Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 4 Mar 2010 14:41:01 -0500
On Thu, 04 Mar 2010 12:29:43 CST, Josh Richard said:

> Not to open the worm can, but given all this discussion about filtering, how many of us are currently maintaining IPv6 in production? If so, please consider the V6 analog to iptables -- ip6tables, which allows for most table manipulation. Along that line, if you are using V6, how is it going?
We've been doing IPv6 for years now (literally - since 1997 or so). And yes, we use ip6tables where appropriate (our IPv6-enabled Linux boxes). Ends up looking a lot like our ipv4 setups (accept traffic on ports we should, send "go away" replies to on-campus for closed ports, and silently ignore off-campus).

One biggie - *DO NOT* drop ICMP6 traffic like a lot of people like to do with ICMP4. Things will work quite poorly if you do. Trust me on this one. ;) (And if you know enough about IPv6 to reliably drop the right types of icmp6 and not hose yourself, you understand why I say "don't drop any of it" ;)

Seriously - the minimal info leakage caused by icmp is vastly outweighed by the number of calls your help desk will have to deal with where an IWF drops icmp6 and can't figure out what went wrong. And "Don't Drop icmp6" is a meme that you can sell to an IWF, but "allow icmp6 codes 132, 135, 142, <3 or 4 more>, and also 117 if you do XYZ" is one they'll screw up.
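The policy Valdis describes (accept the ports you mean to serve, REJECT on-campus hosts on closed ports, silently DROP everyone else, and never discard ICMPv6) can be written as an ip6tables-restore ruleset in a few lines. The script below is an added example, not code from the post or from any of the participants; it also carries a small audit function that scans an ip6tables-save dump for the mistake the post warns about. The campus prefix 2001:db8::/32 is the documentation prefix standing in for a real allocation, the port list is constructed, and the audit is a heuristic (it only understands plain `-p`/`-j` matches in the INPUT chain), all of which are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): emit an ip6tables-restore
# ruleset implementing the policy described above, then audit a saved
# ruleset for the ICMPv6 mistake the post warns about.

# gen_ip6tables_rules CAMPUS_PREFIX PORT...
# Hosts inside CAMPUS_PREFIX get a polite REJECT on closed ports; everyone
# else is silently dropped. Every ICMPv6 type is accepted, and that rule
# sits before anything that could discard it (NDP, PMTU discovery and
# router advertisements all ride on ICMPv6).
gen_ip6tables_rules() {
    campus="$1"
    shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' \
        "-A INPUT -s $campus -j REJECT --reject-with icmp6-port-unreachable" \
        '-A INPUT -j DROP' \
        'COMMIT'
}

# audit_icmp6 FILE
# Heuristic check of an ip6tables-save dump: returns 0 when the INPUT chain
# accepts all ICMPv6 (no --icmpv6-type restriction) before any DROP/REJECT
# that has no protocol match or matches ICMPv6; returns 1 otherwise
# (including a default-DROP INPUT policy with no ICMPv6 accept at all).
audit_icmp6() {
    awk '
        /^-A INPUT / {
            if ($0 ~ /-p (ipv6-icmp|icmpv6) / && $0 ~ /-j ACCEPT/ && $0 !~ /--icmpv6-type/) {
                ok = 1; exit
            }
            if ($0 ~ /-j (DROP|REJECT)/ && ($0 !~ /-p / || $0 ~ /-p (ipv6-icmp|icmpv6) /)) {
                exit
            }
        }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Stand-alone demo. 2001:db8::/32 is the documentation prefix standing in
# for the campus allocation; the port list is constructed.
good=$(mktemp)
gen_ip6tables_rules 2001:db8::/32 22 80 443 > "$good"
cat "$good"
audit_icmp6 "$good" && echo "OK: ICMPv6 accepted before any discard rule"
# To install for real: ip6tables-restore < "$good"

# Constructed dump showing the IPv4 habit carried over to v6.
bad=$(mktemp)
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -p ipv6-icmp -j DROP' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$bad"
audit_icmp6 "$bad" || echo "WARN: ruleset discards ICMPv6 (NDP and PMTUD will break)"
rm -f "$good" "$bad"
```

Run `audit_icmp6` over the output of `ip6tables-save` on hosts you already manage to find the boxes where someone copied an IPv4 ruleset and swapped `icmp` for `ipv6-icmp` without rethinking it; the REJECT-for-campus, DROP-for-everyone-else split in the generator is the "go away" versus "silently ignore" distinction from the post.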