Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-30 Thread Karanbir Singh
Christopher Chan wrote:
> The OP is not saying there is no ipv6 netfilter support. He said that
> there is no ipv6 state netfilter module or something like that.

In which case either you don't know what the OP is talking about, or he
doesn't know what he asked :D

--
[EMAIL PROTECTED] ~]# ip6tables -nL | wc -l
124
[EMAIL PROTECTED] ~]# hostname
panic.karan.org
[EMAIL PROTECTED] ~]# lsof -i | grep IPv6  | wc -l
561
[EMAIL PROTECTED] ~]# ip a l | grep net6
inet6 ::1/128 scope host
inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
inet6 2001:4830:1600:13c::2/64 scope global
inet6 fe80::4224:e704/128 scope link
[EMAIL PROTECTED] ~]# uname -r
2.6.18-53.1.14.el5
---

- KNatively running ipv6 for a few years nowB
-- 
Karanbir Singh : http://www.karan.org/ : [EMAIL PROTECTED]
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-30 Thread Les Mikesell

Karanbir Singh wrote:
> Christopher Chan wrote:
>> The OP is not saying there is no ipv6 netfilter support. He said that
>> there is no ipv6 state netfilter module or something like that.
>
> In which case either you don't know what the OP is talking about, or he
> doesn't know what he asked :D
>
> --
> [EMAIL PROTECTED] ~]# ip6tables -nL | wc -l
> 124
> [EMAIL PROTECTED] ~]# hostname
> panic.karan.org
> [EMAIL PROTECTED] ~]# lsof -i | grep IPv6  | wc -l
> 561
> [EMAIL PROTECTED] ~]# ip a l | grep net6
> inet6 ::1/128 scope host
> inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
> inet6 2001:4830:1600:13c::2/64 scope global
> inet6 fe80::4224:e704/128 scope link
> [EMAIL PROTECTED] ~]# uname -r
> 2.6.18-53.1.14.el5
> ---
>
> - KNatively running ipv6 for a few years nowB


What he originally said was that this needed kernel 2.6.20 or newer.  Is 
this one of the feature backports into the enterprise kernel that Centos 
inherits?


--
  Les Mikesell
   [EMAIL PROTECTED]


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-30 Thread Matt Shields
On Fri, May 30, 2008 at 6:23 AM, Karanbir Singh [EMAIL PROTECTED] wrote:
> Christopher Chan wrote:
>> The OP is not saying there is no ipv6 netfilter support. He said that
>> there is no ipv6 state netfilter module or something like that.
>
> In which case either you don't know what the OP is talking about, or he
> doesn't know what he asked :D
>
> --
> [EMAIL PROTECTED] ~]# ip6tables -nL | wc -l
> 124
> [EMAIL PROTECTED] ~]# hostname
> panic.karan.org
> [EMAIL PROTECTED] ~]# lsof -i | grep IPv6  | wc -l
> 561
> [EMAIL PROTECTED] ~]# ip a l | grep net6
> inet6 ::1/128 scope host
> inet6 fe80::20d:61ff:fe80:7ce3/64 scope link
> inet6 2001:4830:1600:13c::2/64 scope global
> inet6 fe80::4224:e704/128 scope link
> [EMAIL PROTECTED] ~]# uname -r
> 2.6.18-53.1.14.el5
> ---
>
> - KNatively running ipv6 for a few years nowB
> --
> Karanbir Singh : http://www.karan.org/ : [EMAIL PROTECTED]

Exactly!!!  What he's complaining about is the lack of lazy-man's GUI
tool to configure ip6tables.

Are you absolutely sure that FWBuilder doesn't support IPv6?  Because
here there's a release note
http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
referring to ip6tables.


-- 
-matt


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-30 Thread Robert Moskowitz

Matt Shields wrote:
> On Fri, May 30, 2008 at 6:23 AM, Karanbir Singh [EMAIL PROTECTED] wrote:
>> Christopher Chan wrote:
>>> The OP is not saying there is no ipv6 netfilter support. He said that
>>> there is no ipv6 state netfilter module or something like that.
>>
>> In which case either you don't know what the OP is talking about, or he
>> doesn't know what he asked :D
>
> Exactly!!!  What he's complaining about is the lack of lazy-man's GUI
> tool to configure ip6tables.

Not so much as complaining, but looking at ease-of-use and time allocation.

I have done iptables by hand and have used a few tools. One thing I like 
about the tools I have found helpful is they have been good 'quick 
starts' for learning what to do by hand!


But my source is: 
http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECAI6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf


Peter, who has been involved with IPv6 for a long time, covers NetFilter
on slide 8 and claims stateful support added in 2.6.20. Elsewhere I
found a reference that RHEL would get this end-of-year 2008, and Fedora
Core 6 has it now. I looked in my /boot and saw that CentOS is using
2.6.18, and I concluded from all this that I would have to work with FC6
for the next half year. Seems this conclusion is misinformed if this
NetFilter feature got backported already.

> Are you absolutely sure that FWBuilder doesn't support IPv6?  Because
> here there's a release note
> http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
> referring to ip6tables.

I also saw that FWBuilder supports IPv6. But if the kernel only supports
stateless, then that is all you can do with FWBuilder, I would think. My
one review of FWBuilder was that it was more than I needed at the time 
and Shorewall would handle my needs for my one VoIP firewall. Well I 
learned a lot using Shorewall. And Shorewall does NOT have IPv6 support, 
I asked on their list.


So now I go and build a box and see if I got enough to get the job done.
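
Added example (not part of any post in this thread): whether a given kernel and ruleset actually do stateful IPv6 filtering can be checked from the kernel build config and `ip6tables-save` output rather than from a rule count. The function names and sample files are constructed for illustration, and the script assumes the kernel build exposes IPv6 connection tracking as `CONFIG_NF_CONNTRACK_IPV6`.

```shell
#!/bin/sh
# Added example; every sample file below is constructed, not from a real host.

# How a kernel config exposes IPv6 conntrack: builtin, module or absent.
# Assumption: the build uses the CONFIG_NF_CONNTRACK_IPV6 symbol.
conntrack6_in_config() {
    case "$(grep -E -e '^CONFIG_NF_CONNTRACK_IPV6=' "$1" 2>/dev/null)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# Count rules in ip6tables-save output that match on connection state.
count_stateful_rules() {
    grep -cE -e '^-A .*-m (state .*--state|conntrack .*--ctstate) ' "$1" || true
}

# Combine both checks into a one-line verdict.
ipv6_fw_verdict() {
    kernel=$(conntrack6_in_config "$1")
    rules=$(count_stateful_rules "$2")
    if [ "$kernel" = absent ]; then
        echo "no-conntrack: config shows no IPv6 conntrack, ruleset has $rules state rule(s)"
    elif [ "$rules" -eq 0 ]; then
        echo "stateless: conntrack is $kernel but no rule matches on state"
    else
        echo "stateful: conntrack is $kernel and $rules rule(s) match on state"
    fi
}

tmp=$(mktemp -d)
printf '# CONFIG_NF_CONNTRACK_IPV6 is not set\n' > "$tmp/config-nostate"
printf 'CONFIG_NF_CONNTRACK_IPV6=m\n' > "$tmp/config-state"
cat > "$tmp/rules-stateless" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$tmp/rules-stateful" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
ipv6_fw_verdict "$tmp/config-nostate" "$tmp/rules-stateful"
ipv6_fw_verdict "$tmp/config-state" "$tmp/rules-stateless"
```

On a real host the inputs would be `/boot/config-$(uname -r)` and a file written by `ip6tables-save`. The config check reflects only how the kernel was built under the assumed symbol name; loading a state rule with `ip6tables` remains the definitive test.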


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-30 Thread Christopher Chan



> Exactly!!!  What he's complaining about is the lack of lazy-man's GUI
> tool to configure ip6tables.


I may be ethnic Chinese but I grew up in Sierra Leone and English is what I
use from day to day and I cannot read Chinese characters...or do not 
recognise enough to claim literacy anyway.




> Are you absolutely sure that FWBuilder doesn't support IPv6?  Because
> here there's a release note
> http://www.fwbuilder.org/docs/firewall_builder_release_notes.html
> referring to ip6tables.




When did I or the OP say there was absolutely no ipv6 support?


[CentOS] Learning some sad things about the state of IPv6

2008-05-29 Thread Robert Moskowitz
We have kernel support for IPv6 in CentOS, but not stateful firewall
support.


That requires at least the 2.6.20 kernel, which means Fedora Core 6 or 
some other Linux distro.


None of the various free Linux firewalls have IPv6 support.  Supposedly 
FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be 
the extent of it.


More sad facts as I uncover them.




Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-29 Thread Christopher Chan

Robert Moskowitz wrote:
> We have kernel support for IPv6 in CentOS, but not stateful firewall
> support.
>
> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
> some other Linux distro.
>
> None of the various free Linux firewalls have IPv6 support.  Supposedly
> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be
> the extent of it.
>
> More sad facts as I uncover them.


Just use openbsd. We cannot expect Linux to rule everything. Use what 
best fits the job.



Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-29 Thread Matt Shields
On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
[EMAIL PROTECTED] wrote:
> Robert Moskowitz wrote:
>
>> We have kernel support for IPv6 in CentOS, but not stateful firewall
>> support.
>>
>> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
>> some other Linux distro.
>>
>> None of the various free Linux firewalls have IPv6 support.  Supposedly
>> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be the
>> extent of it.
>>
>> More sad facts as I uncover them.
>
> Just use openbsd. We cannot expect Linux to rule everything. Use what best
> fits the job.

Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables.  I
haven't used it, but I'm assuming that you can build rules just like
you do with iptables.

-- 
-matt


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-29 Thread Rob Townley
On Thu, May 29, 2008 at 10:53 PM, Matt Shields [EMAIL PROTECTED] wrote:

> On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
> [EMAIL PROTECTED] wrote:
>> Robert Moskowitz wrote:
>>
>>> We have kernel support for IPv6 in CentOS, but not stateful firewall
>>> support.
>>>
>>> That requires at least the 2.6.20 kernel, which means Fedora Core 6 or
>>> some other Linux distro.
>>>
>>> None of the various free Linux firewalls have IPv6 support.  Supposedly
>>> FWBuilder can manage Netfilters for a Linux Kernel, but that seems to be
>>> the extent of it.
>>>
>>> More sad facts as I uncover them.
>>
>> Just use openbsd. We cannot expect Linux to rule everything. Use what
>> best fits the job.
>
> Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables.  I
> haven't used it, but I'm assuming that you can build rules just like
> you do with iptables.
>
> --
> -matt


My dd-wrt web page has an IPv6 checkbox, but don't know what it does.  I am
shunning IPv6 because securing the private side of a NAT is hard enough.
Securing IPv6 seems much much much tougher.


Re: [CentOS] Learning some sad things about the state of IPv6

2008-05-29 Thread Christopher Chan

Matt Shields wrote:
> On Thu, May 29, 2008 at 11:43 PM, Christopher Chan
> [EMAIL PROTECTED] wrote:
>> Robert Moskowitz wrote:
>>> We have kernel support for IPv6 in CentOS, but not stateful firewall
>>> support.
>
> Not sure about FC6, but in both CentOS 4 & 5 there is an ip6tables.  I
> haven't used it, but I'm assuming that you can build rules just like
> you do with iptables.



The OP is not saying there is no ipv6 netfilter support. He said that 
there is no ipv6 state netfilter module or something like that.
