Old 03-10-2009, 12:41 PM
Timothy Murphy
 
IPv6 under Centos?

I wonder if anyone is running IPv6 under Centos-5.2?
Particularly with shorewall?

I see that shorewall6 is specifically designed for updating shorewall
to IPv6, as described in <http://www.shorewall.net/IPv6Support.html>.

Unfortunately, this explicitly requires kernel 2.6.25 or later,
and iptables 1.4.0 or later,
both of which are later than any versions I've seen on a Centos repository.

I'm wondering how safe it would be to install Fedora versions
of the required kernel and iptables?

Or is there any alternative to shorewall that is IPv6 compatible?
I don't really want to run iptables directly, unless forced to do so,
as I have found shorewall very reliable and simple to configure.


--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 03-10-2009, 01:25 PM
Robert Moskowitz
 
IPv6 under Centos?

Timothy Murphy wrote:
> I wonder if anyone is running IPv6 under Centos-5.2?
>

YES!!! On some systems it is strictly IPv6. IPv4 only on lo loopback.

> Particularly with shorewall?
>

NO!!!

> I see that shorewall6 is specifically designed for updating shorewall
> to IPv6, as described in <http://www.shorewall.net/IPv6Support.html>.
>
> Unfortunately, this explicitly requires kernel 2.6.25 or later,
> and iptables 1.4.0 or later,
> both of which are later than any versions I've seen on a Centos repository.
>

Tom was rather explicit about why we will NOT see Shorewall6 with Centos
and the 2.6.18 kernel:

"2.6.18 doesn't support stateful IPv6 firewalling at all!"


I think that says it. You want stateful IPv6 firewalling, then you will
get a newer kernel which means most likely Centos 6.0...

> I'm wondering how safe it would be to install Fedora versions
> of the required kernel and iptables?
>

I seem to recall kernel discussions here on this list and why this is a
VERY bad idea.

> Or is there any alternative to shorewall that is IPv6 compatible?
> I don't really want to run iptables directly, unless forced to do so,
> as I have found shorewall very reliable and simple to configure.
>

What I am working on is a FC9 system with shorewall6, then doing a
ip6tables -L and copying those rules that do not require stateful
firewalling...


 
Old 03-10-2009, 02:04 PM
Timothy Murphy
 
IPv6 under Centos?

Robert Moskowitz wrote:

>> I wonder if anyone is running IPv6 under Centos-5.2?

> What I am working on is a FC9 system with shorewall6, then doing a
> ip6tables -L and copying those rules that do not require stateful
> firewalling...

Thanks again for enlightening me.
You have obviously thought longer and far better than me on the subject.
Please let me - maybe everyone - know if and when you have a solution.

I'm really only playing with IPv6 to see how it works,
and can easily put off my learning until Centos-6 comes out.


--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland


 
Old 03-10-2009, 06:13 PM
Louis Lagendijk
 
IPv6 under Centos?

On Tue, 2009-03-10 at 10:25 -0400, Robert Moskowitz wrote:
> Timothy Murphy wrote:
> > I wonder if anyone is running IPv6 under Centos-5.2?
> >
>
> YES!!! On some systems it is strictly IPv6. IPv4 only on lo loopback.
>
Running IPv4 + IPv6 here....But see below...
> > Particularly with shorewall?
> >
>
> NO!!!
yes, but see below.
>
> > I see that shorewall6 is specifically designed for updating shorewall
> > to IPv6, as described in <http://www.shorewall.net/IPv6Support.html>.
> >
> > Unfortunately, this explicitly requires kernel 2.6.25 or later,
> > and iptables 1.4.0 or later,
> > both of which are later than any versions I've seen on a Centos repository.
> >
>
> Tom was rather explicit about why we will NOT see Shorewall6 with Centos
> and the 2.6.18 kernel:
>
> "2.6.18 doesn't support stateful IPv6 firewalling at all!"
>
>
> I think that says it. You want stateful IPv6 firewalling, then you will
> get a newer kernel which means most likely Centos 6.0...
> > I'm wondering how safe it would be to install Fedora versions
> > of the required kernel and iptables?
> >
>
> I seem to recall kernel discussions here on this list and why this is a
> VERY bad idea.
>
It is definitively NOT recommended. If it breaks you get to keep all the
pieces.... That being said, I really wanted to have some ipv6 firewall
on my Centos box. At first I thought of running a Fedora VM in Xen. I
ran into some issues with my Sun quad fast ethernet card. So in the end
I compiled an RPM from the stock kernel and compiled some RPMs myself
from Fedora RPMs:
iptables
iptables-ipv6
lmsensors
I am not sure that this is the complete list of kernel dependent rpms
that are needed. It can be done when you compile your own stuff, but is
definitely NOT recommended. If you want to go this route you will need a
pretty good background on compiling your own RPMs etc.

Running Fedora kernels is still more tricky: there are way too many
dependencies. Don't even try!!!!

> > Or is there any alternative to shorewall that is IPv6 compatible?
> > I don't really want to run iptables directly, unless forced to do so,
> > as I have found shorewall very reliable and simple to configure.
> >
>
> What I am working on is a FC9 system with shorewall6, then doing a
> ip6tables -L and copying those rules that do not require stateful
> firewalling...
>
If you do not use a kernel that has stateful IPv6 firewalling I would
recommend 6wall. This is a pretty old shorewall-shell derived package
that does IPv6 firewalling. The syntax should be familiar to old
shorewall users. It does however not offer macros or actions.
And you will have to write rules for incoming and outgoing traffic
separately. Something like:
ACCEPT all all tcp domain
ACCEPT all all tcp - domain


It is still probably easier to use 6wall than porting just the
shorewall6 generated ip6tables rules.

I am personally considering going back to running the firewall in a
Fedora VM now that I have a managed vlan capable switch. Simply being
able to update using yum is so much easier and more reliable.

Louis
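
Added example, not part of the original posts: one way to do the "copy only the rules that do not require stateful firewalling" step discussed above. It assumes the shorewall6-generated ruleset was dumped with ip6tables-save (reloadable, unlike ip6tables -L output); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Split an ip6tables-save dump into rules that load without connection
# tracking (as on a 2.6.18 kernel) and rules that depend on it.

# Constructed sample in ip6tables-save format (not from a real host).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Exit 0 if the rule line uses the state or conntrack match.
is_stateful() {
    case "$1" in
        *"-m state "*|*"-m conntrack "*|*"--state "*|*"--ctstate "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print what can be loaded without conntrack: table header, chain
# policies, COMMIT and every -A rule that has no state match.
stateless_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            -A*) is_stateful "$line" || printf '%s\n' "$line" ;;
            *)   printf '%s\n' "$line" ;;
        esac
    done
}

# Print the rules that were left out, for manual review.
stateful_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            -A*) if is_stateful "$line"; then printf '%s\n' "$line"; fi ;;
        esac
    done
}

echo "# loadable without conntrack:"; stateless_rules "$SAMPLE_DUMP"
echo "# need review (stateful):";     stateful_rules "$SAMPLE_DUMP"
```

The rules left out include the RELATED,ESTABLISHED accepts, so reply traffic for each kept rule has to be permitted by an explicit rule in the other direction, as in the paired 6wall rules above.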
