Ip6tables [was: IP6tables and sendmail]

Aleksandar Milivojevic amilivojevic at pbl.ca
Mon Nov 29 15:38:50 UTC 2004


Deron Meranda wrote:
> I use IPv6 all the time.  I do have sendmail gateways configured to
> use it, DNS, etc.  I haven't yet though disposed of my IPv4 stack. 
> Someday...

What I had in mind was that enabling automatic loading of IPv6 by 
default in 2.6 kernels, before some other things were sorted out, 
probably wasn't the best possible idea.  And I don't see Linux 
distributions catching up with this change either.  For example, you 
select that you want a firewall during installation, and guess what, you 
get only an IPv4 firewall, but IPv6 is left wide open.  Not only that, 
ip6tables are *not* installed by default (like iptables).

Don't get me wrong.  I don't have anything against IPv6.  It is simply 
that IPv6 firewalling in Linux is still lacking many important features 
from the IPv4 version of Netfilter (connection tracking being one of the 
major ones).  This puts IPv6 on Linux slightly below my comfort level for 
a machine connected directly to the Internet.  And having IPv6 on the local 
network only doesn't make much sense (except for learning purposes).

I've read somewhere that connection tracking was ported to IPv6, but the 
kernel patch was refused because (surprise) it was mostly duplication of 
existing IPv4 code.  Apparently it was decided that both IPv4 and IPv6 
connection tracking should be handled by one module, and work is being 
done in that direction.  I hope that one day we'll also see ip6tables 
merged into iptables, so that all firewalling can be done from one 
place.  I don't see any benefits of having them separated (other than 
having me maintain two distinct firewall configurations).

As for having only an IPv6 stack and getting rid of the IPv4 stack.  Well, people 
have been telling me that IPv4 is dead since the mid 90s, and that IPv6 is the bright 
future just around the corner.  Everybody will be using IPv6 before 
Christmas, and IPv4 will be dead and gone.  I'd give it at least 10 
more years.

I agree that IPv6 is the bright future, but it still isn't "just around the 
corner".  Major ISPs are nowhere near supporting it, and for the majority of 
people that want to taste IPv6, the only option is a handful of 
experimental free tunneling providers (not something you would call 
"production ready").  Furthermore, DNS standards are still not widely 
implemented, most of the Internet is still using deprecated AAAA and 
ip6.int, instead of preferred (and much more usable and appropriate for 
IPv6 networks) A6, DNAME, and ip6.arpa.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
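An added check that is not part of this message or the fedora-list thread: a bash script that flags the gap the post describes (a host holding global IPv6 addresses while its ip6tables INPUT chain is missing, or has an ACCEPT policy and no blocking rule). It assumes the rule format printed by `ip6tables -S` and the column layout of /proc/net/if_inet6; the address and rule samples below are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag a host that holds global
# IPv6 addresses while its ip6tables INPUT chain is absent or wide open.
# Assumes `ip6tables -S` (iptables-save style) output and the column layout
# of /proc/net/if_inet6 (addr ifindex prefixlen scope flags ifname).

# count_global_v6 IF_INET6_TEXT -> number of global-scope (scope 00) addresses
count_global_v6() {
    printf '%s\n' "$1" | awk '$4 == "00" { n++ } END { print n + 0 }'
}

# classify_chain RULESET CHAIN -> NONE (chain missing: ip6tables not loaded),
# OPEN (policy ACCEPT, no DROP/REJECT rule) or FILTERED (something blocks)
classify_chain() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-P" && $2 == chain { seen = 1; policy = $3 }
        $1 == "-A" && $2 == chain {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) blocking = 1
        }
        END { if (!seen) print "NONE"
              else if (policy == "ACCEPT" && !blocking) print "OPEN"
              else print "FILTERED" }'
}

# audit_ipv6 IF_INET6_TEXT RULESET -> no-global-ipv6 | EXPOSED | filtered
audit_ipv6() {
    local state; state=$(classify_chain "$2" INPUT)
    if [ "$(count_global_v6 "$1")" -eq 0 ]; then echo no-global-ipv6
    elif [ "$state" = OPEN ] || [ "$state" = NONE ]; then echo EXPOSED
    else echo filtered; fi
}

# On a real host (root needed): audit_ipv6 "$(cat /proc/net/if_inet6)" "$(ip6tables -S)"
# Constructed samples: loopback, a link-local and one global (2001:db8::/32) address.
SAMPLE_IF_INET6='00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
20010db8000000010000000000000042 02 40 00 80     eth0'
# Freshly loaded ip6tables: every policy ACCEPT, no rules, nothing filtered.
SAMPLE_OPEN='-P INPUT ACCEPT
-P OUTPUT ACCEPT'
# A stateless IPv6 ruleset (no connection tracking, as the post points out).
SAMPLE_FILTERED='-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
audit_ipv6 "$SAMPLE_IF_INET6" "$SAMPLE_OPEN"      # EXPOSED
audit_ipv6 "$SAMPLE_IF_INET6" "$SAMPLE_FILTERED"  # filtered
```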