Default ip6tables rules

Jay Cliburn jacliburn at bellsouth.net
Wed Oct 18 19:19:12 UTC 2006


On Wed, Oct 18, 2006 at 09:48:09AM -0400, Chris Lumens wrote:
> > 	There's a conflict in there.  The default IPv6 ip6tables rules are
> > using experimental features in the kernel which are not enabled and
> > which would break IPv4 NAT and MASQ (and who knows what) if they were
> > enabled.  Basically, stateful filtering is fubared and breaks the IPv6
> > networking if you try to use it.  They need to drop back to stateless
> > filtering for ip6tables before release of FC6 (unless it's slipped sooo
> > far back that we end up with the 2.6.20 kernel where it's expected to
> > work) or the whole v6 stack is blocked if you have those rules enabled.
> 
> I have committed a fix to s-c-securitylevel to set up stateless rules
> for what you select in the UI, and this fix has made its way into the
> FC6 trees.  So this should be fixed up for the final release.
> 
> In the future if you have problems with how the default firewall is set
> up, please file a bug against system-config-securitylevel and I will fix
> it.  Just leaving things in email makes the big assumption that I will
> read everything, and there's way too much mail for that.  Thanks.

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190590 .
This was the original complaint about IPv6 state matching rules not
working (in FC5).  If possible, you should probably make the 
s-c-securitylevel change there, too.

Jay
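
An added example, not part of this thread or of system-config-securitylevel: a check for the condition discussed above, listing the rules in an iptables-save style IPv6 ruleset that load the state match (and, going slightly beyond the thread, the conntrack match). The sample ruleset and the function name are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (assumption: not taken from
# the thread or from any real Fedora default ruleset).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Match modules that depend on connection tracking.
STATEFUL_MATCHES = {"state", "conntrack"}


def find_stateful_rules(ruleset_text):
    """Return (line_number, chain, match_name, rule) for every rule that
    loads a connection-tracking match. Hypothetical helper name."""
    findings = []
    for lineno, line in enumerate(ruleset_text.splitlines(), start=1):
        line = line.strip()
        # Only rule lines matter; skip table headers, chain policies,
        # comments and COMMIT.
        if not line.startswith(("-A ", "-I ")):
            continue
        tokens = shlex.split(line)
        chain = tokens[1]
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-m", "--match") and tokens[i + 1] in STATEFUL_MATCHES:
                findings.append((lineno, chain, tokens[i + 1], line))
                break  # one finding per rule is enough
    return findings


if __name__ == "__main__":
    for lineno, chain, match, rule in find_stateful_rules(SAMPLE_RULESET):
        print(f"line {lineno}: chain {chain} uses -m {match}: {rule}")
```
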



