On 11/01/11 21:12, Blake Hudson wrote:
>
>
> -------- Original Message --------
> Subject: [CentOS] IPv6, HE tunnel and ip6tables problems
> From: Stephen Harris <lists at spuddy.org>
> To: CentOS mailing list <centos at centos.org>
> Date: Tuesday, January 11, 2011 1:09:25 PM
>> CentOS 5.5, fully patched.
>>
>> I have a HE tunnel (tunnelbroker.net) IPv6 tunnel. This works pretty
>> well and is simple to set up. Everything works fine.
>>
>> Until I try to set up an ip6tables firewall.
>>
> ...
>> It might be that I need to compile a generic kernel; apparently >
>> 2.6.20 fixes a number of ip6tables issues; CentOS 5 is based on 2.6.18.
>>
>> Maybe CentOS 6 (*nudge nudge*) will work :-)
>>
>> I'm not sure I want to leave my home network on IPv6 without a firewall;
>> not sure I trust all the machines I have on local network to be safe
>> from remote probes!
>>
>> I wonder if anyone has any suggestions...
>>
>> Thanks!
>>
>
> I have been waiting for RHEL6/CentOS6 because, as I understand it,
> CentOS5 does not have a stateful IP6 firewall - e.g. incoming traffic
> would have to have a default ACCEPT policy or only specific applications
> allowed (based on source port) on a case by case basis. Perhaps this is
> the issue you are running into. However, I would think you'd receive an
> error attempting to set "--state ESTABLISHED,RELATED" within iptables if
> this were the case.

That matches what I've heard and experienced as well. I heard something
that backporting the changes from the 2.6.20-something kernel down to
2.6.18 where stateful IPv6 filtering arrived, was too big or too risky
to the stability. I don't know the details, just something I caught on
IRC or so.

> I would be delighted if someone could share their experiences with ip6
> and CentOS5, especially from a security or service provider standpoint.

My experience is that IPv6 in CentOS5 works very well, but is not
optimal due to lack of stateful firewalling. However, I'm certain that
is solved in CentOS6/RHEL6.

kind regards,

David Sommerseth
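
An added illustration, not part of the thread and not code from any of the posters: a generator for the kind of stateless ruleset described above (no `-m state`, replies admitted by TCP flags and UDP source port), printed in ip6tables-restore format. The interface names `sit1` and `eth0` and the UDP port list are assumptions.

```shell
#!/bin/sh
# Added example: stateless IPv6 filter for a router without IPv6 conntrack.
# Interface names and port list are assumed defaults, not from the thread.

rule() { printf '%s\n' "$*"; }

stateless_ruleset() {
    tun_if=${1:-sit1}        # assumed name of the tunnel interface
    lan_if=${2:-eth0}        # assumed name of the LAN interface
    udp_ports=${3:-"53 123"} # UDP services the LAN queries (DNS, NTP)

    rule "*filter"
    rule ":INPUT DROP [0:0]"
    rule ":FORWARD DROP [0:0]"
    rule ":OUTPUT ACCEPT [0:0]"

    # Traffic originating on this host or the LAN is trusted.
    rule "-A INPUT -i lo -j ACCEPT"
    rule "-A INPUT -i $lan_if -j ACCEPT"
    rule "-A FORWARD -i $lan_if -j ACCEPT"

    for chain in INPUT FORWARD; do
        # ICMPv6 carries neighbour discovery and path-MTU errors;
        # dropping it breaks IPv6 itself.
        rule "-A $chain -p ipv6-icmp -j ACCEPT"
        # Stand-in for ESTABLISHED: TCP segments that are not a
        # connection-opening SYN. New inbound connections hit the DROP policy.
        rule "-A $chain -i $tun_if -p tcp ! --syn -j ACCEPT"
        # Stand-in for UDP replies: match on the server's source port.
        # Weaker than conntrack, because the sender chooses its source
        # port, so keep this list as short as possible.
        for port in $udp_ports; do
            rule "-A $chain -i $tun_if -p udp --sport $port -j ACCEPT"
        done
    done
    rule "COMMIT"
}
```

Review the output of `stateless_ruleset sit1 eth0` before piping it to `ip6tables-restore`.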