| To: | Peter Bieringer <pb@xxxxxxxxxxxx> |
|---|---|
| Subject: | Re: Debug kernel network hook chain or why has Check Point Firewall module problems with IPv6 |
| From: | Andi Kleen <ak@xxxxxxx> |
| Date: | Mon, 22 Apr 2002 09:22:52 +0200 |
| Cc: | Maillist netdev <netdev@xxxxxxxxxxx> |
| In-reply-to: | <22830000.1019458033@localhost> |
| References: | <22830000.1019458033@localhost> |
| Sender: | owner-netdev@xxxxxxxxxxx |
| User-agent: | Mutt/1.3.22.1i |

On Mon, Apr 22, 2002 at 08:47:13AM +0200, Peter Bieringer wrote:
> Looks like CP never sees (or recognizes) packets leaving the
> firewalled host from a dual-stack application.

Linux has no "generic" firewall hooks, only protocol specific ones. Checkpoint is probably using the v4 specific ones only. Other protocols can be received (by registering a protocol to ETH_P_ALL via SOCK_PACKET or in the kernel), but not stolen from protocol handlers. 2.2 had no working firewall chains for IPv6, 2.4 has a v6 netfilter interface.

BTW the CheckPoint module seems to leak routes too at least on 2.2, there are regular reports of that.

> BTW: incoming SSH traffic via IPv6 is completely unrecognized and
> therefore quietly accepted. Looks like CP never sees or recognizes
> incoming IPv6 packets at all - same issue, if on an IPv4-netfiltered
> box the IPv6-netfilter was forgotten...

Sounds like a serious CheckPoint bug.

-Andi
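
The gap discussed in this message, a host that filters IPv4 while IPv6 passes unfiltered, can be checked for on a netfilter host by comparing the default chain policies of both protocol families. This is an added example, not part of the original message; it assumes rule listings in the format printed by `iptables -S` and `ip6tables -S`, and the function names and sample rule sets are constructed.

```shell
#!/bin/sh
# Added example: flag chains whose IPv6 default policy is weaker than IPv4.
# Input is text in the format printed by `iptables -S` / `ip6tables -S`.

# policy_of CHAIN RULES -> prints the default policy of CHAIN,
# or NONE when the listing has no "-P CHAIN ..." line (e.g. empty output).
policy_of() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-P" && $2 == chain { p = $3 }
        END { print (p == "" ? "NONE" : p) }'
}

# parity_gaps V4_RULES V6_RULES -> prints one line per built-in filter chain
# that drops by default for IPv4 but not for IPv6; prints nothing otherwise.
parity_gaps() {
    for chain in INPUT FORWARD OUTPUT; do
        p4=$(policy_of "$chain" "$1")
        p6=$(policy_of "$chain" "$2")
        if [ "$p4" = "DROP" ] && [ "$p6" != "DROP" ]; then
            echo "$chain: IPv4 policy DROP, IPv6 policy $p6"
        fi
    done
}

# Constructed sample listings: IPv4 is default-deny, IPv6 was forgotten.
V4_SAMPLE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'
V6_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

parity_gaps "$V4_SAMPLE" "$V6_SAMPLE"
# On a live host (as root): parity_gaps "$(iptables -S)" "$(ip6tables -S)"
```

The check only compares default policies, so a rule set that ends each chain with an explicit catch-all drop rule instead of a DROP policy needs a separate review.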