Ip6tables [was: IP6tables and sendmail]
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Nov 29 15:38:50 UTC 2004
Deron Meranda wrote:
> I use IPv6 all the time. I do have sendmail gateways configured to
> use it, DNS, etc. I haven't yet though disposed of my IPv4 stack.
> Someday...
What I had in mind was that enabling automatic loading of IPv6 by
default in 2.6 kernels, before some other things were sorted out,
probably wasn't the best possible idea. And I don't see Linux
distributions catching up with this change either. For example, you
select that you want a firewall during installation, and guess what, you
get only an IPv4 firewall, but IPv6 is left wide open. Not only that,
ip6tables is *not* installed by default (unlike iptables).
Don't get me wrong. I don't have anything against IPv6. It is simply
that IPv6 firewalling in Linux is still lacking many important features
of the IPv4 version of Netfilter (connection tracking being one of the
major ones). This puts IPv6 on Linux slightly below my comfort level for
a machine connected directly to the Internet. And having IPv6 on the local
network only doesn't make much sense (except for learning purposes).
I've read somewhere that connection tracking was ported to IPv6, but
the kernel patch was refused because (surprise) it was mostly a duplication of
existing IPv4 code. Apparently it was decided that both IPv4 and IPv6
connection tracking should be handled by one module, and work is being
done in that direction. I hope that one day we'll also see ip6tables
merged into iptables, so that all firewalling can be done from one
place. I don't see any benefit in having them separated (other than
having me maintain two distinct firewall configurations).
As for having only an IPv6 stack, and getting rid of the IPv4 stack. Well, people
have been telling me that IPv4 is dead since the mid 90s, and that IPv6 is the bright
future just around the corner. Everybody will be using IPv6 before
Christmas, and IPv4 will be dead and gone. I'd give it at least 10
more years.
I agree that IPv6 is the bright future, but it still isn't "just around the
corner". Major ISPs are nowhere near supporting it, and for the majority of
people who want to taste IPv6, the only option is a handful of
experimental free tunneling providers (not something you would call
"production ready"). Furthermore, DNS standards are still not widely
implemented; most of the Internet is still using the deprecated AAAA and
ip6.int, instead of the preferred (and much more usable and appropriate for
IPv6 networks) A6, DNAME, and ip6.arpa.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
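As an added example (not part of the original post, and not Fedora's or Netfilter's own tooling), the following POSIX shell script addresses the two points above: it detects the "IPv6 enabled but unfiltered" state (an INPUT chain with policy ACCEPT and no rules) from `ip6tables -L INPUT -n` output, and it emits a minimal stateless ruleset in `ip6tables-restore` format for an ip6tables without connection tracking, admitting TCP replies by flag (`! --syn`) instead of by state. The path `/proc/net/if_inet6`, the function names, and the sample chain listing used for testing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit for an unfiltered IPv6 stack and build a stateless ip6tables
# ruleset. Assumes a Linux host with /proc/net/if_inet6 and ip6tables-restore.

# Returns 0 if the kernel has at least one IPv6 address configured.
# $1 optionally overrides the interface table path (used for testing).
ipv6_active() {
    [ -s "${1:-/proc/net/if_inet6}" ]
}

# Reads "ip6tables -L INPUT -n" output on stdin and prints "open" when the INPUT
# chain has policy ACCEPT and no rules (the wide-open state), else "filtered".
classify_input_chain() {
    awk '
        /^Chain INPUT/ { if ($0 ~ /policy ACCEPT/) accept = 1 }
        /^target/      { header = 1; next }
        header && NF > 0 { rules++ }
        END {
            verdict = (accept && rules == 0) ? "open" : "filtered"
            print verdict
        }
    '
}

# Prints a minimal stateless ruleset in ip6tables-restore format.
# $1 = comma-separated TCP ports to publish (e.g. "22,25").
# Without connection tracking, return traffic cannot be matched by state, so
# TCP replies are admitted by flag: any segment that is not a fresh SYN.
build_ip6_ruleset() {
    ports=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery and router advertisements; dropping it breaks IPv6
-A INPUT -p icmpv6 -j ACCEPT
# stateless substitute for ESTABLISHED: accept TCP segments that do not open a connection
-A INPUT -p tcp ! --syn -j ACCEPT
EOF
    # one explicit ACCEPT for each published service port
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r p; do
        [ -n "$p" ] && printf -- '-A INPUT -p tcp --dport %s --syn -j ACCEPT\n' "$p"
    done
    echo COMMIT
}

# Typical use on a live host (requires root):
#   ipv6_active && ip6tables -L INPUT -n | classify_input_chain
#   build_ip6_ruleset "22,25" | ip6tables-restore
```

The `! --syn` rule is weaker than real connection tracking (it admits any non-SYN segment, not just replies to connections this host opened), which is exactly the gap the post describes; it is the best a stateless ip6tables can do, and the ICMPv6 accept is mandatory because neighbour discovery rides on ICMPv6.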
More information about the fedora-list mailing list