Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 4 Mar 2010 14:41:01 -0500

On Thu, 04 Mar 2010 12:29:43 CST, Josh Richard said:
Not to open the worm can, but given all this discussion about filtering,
how many of us are currently maintaining IPv6 in production?  If so,
please consider the V6 analog to iptables -- ip6tables which allows for
most table manipulation.  Along that line, if you are using V6, how is
it going?

We've been doing IPv6 for years now (literally - since 1997 or so).

And yes, we use ip6tables where appropriate (our IPv6-enabled Linux boxes).
Ends up looking a lot like our ipv4 setups (accept traffic on ports we should,
send "go away" replies to on-campus for closed ports, and silently ignore
off-campus).

One biggie - *DO NOT* drop ICMP6 traffic like a lot of people like to do
with ICMP4.  Things will work quite poorly if you do.  Trust me on this one. ;)
(And if you know enough about IPv6 to reliably drop the right types of icmp6
and not hose yourself, you understand why I say "don't drop any of it" ;)
Seriously - the minimal info leakage caused by icmp is vastly outweighed by
the number of calls your help desk will have to deal with where an IWF drops
icmp6 and can't figure out what went wrong.  And "Don't Drop icmp6" is a meme
that you can sell to an IWF, but "allow icmp6 codes 132, 135, 142, <3 or 4 more>,
and also 117 if you do XYZ" is one they'll screw up.
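An added example, not part of the original post or of VT's configuration: a small POSIX sh script that emits an ip6tables INPUT policy following the scheme described above (accept the ports we intend to serve, send an explicit refusal to on-campus sources, silently drop everything else, and never filter ICMPv6). The campus prefix and the port list are constructed placeholders; it prints the rules as a dry run so they can be reviewed before piping them to a shell with the needed privileges, and it refuses to emit any rule set that drops or rejects ICMPv6.

```shell
#!/bin/sh
# Added example: generate an ip6tables INPUT policy in the style described in
# the post. Values below are assumptions, not real site data.
#   sh ip6fw.sh            -> print the rules (dry run)
#   sh ip6fw.sh | sudo sh  -> apply them

CAMPUS_PREFIX="${CAMPUS_PREFIX:-2001:db8:1234::/48}"   # assumed documentation prefix
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 443}"          # assumed services on this host

# Emit one ip6tables command per line; nothing is executed here.
ip6_rules() {
    prefix=$1
    ports=$2
    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -F INPUT"
    # Loopback and return traffic for connections we initiated.
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    echo "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Do not filter ICMPv6: neighbor discovery, router advertisements and
    # path-MTU discovery all ride on it, so dropping it breaks the host.
    echo "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT"
    # Services we intentionally offer.
    for p in $ports; do
        echo "ip6tables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # On-campus sources get a "go away" so their connection attempts fail fast;
    # anything else falls through to the default DROP policy and is ignored.
    echo "ip6tables -A INPUT -s $prefix -j REJECT --reject-with icmp6-adm-prohibited"
}

# Sanity check on a generated rule set: succeeds (exit 0) only if no rule
# sends ICMPv6 to DROP or REJECT.
icmp6_is_unfiltered() {
    ! printf '%s\n' "$1" | grep -E 'ipv6-icmp|icmpv6' | grep -qE -- '-j (DROP|REJECT)'
}

rules=$(ip6_rules "$CAMPUS_PREFIX" "$OPEN_TCP_PORTS")
if icmp6_is_unfiltered "$rules"; then
    printf '%s\n' "$rules"
else
    echo "refusing to emit a policy that filters ICMPv6" >&2
fi
```

The ordering matters: the ICMPv6 and service ACCEPT rules must precede the on-campus REJECT, otherwise the refusal rule swallows them. The `icmp6_is_unfiltered` check is the one piece of this worth keeping around even if the rest changes; it turns "don't drop icmp6" into something a script can enforce before a rule set reaches a host.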
