Bug#580507: linux-image-2.6.32-5-openvz-amd64: CONFIG_NF_CONNTRACK_IPV6 is not set
This is still missing from current 2.6.32-5-openvz-amd64. It's enabled
as a module for linux-image-2.6.32-5-amd64 though. It's not clear to me
why it's missing from the openvz flavour.
Anyway, the lack of nf_conntrack_ipv6 doesn't prevent IPv6 from being
used in OpenVZ host/guest VEs, because net.ipv6.conf.default.forwarding
still causes the host to act as an IPv6 router for guest VEs.
The reason nf_conntrack_ipv6 is desirable is that it allows the use
of '-m state --state RELATED,ESTABLISHED' in ip6tables rules (in either
the host VE's FORWARD table or guest VEs' INPUT tables), so that traffic
to most ports can be filtered except in response to outgoing
connections. This gives IPv6 hosts an additional layer of security that
was traditionally a side-effect of NAT in IPv4.
My suggested alternative in the meantime is to keep ports 1024-65535
open, because source ports for outgoing connections will usually be in
that range. Most services will listen on ports 1-1023, which can be
filtered/closed except for any services that need to be public.
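The two approaches above side by side, as an added shell example that is not part of this bug report: it reads a kernel config file and emits a guest VE INPUT ruleset in ip6tables-restore(8) format, using the stateful rule when CONFIG_NF_CONNTRACK_IPV6 is built and the 1024-65535 fallback otherwise. The PUBLIC_PORTS list and the config-file path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report. Generates an ip6tables
# INPUT policy for a guest VE; apply with:
#   gen_ip6_rules "/boot/config-$(uname -r)" | ip6tables-restore
# PUBLIC_PORTS is an assumed list of services that must stay reachable.
PUBLIC_PORTS="22 80"

# has_ipv6_conntrack CONFIG_FILE: succeeds if the kernel config has
# CONFIG_NF_CONNTRACK_IPV6 built in (y) or as a module (m).
has_ipv6_conntrack() {
    grep -Eq '^CONFIG_NF_CONNTRACK_IPV6=(y|m)$' "$1"
}

# gen_ip6_rules CONFIG_FILE: print a complete *filter table to stdout.
gen_ip6_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # ICMPv6 carries neighbour discovery and PMTU; dropping it breaks IPv6.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
    for p in $PUBLIC_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    if has_ipv6_conntrack "$1"; then
        # Stateful: only replies to connections this VE opened are let in.
        printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    else
        # Fallback from the report: the ephemeral range stays open because
        # replies to outgoing connections arrive on a source port chosen
        # there. Any service bound above 1023 is therefore also exposed.
        printf '%s\n' '-A INPUT -p tcp --dport 1024:65535 -j ACCEPT'
        printf '%s\n' '-A INPUT -p udp --dport 1024:65535 -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}
```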