209945

	I guess the finger pointing stopped at that point and everyone dropped
the ball.  It wasn't clear (to me at least) that should have been
against s-c-securitylevel, or that I needed to file another bugzilla
filing, and there's been discussion on the lists and in bugzilla about
it.  Caught me by surprise when the fix was announced and the package
the fix was announced in.

	From the last message in Bugzilla on that bug:


> Noted, and thank you for the amplifying information.  At least we now know:
> 
> a) why IPv6 netfilter state matching doesn't work on as-delivered Fedora;
> b) what we need to do to make IPv6 netfilter state matching work;
> c) what some of the side effects are.
> 
> Prior to now, all we had was an apparent nonfunctioning IPv6 stack when 
> the default Fedora ip6tables rules were activated.
> 
> Jay 

	What wasn't said there was where those default rules lived and who
should own the immediate problem.

> - Chris

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw WittsEnd com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]