To: Quantum Scientific <Info@xxxxxxxxxxxxxxx>
Subject: Re: Kernel 2.6 IPV6 Busted
From: Andre Tomt <andre@xxxxxxxx>
Date: Tue, 01 Mar 2005 22:50:25 +0100
References: <200502270928.44402.Info@Quantum-Sci.com> <422205F7.email@example.com> <200502271220.06560.Info@quantum-sci.com>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)
Quantum Scientific wrote:
> On Sunday 27 February 2005 11:40, Andre Tomt wrote:
>> You seem to be fixed on the idea that an ipv6 stack has to have stateful firewalling, or else it's utter crap, correct? :-)
>> Never, ever, filter ICMP. Or at least be extremely careful doing so. You may end up breaking things like PMTU and error notification mechanisms.
> - Same with http, etc.
Because I tend to use the oldskool way of doing it when there is no other option, by matching on SYN. It's a bit trickier with UDP, but doable for most UDP based protocols.
Also on a per-system basis I tend to prefer to secure services rather than firewall them; by for example just shutting them off/uninstalling them if not used, binding to localhost, using tcpwrappers... that sort of thing.
Don't get me wrong; I'd *love* to see connection tracking integrated with ipv6 netfilter. It would simplify some of my setups greatly. But it would also be out of the question on a lot of my other setups; as connection tracking is a *severe* bottleneck when faced with any real amounts of load.
It's not The universal solution, and the lack of it is not *that* bad.
Connection tracking is on the way, currently an implementation exists in the netfilter.org patch-o-matic svn.
It operates like the IPv4 state matches. Solid? Well, I guess testers are welcome :)
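As an added example (not from the original mail or its author), the stateless "match on SYN" approach described above, written as a generator for an ip6tables-restore ruleset that never filters ICMPv6; the port lists, the helper names and the `--apply` switch are assumptions:

```shell
#!/bin/sh
# Stateless IPv6 filter in ip6tables-restore format (assumed layout, not from the mail).
# gen_rules TCP_PORTS UDP_REPLY_SRC_PORTS
#   TCP_PORTS            space-separated local TCP ports that may receive new connections
#   UDP_REPLY_SRC_PORTS  space-separated remote UDP source ports whose replies we accept
gen_rules() {
    tcp_ports="$1"
    udp_replies="$2"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Never filter ICMPv6: PMTU discovery, error notification and neighbour
    # discovery all ride on it, so dropping it breaks connectivity in odd ways.
    printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT'
    # TCP without state: a segment that is not a bare SYN belongs to a connection
    # that was already opened (by us, or by a peer allowed below), so let it in.
    printf '%s\n' '-A INPUT -p tcp ! --syn -j ACCEPT'
    # New inbound connections are only accepted on the explicitly listed ports.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --syn --dport $p -j ACCEPT"
    done
    # UDP is the weak spot: without state the best a stateless filter can do is
    # trust the remote source port (e.g. 53 for DNS replies), which anyone can forge.
    for p in $udp_replies; do
        printf '%s\n' "-A INPUT -p udp --sport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of -A rules the ruleset contains, handy for a sanity check before applying.
count_rules() {
    gen_rules "$@" | grep -c '^-A'
}

# Usage: TCP_PORTS="22 80" UDP_REPLIES="53" ./filter.sh --apply
if [ "${1:-}" = "--apply" ]; then
    gen_rules "${TCP_PORTS:-}" "${UDP_REPLIES:-}" | ip6tables-restore
fi
```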