Default ip6tables rules

Michael H. Warfield mhw at WittsEnd.com
Tue Oct 17 14:31:24 UTC 2006


On Mon, 2006-10-16 at 20:12 +0200, Dawid Gajownik wrote:
> Hi!

> 	My University got IPv6 addresses from RIPE a few weeks ago, so I now 
> have a chance to test the IPv6 protocol :-) I started searching for IPv6-enabled 
> hosts on the Internet. ping6 worked, and so did traceroute6. I could not 
> connect to ftp/www sites, though. I started wireshark and noticed that 
> apps do not finish the three-way handshake (no ACK packet). Disabling the 
> ip6tables service resolved the problem...

> 	Is something wrong with my box (network rawhide installation from 13 
> October) or are these the normal firewall settings?

	There's a conflict in there.  The default IPv6 ip6tables rules are
using experimental features in the kernel which are not enabled and
which would break IPv4 NAT and MASQ (and who knows what) if they were
enabled.  Basically, stateful filtering is fubared and breaks the IPv6
networking if you try to use it.  They need to drop back to stateless
filtering for ip6tables before release of FC6 (unless it's slipped sooo
far back that we end up with the 2.6.20 kernel where it's expected to
work) or the whole v6 stack is blocked if you have those rules enabled.

	That's why it's rawhide.  :-)

> [root at viper ~]# service ip6tables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all      ::/0                 ::/0
> 
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    RH-Firewall-1-INPUT  all      ::/0                 ::/0
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 
> Chain RH-Firewall-1-INPUT (2 references)
> num  target     prot opt source               destination
> 1    ACCEPT     all      ::/0                 ::/0
> 2    ACCEPT     icmpv6   ::/0                 ::/0
> 3    ACCEPT     esp      ::/0                 ::/0
> 4    ACCEPT     ah       ::/0                 ::/0
> 5    ACCEPT     udp      ::/0                 ff02::fb/128       udp dpt:5353
> 6    ACCEPT     udp      ::/0                 ::/0               udp dpt:631
> 7    ACCEPT     tcp      ::/0                 ::/0               tcp dpt:631
> 8    ACCEPT     all      ::/0                 ::/0               state RELATED,ESTABLISHED
> 9    ACCEPT     tcp      ::/0                 ::/0               state NEW tcp dpt:22
> 10   DROP       all      ::/0                 ::/0
> 
> [root at viper ~]#
> 
> BTW I noticed that Firefox does not try to use IPv6 addresses before 
> IPv4 ones O_o
> 
> Regards,
> 	Dawid
> 

	Regards,
	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
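
The stateless fallback Mike describes, written out as an added example that is not part of this thread and not Fedora's own ip6tables-config. It keeps the shape of the quoted RH-Firewall-1-INPUT chain but replaces the two `state` rules (8 and 9), which need IPv6 connection tracking the kernel under discussion does not provide, with flag and port matches. The `-i lo` rule is an assumption about what the unlabelled rule 1 in the listing is, and the resolver addresses in DNS_SERVERS are hypothetical site values.

```shell
#!/bin/sh
# Added example (not from the thread): a stateless ip6tables ruleset with no
# `state`/`conntrack` match anywhere. Return traffic for outbound TCP is admitted
# by flag inspection instead: `! --syn` matches any TCP segment that is not a bare
# connection-opening SYN, so the SYN/ACK of our own outgoing handshake gets through
# while unsolicited connection attempts to other ports do not. UDP replies (DNS
# here) have to be listed by source port, and ICMPv6 error and Neighbor Discovery
# messages must be accepted by type because nothing will ever mark them RELATED.

# Hypothetical site values: the recursive resolvers this host is configured to use.
DNS_SERVERS="2001:db8::53 2001:db8:1::53"

# Prints the ruleset in ip6tables-restore format.
gen_stateless_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
# loopback (assumed to be the unlabelled rule 1 of the quoted listing)
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# ICMPv6 errors the stack needs for PMTU discovery and error reporting (RFC 4443 types 1-4)
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# echo request / echo reply, so ping6 keeps working in both directions
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
# Neighbor Discovery (RFC 4861 types 133-136): without these addressing stops working.
# Redirect (137) is deliberately left out.
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 133 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
# IPsec, mDNS and IPP, as in the quoted listing
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d ff02::fb/128 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 631 -j ACCEPT
# replies to our own outbound TCP connections (replaces rule 8's RELATED,ESTABLISHED)
-A RH-Firewall-1-INPUT -p tcp ! --syn -j ACCEPT
# inbound SSH (replaces rule 9's NEW)
-A RH-Firewall-1-INPUT -p tcp --syn --dport 22 -j ACCEPT
EOF
    # DNS answers from the configured resolvers (the UDP side of ESTABLISHED)
    for srv in $DNS_SERVERS; do
        printf '%s -p udp -s %s --sport 53 -j ACCEPT\n' '-A RH-Firewall-1-INPUT' "$srv"
    done
    printf '%s\n%s\n' '-A RH-Firewall-1-INPUT -j DROP' 'COMMIT'
}

# Self-check: the ruleset is only stateless if no rule asks for conntrack.
# Returns 0 when clean, 1 when a state/conntrack match slipped in.
rules_are_stateless() {
    gen_stateless_rules | grep -q -E -- '-m (state|conntrack)|--state|--ctstate' && return 1
    return 0
}

# Loads the ruleset atomically. Needs root and the ip6_tables modules; not part of the test.
apply_stateless_rules() {
    rules_are_stateless || { echo "refusing to load: ruleset uses a state match" >&2; return 1; }
    gen_stateless_rules | ip6tables-restore
}
```

The price of going stateless is visible in the `! --syn` rule: any non-SYN segment reaches the stack, so an unsolicited ACK or FIN probe gets a RST back and lets a scanner map open and closed ports, and every UDP service you talk to (here only DNS) needs its own reply rule. That is what the state match was buying, and what has to wait until IPv6 connection tracking works in the kernel.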
