From: Andre Tomt <andre@tomt.net>
To: Quantum Scientific <Info@quantum-sci.com>
Cc: netdev@oss.sgi.com
Subject: Re: Kernel 2.6 IPV6 Busted
Date: Tue, 01 Mar 2005 22:50:25 +0100
Message-ID: <4224E3A1.5090003@tomt.net>
In-Reply-To: <200502271220.06560.Info@quantum-sci.com>
Quantum Scientific wrote:
> On Sunday 27 February 2005 11:40, Andre Tomt wrote:
>>You seem to be fixed on the idea that an IPv6 stack has to have stateful
>>firewalling, or else it's utter crap, correct? :-)
>
>
> No, I'll try to say this clearer.
>
> The stack works fine in. And out. But for a useful virtual circuit you must
> have something like connection tracking.
>
> Remember what my issue is:
> - I have a very tight firewall,
> - I ping6 out,
> - The firewall blocks the reply back, because the connection is stateless!
Never, ever, filter ICMP. Or at least be extremely careful doing so. You
may end up breaking things like PMTU and error notification mechanisms.
> - Same with http, etc.
>
> This means that I have to open for incoming, virtually every port I send
> outgoing to, or else I do not get any replies. This is what I call
> non-functional, because one does not open incoming ports, for the most part.
>
> Why are you not having this problem?
Because I tend to use the oldskool way of doing it when there is no
other option, by matching on SYN. It's a bit trickier with UDP, but
doable for most UDP based protocols.
Also on a per-system basis I tend to prefer to secure services rather
than firewall them; by for example just shutting them off/uninstalling
them if not used, binding to localhost, using tcpwrappers... that sort of
thing.
Don't get me wrong; I'd *love* to see connection tracking integrated
with ipv6 netfilter. It would simplify some of my setups greatly. But it
would also be out of the question on a lot of my other setups; as
connection tracking is a *severe* bottleneck when faced with any real
amounts of load.
It's not the universal solution, and the lack of it is not *that* bad.
>>Connection tracking is on the way, currently an implementation exists in
>>the netfilter.org patch-o-matic svn.
>
>
> Is this reasonably solid? Does this operate on Layer 3, rather than Layer 2?
It operates like the IPv4 state matches. Solid? Well, I guess testers
are welcome :)
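As an added example, not part of Andre's mail and not netfilter code, the following Python models the stateless "match on SYN" INPUT policy he describes and renders it as ip6tables-restore rules. It runs the constructed sample packets through both the poster's "very tight" policy (drop everything inbound) and the SYN-matching one, so the difference for the ping6 and http cases in the quoted text is visible. The Packet and Rule classes, the port numbers and the sample traffic are assumptions chosen for illustration; the emitted rule lines use standard ip6tables syntax (`-p tcp ! --syn`, `-p icmpv6`).

```python
"""Stateless IPv6 INPUT policy without connection tracking, as the mail
describes it: ICMPv6 is never filtered, inbound TCP is accepted only when
it is not a SYN (so it belongs to a connection this host opened), and UDP
replies are matched on the remote service port.

Every Rule carries both a predicate for the simulator and its ip6tables
rendering, so the same policy can be checked here and loaded with
ip6tables-restore. Packets and ports below are constructed examples,
not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    syn: bool = False                # TCP only: SYN set, ACK/RST/FIN clear (ip6tables --syn)
    icmp_type: Optional[int] = None  # ICMPv6 only; kept for readability, never matched on


@dataclass(frozen=True)
class Rule:
    match: Callable[[Packet], bool]
    target: str                      # "ACCEPT" or "DROP"
    render: str                      # the same rule in ip6tables-restore syntax


def stateless_input_rules(open_tcp_ports: Sequence[int] = (),
                          udp_remote_ports: Sequence[int] = (53,)) -> list:
    """Build the INPUT chain. open_tcp_ports are services this host offers;
    udp_remote_ports are services it queries (assumed here: DNS only)."""
    rules = [
        # Never filter ICMPv6: neighbour discovery, Packet Too Big (PMTU),
        # echo replies and error notifications all travel here.
        Rule(lambda p: p.proto == "icmpv6", "ACCEPT",
             "-A INPUT -p icmpv6 -j ACCEPT"),
    ]
    for port in open_tcp_ports:
        rules.append(Rule(lambda p, port=port: p.proto == "tcp" and p.dport == port,
                          "ACCEPT", f"-A INPUT -p tcp --dport {port} -j ACCEPT"))
    # The oldskool SYN match: a TCP segment without SYN cannot open a
    # connection, so without conntrack it is treated as part of a
    # conversation this host started.
    rules.append(Rule(lambda p: p.proto == "tcp" and not p.syn, "ACCEPT",
                      "-A INPUT -p tcp ! --syn -j ACCEPT"))
    # UDP has no SYN; match the reply on the remote service port and an
    # unprivileged local port, which covers most request/response protocols.
    for port in udp_remote_ports:
        rules.append(Rule(lambda p, port=port: (p.proto == "udp" and p.sport == port
                                                and p.dport >= 1024),
                          "ACCEPT",
                          f"-A INPUT -p udp --sport {port} --dport 1024:65535 -j ACCEPT"))
    return rules


def evaluate(rules: Sequence[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, like a netfilter chain; otherwise the chain policy."""
    for rule in rules:
        if rule.match(pkt):
            return rule.target
    return policy


def render(rules: Sequence[Rule], policy: str = "DROP") -> str:
    """Emit the chain in ip6tables-restore format."""
    lines = ["*filter", f":INPUT {policy} [0:0]"]
    lines += [r.render for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines)


# Constructed sample traffic as seen on INPUT, i.e. arriving at this host.
SAMPLES = {
    "echo reply to our ping6":        Packet("icmpv6", icmp_type=129),
    "Packet Too Big (PMTU)":          Packet("icmpv6", icmp_type=2),
    "new SYN to port 80":             Packet("tcp", sport=51000, dport=80, syn=True),
    "ACK from remote :80 (our http)": Packet("tcp", sport=80, dport=51001),
    "DNS reply from :53":             Packet("udp", sport=53, dport=40000),
    "unsolicited UDP to :53":         Packet("udp", sport=40000, dport=53),
}

if __name__ == "__main__":
    tight = []                        # the "very tight" policy: drop everything inbound
    syn_match = stateless_input_rules()
    for name, pkt in SAMPLES.items():
        print(f"{name:32} tight={evaluate(tight, pkt):6} syn-match={evaluate(syn_match, pkt)}")
    print(render(syn_match))
```

The caveat a practitioner should keep in mind: `! --syn` accepts any ACK, RST or FIN segment to any local port, which is exactly the ACK-scan weakness of stateless filters that connection tracking closes. On a host that runs no listening service the kernel just answers those segments with RST, which is why Andre pairs this with turning services off or binding them to localhost rather than relying on the filter alone.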
Thread overview: 23+ messages
2005-02-27 15:28 Kernel 2.6 IPV6 Busted Quantum Scientific
2005-02-27 16:10 ` YOSHIFUJI Hideaki / 吉藤英明
2005-02-27 16:29 ` Quantum Scientific
2005-02-27 17:28 ` YOSHIFUJI Hideaki / 吉藤英明
2005-02-27 18:08 ` Quantum Scientific
2005-03-15 5:00 ` Horms
2005-02-27 17:40 ` Andre Tomt
2005-02-27 18:20 ` Quantum Scientific
2005-02-27 18:59 ` Jeff Garzik
2005-02-27 19:10 ` Quantum Scientific
2005-02-27 19:58 ` Jeff Garzik
2005-02-27 20:10 ` Quantum Scientific
2005-02-27 21:35 ` David S. Miller
2005-03-01 10:07 ` Denis Vlasenko
2005-03-01 13:50 ` Quantum Scientific
2005-03-01 16:26 ` Jeff Garzik
2005-03-01 20:46 ` Tomasz Torcz
2005-03-01 23:55 ` Quantum Scientific
2005-03-02 14:02 ` Denis Vlasenko
2005-03-02 19:12 ` Jeff Garzik
2005-03-01 21:50 ` Andre Tomt [this message]
2005-03-01 23:59 ` Quantum Scientific
2005-02-27 18:12 ` Jeff Garzik