[CentOS] IPv6 under Centos?

Tue Mar 10 19:13:36 UTC 2009
Louis Lagendijk <louis at lagendijk.xs4all.nl>

On Tue, 2009-03-10 at 10:25 -0400, Robert Moskowitz wrote:
> Timothy Murphy wrote:
> > I wonder if anyone is running IPv6 under Centos-5.2?
> >   
> YES!!! On some systems it is strictly IPv6. IPv4 only on lo loopback.
Running IPv4 + IPv6 here....But see below...
> > Particularly with shorewall?
> >   
> NO!!!
yes, but see below.
> > I see that shorewall6 is specifically designed for updating shorewall
> > to IPv6, as described in <http://www.shorewall.net/IPv6Support.html>.
> >
> > Unfortunately, this explicitly requires kernel 2.6.25 or later,
> > and iptables 1.4.0 or later,
> > both of which are later than any versions I've seen on a Centos repository.
> >   
> Tom was rather explicit about why we will NOT see Shorewall6 with Centos 
> and the 2.6.18 kernel:
> "2.6.18 doesn't support stateful IPv6 firewalling at all!"
> I think that says it. You want stateful IPv6 firewalling, then you will 
> get a newer kernel which means most likely Centos 6.0...
> > I'm wondering how safe it would be to install Fedora versions
> > of the required kernel and iptables?
> >   
> I seem to recall kernel discussions here on this list and why this is a 
> VERY bad idea.
It is definitely NOT recommended. If it breaks you get to keep all the
pieces.... That being said, I really wanted to have some IPv6 firewall
on my Centos box. At first I thought of running a Fedora VM in Xen. I
ran into some issues with my Sun quad fast ethernet card. So in the end
I compiled an RPM from the stock kernel and compiled some RPMs myself
from Fedora RPMs:
I am not sure that this is the complete list of kernel dependent rpms
that are needed. It can be done when you compile your own stuff, but is
definitely NOT recommended. If you want to go this route you will need a
pretty good background on compiling your own RPMs etc.

Running Fedora kernels is still more tricky: there are way too many
dependencies. Don't even try!!!!

> > Or is there any alternative to shorewall that is IPv6 compatible?
> > I don't really want to run iptables directly, unless forced to do so,
> > as I have found shorewall very reliable and simple to configure.
> >   
> What I am working on is a FC9 system with shorewall6, then doing a 
> ip6tables -L and copying those rules that do not require stateful 
> firewalling...
If you do not use a kernel that has stateful IPv6 firewalling I would
recommend 6wall. This is a pretty old shorewall-shell derived package
that does IPv6 firewalling. The syntax should be familiar to old
shorewall users. It does, however, not offer macros or actions.
And you will have to write rules for incoming and outgoing traffic
separately. Something like:
ACCEPT          all             all             tcp     domain
ACCEPT          all             all             tcp     -       domain

It is still probably easier to use 6wall than porting just the
shorewall6 generated ip6tables rules. 

I am personally considering going back to running the firewall in a
Fedora VM now that I have a managed VLAN-capable switch. Simply being
able to update using yum is so much easier and more reliable.
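Added example, not part of the thread and not 6wall, shorewall or ip6tables code: a small Python model of why a kernel without IPv6 connection tracking forces the two-direction 6wall rules quoted above, and what the return-traffic rule gives up compared with a stateful ESTABLISHED match. The reading of the 6wall columns (destination port first, then source port), the packet layout and the addresses are assumptions made for this illustration.

```python
"""Stateless vs stateful filtering of TCP/53, as a toy packet-level model.

Added illustration for the thread above: without connection tracking,
DNS over TCP needs one rule for the query (destination port 53) and one
for the answer (source port 53).  The second rule admits *any* inbound
TCP packet whose source port is 53, which a stateful filter would not.
"""
from __future__ import annotations

from dataclasses import dataclass

DOMAIN = 53


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (sent by this host) or "in" (sent to this host)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a bare SYN, i.e. a new TCP connection


def stateless_accept(pkt: Packet) -> bool:
    """The two 6wall-style lines from the message, read (assumption) as:
       ACCEPT all all tcp domain     -> destination port 53 (our queries out)
       ACCEPT all all tcp - domain   -> any destination port, source port 53 (answers back)
    Direction and connection history are not consulted at all."""
    return pkt.dport == DOMAIN or pkt.sport == DOMAIN


class StatefulFilter:
    """Simplified connection tracking: remember outbound DNS connections we
    opened and admit only packets belonging to them (ESTABLISHED)."""

    def __init__(self) -> None:
        self.conns: set[tuple[str, int, str, int]] = set()

    def accept(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return True                            # ESTABLISHED, either direction
        if pkt.direction == "out" and pkt.syn and pkt.dport == DOMAIN:
            self.conns.add(fwd)                    # NEW outbound DNS connection
            return True
        return False                               # unsolicited inbound: drop


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Constructed packets (2001:db8::/32 is the documentation prefix, not
    real hosts).  Returns {name: (stateless_verdict, stateful_verdict)}."""
    me, resolver, attacker = "2001:db8::10", "2001:db8::53", "2001:db8:bad::1"
    sf = StatefulFilter()
    packets = {
        # our own query and the resolver's reply: both filters accept
        "query_out":   Packet("out", me, 40000, resolver, DOMAIN, syn=True),
        "reply_in":    Packet("in", resolver, DOMAIN, me, 40000),
        # attacker binds source port 53 and connects to our SSH port:
        # the stateless "source port domain" rule lets it through
        "spoofed_ssh": Packet("in", attacker, DOMAIN, me, 22, syn=True),
        # the same attempt from an ordinary source port is dropped by both
        "plain_ssh":   Packet("in", attacker, 50000, me, 22, syn=True),
    }
    return {name: (stateless_accept(p), sf.accept(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:12s} stateless={stateless!s:5s} stateful={stateful}")
```

The stateful branch corresponds to what ip6tables does with `-m state --state ESTABLISHED,RELATED`, which needs the IPv6 connection tracking the thread says the 2.6.18 kernel does not have. On such a kernel, the 6wall return rule is the only option, so limiting it to the addresses of your actual resolvers (rather than `all`) is the practical mitigation for the spoofed-source-port case the model shows.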