05-29-2008, 11:23 AM
Robert Moskowitz
Learning some sad things about the state of IPv6

We have kernel support for IPv6 in Centos, but not stateful firewall
support.


That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
some other Linux distro.


None of the various free Linux firewalls have IPv6 support. Supposedly
FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be
the extent of it.


More sad facts as I uncover them.....


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
05-30-2008, 03:43 AM
Christopher Chan
Learning some sad things about the state of IPv6

Robert Moskowitz wrote:
> We have kernel support for IPv6 in Centos, but not stateful firewall
> support.
>
> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
> some other Linux distro.
>
> None of the various free Linux firewalls have IPv6 support. Supposedly
> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be
> the extent of it.
>
> More sad facts as I uncover them.....

Just use openbsd. We cannot expect Linux to rule everything. Use what
best fits the job.

 
05-30-2008, 03:53 AM
Matt Shields
Learning some sad things about the state of IPv6

On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
<christopher@ias.com.hk> wrote:
> Robert Moskowitz wrote:
>>
>> We have kernel support for IPv6 in Centos, but not stateful firewall
>> support.
>>
>> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
>> some other Linux distro.
>>
>> None of the various free Linux firewalls have IPv6 support. Supposedly
>> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be the
>> extent of it.
>>
>> More sad facts as I uncover them.....
>
> Just use openbsd. We cannot expect Linux to rule everything. Use what best
> fits the job.

Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables. I
haven't used it, but I'm assuming that you can build rules just like
you do with iptables.

--
-matt
 
05-30-2008, 03:57 AM
Rob Townley
Learning some sad things about the state of IPv6

On Thu, May 29, 2008 at 10:53 PM, Matt Shields <mattboston@gmail.com> wrote:
> On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
> <christopher@ias.com.hk> wrote:
>> Robert Moskowitz wrote:
>>>
>>> We have kernel support for IPv6 in Centos, but not stateful firewall
>>> support.
>>>
>>> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
>>> some other Linux distro.
>>>
>>> None of the various free Linux firewalls have IPv6 support. Supposedly
>>> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be the
>>> extent of it.
>>>
>>> More sad facts as I uncover them.....
>>
>> Just use openbsd. We cannot expect Linux to rule everything. Use what best
>> fits the job.
>
> Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables. I
> haven't used it, but I'm assuming that you can build rules just like
> you do with iptables.
>
> --
> -matt

My dd-wrt web page has an IPv6 checkbox, but don't know what it does. I am shunning IPv6 because securing the private side of a NAT is hard enough. Securing IPv6 seems much much much tougher.

 
05-30-2008, 04:13 AM
Christopher Chan
Learning some sad things about the state of IPv6

Matt Shields wrote:
> On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
> <christopher@ias.com.hk> wrote:
>> Robert Moskowitz wrote:
>>> We have kernel support for IPv6 in Centos, but not stateful firewall
>>> support.
>
> Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables. I
> haven't used it, but I'm assuming that you can build rules just like
> you do with iptables.

The OP is not saying there is no ipv6 netfilter support. He said that
there is no ipv6 state netfilter module or something like that.

 
05-30-2008, 10:23 AM
Karanbir Singh
Learning some sad things about the state of IPv6

Christopher Chan wrote:
> The OP is not saying there is no ipv6 netfilter support. He said that
> there is no ipv6 state netfilter module or something like that.

In which case either you don't know what the OP is talking about, or he
doesn't know what he asked

------------------
[root@panic ~]# ip6tables -nL | wc -l
124
[root@panic ~]# hostname
panic.karan.org
[root@panic ~]# lsof -i | grep IPv6 | wc -l
561
[root@panic ~]# ip a l | grep net6
inet6 ::1/128 scope host
inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
inet6 2001:4830:1600:13c::2/64 scope global
inet6 fe80::4224:e704/128 scope link
[root@panic ~]# uname -r
2.6.18-53.1.14.el5
-----------

- K"Natively running ipv6 for a few years now"B
--
Karanbir Singh : http://www.karan.org/ : 2522219@icq
 
05-30-2008, 12:49 PM
Les Mikesell
Learning some sad things about the state of IPv6

Karanbir Singh wrote:
> Christopher Chan wrote:
>> The OP is not saying there is no ipv6 netfilter support. He said that
>> there is no ipv6 state netfilter module or something like that.
>
> In which case either you don't know what the OP is talking about, or he
> doesn't know what he asked
>
> ------------------
> [root@panic ~]# ip6tables -nL | wc -l
> 124
> [root@panic ~]# hostname
> panic.karan.org
> [root@panic ~]# lsof -i | grep IPv6 | wc -l
> 561
> [root@panic ~]# ip a l | grep net6
> inet6 ::1/128 scope host
> inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
> inet6 2001:4830:1600:13c::2/64 scope global
> inet6 fe80::4224:e704/128 scope link
> [root@panic ~]# uname -r
> 2.6.18-53.1.14.el5
> -----------
>
> - K"Natively running ipv6 for a few years now"B

What he originally said was that this needed kernel 2.6.20 or newer. Is
this one of the feature backports into the enterprise kernel that Centos
inherits?


--
Les Mikesell
lesmikesell@gmail.com
 
05-30-2008, 12:52 PM
Matt Shields
Learning some sad things about the state of IPv6

On Fri, May 30, 2008 at 6:23 AM, Karanbir Singh <mail-lists@karan.org> wrote:
> Christopher Chan wrote:
>> The OP is not saying there is no ipv6 netfilter support. He said that
>> there is no ipv6 state netfilter module or something like that.
>
> In which case either you don't know what the OP is talking about, or he
> doesn't know what he asked
>
> ------------------
> [root@panic ~]# ip6tables -nL | wc -l
> 124
> [root@panic ~]# hostname
> panic.karan.org
> [root@panic ~]# lsof -i | grep IPv6 | wc -l
> 561
> [root@panic ~]# ip a l | grep net6
> inet6 ::1/128 scope host
> inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
> inet6 2001:4830:1600:13c::2/64 scope global
> inet6 fe80::4224:e704/128 scope link
> [root@panic ~]# uname -r
> 2.6.18-53.1.14.el5
> -----------
>
> - K"Natively running ipv6 for a few years now"B
> --
> Karanbir Singh : http://www.karan.org/ : 2522219@icq

Exactly!!! What he's complaining about is the lack of lazy-man's GUI
tool to configure ip6tables.

Are you absolutely sure that FWBuilder doesn't support IPv6? Because
here there is a release note
http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
referring to ip6tables.


--
-matt
 
05-30-2008, 01:38 PM
Robert Moskowitz
Learning some sad things about the state of IPv6

Matt Shields wrote:
> On Fri, May 30, 2008 at 6:23 AM, Karanbir Singh <mail-lists@karan.org> wrote:
>> Christopher Chan wrote:
>>> The OP is not saying there is no ipv6 netfilter support. He said that
>>> there is no ipv6 state netfilter module or something like that.
>>
>> In which case either you don't know what the OP is talking about, or he
>> doesn't know what he asked
>
> Exactly!!! What he's complaining about is the lack of lazy-man's GUI
> tool to configure ip6tables.

Not so much as complaining, but looking at ease-of-use and time allocation.

I have done iptables by hand and have used a few tools. One thing I like
about the tools I have found helpful is they have been good 'quick
starts' for learning what to do by hand!

But my source is:
http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECAI6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf

Peter, who has been involved with IPv6 for a long time, covers NetFilter
on slide 8 and claims stateful support added in 2.6.20. Elsewhere I
found a reference that RHEL would get this end-of-year 2008, and Fedora
Core 6 has it now. I looked in my /boot and saw that Centos is using
2.6.18, and I concluded from all this that I would have to work with FC6
for the next half year. Seems this conclusion is mis-informed if this
NetFilter feature got backported already....

> Are you absolutely sure that FWBuilder doesn't support IPv6? Because
> here there is a release note
> http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
> referring to ip6tables.

I also saw that FWBuilder supports IPv6. But if the kernel only supports
stateless, then that is all you can do with FWBuilder, I would think. My
one review of FWBuilder was that it was more than I needed at the time
and Shorewall would handle my needs for my one VoIP firewall. Well I
learned a lot using Shorewall. And Shorewall does NOT have IPv6 support,
I asked on their list.

So now I go and build a box and see if I got enough to get the job done.
 
05-30-2008, 06:13 PM
Scott Silva
Learning some sad things about the state of IPv6

on 5-30-2008 6:38 AM Robert Moskowitz spake the following:
> Matt Shields wrote:
>> On Fri, May 30, 2008 at 6:23 AM, Karanbir Singh
>> <mail-lists@karan.org> wrote:
>>> Christopher Chan wrote:
>>>> The OP is not saying there is no ipv6 netfilter support. He said that
>>>> there is no ipv6 state netfilter module or something like that.
>>>
>>> In which case either you don't know what the OP is talking about, or he
>>> doesn't know what he asked
>>
>> Exactly!!! What he's complaining about is the lack of lazy-man's GUI
>> tool to configure ip6tables.
>
> Not so much as complaining, but looking at ease-of-use and time allocation.
>
> I have done iptables by hand and have used a few tools. One thing I like
> about the tools I have found helpful is they have been good 'quick
> starts' for learning what to do by hand!
>
> But my source is:
> http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECAI6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf
>
> Peter, who has been involved with IPv6 for a long time, covers NetFilter
> on slide 8 and claims stateful support added in 2.6.20. Elsewhere I
> found a reference that RHEL would get this end-of-year 2008, and Fedora
> Core 6 has it now. I looked in my /boot and saw that Centos is using
> 2.6.18, and I concluded from all this that I would have to work with FC6
> for the next half year. Seems this conclusion is mis-informed if this
> NetFilter feature got backported already....
>
>> Are you absolutely sure that FWBuilder doesn't support IPv6? Because
>> here there is a release note
>> http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
>> referring to ip6tables.
>
> I also saw that FWBuilder supports IPv6. But if the kernel only supports
> stateless, then that is all you can do with FWBuilder, I would think. My
> one review of FWBuilder was that it was more than I needed at the time
> and Shorewall would handle my needs for my one VoIP firewall. Well I
> learned a lot using Shorewall. And Shorewall does NOT have IPv6 support,
> I asked on their list.
>
> So now I go and build a box and see if I got enough to get the job done.

There is one thing to remember about Enterprise RedHat; you can't just assume
what is in it by package version numbers alone. You have to read changelogs,
and sometimes the patches themselves. Or just try it and see if it works or not.


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
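
The point made in the thread (look at what the enterprise kernel actually contains rather than comparing 2.6.18 with 2.6.20), as an added example that is not part of the original posts: the script reads a kernel build config and emits a stateful ip6tables-restore ruleset only when IPv6 connection tracking and the state match are present, otherwise a stateless fallback. It assumes those features appear as CONFIG_NF_CONNTRACK_IPV6 and CONFIG_NETFILTER_XT_MATCH_STATE, as in 2.6-series kernels; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose IPv6 rules from the kernel build config, not from
# the version string. Function names and sample configs are hypothetical.

# Print y (built in), m (module) or n (absent) for one CONFIG_ symbol.
kconfig_value() {   # $1 = symbol, $2 = config file
    v=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${v:-n}"
}

# Stateful rules need IPv6 connection tracking and the "state" match
# (assumed symbol names, as used by 2.6-series kernels).
ipv6_stateful_supported() {   # $1 = config file
    [ "$(kconfig_value CONFIG_NF_CONNTRACK_IPV6 "$1")" != n ] &&
    [ "$(kconfig_value CONFIG_NETFILTER_XT_MATCH_STATE "$1")" != n ]
}

# Emit ip6tables-restore input for a host that only opens outbound connections.
emit_ruleset() {   # $1 = config file
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT'
    if ipv6_stateful_supported "$1"; then
        # Replies are matched against tracked connections.
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    else
        # Stateless fallback: every TCP segment that is not a connection-opening
        # SYN is let in, tracked or not, and UDP replies cannot be matched.
        echo '-A INPUT -p tcp ! --syn -j ACCEPT'
    fi
    echo 'COMMIT'
}

# Constructed sample configs, not copied from any real kernel package.
write_samples() {   # $1 = directory
    printf '%s\n' 'CONFIG_NETFILTER_XT_MATCH_STATE=m' \
        'CONFIG_NF_CONNTRACK_IPV6=m' > "$1/with-ct6"
    printf '%s\n' 'CONFIG_NETFILTER_XT_MATCH_STATE=m' \
        '# CONFIG_NF_CONNTRACK_IPV6 is not set' > "$1/without-ct6"
}

# Use the config file given as $1, else the constructed "without" sample.
demo=$(mktemp -d)
write_samples "$demo"
emit_ruleset "${1:-$demo/without-ct6}"
rm -rf "$demo"
```

On CentOS the running kernel's build config is normally /boot/config-$(uname -r); pass it as the first argument. A config symbol being set is still only a hint, so load the output on a test box and confirm that the state rule is accepted.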

 

All times are GMT.