Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 4 Mar 2010 14:09:51 -0600
On Thu, 2010-03-04 at 14:41 -0500, Valdis Kletnieks wrote:

> On Thu, 04 Mar 2010 12:29:43 CST, Josh Richard said:
>> Not to open the worm can, but given all this discussion about filtering, how many of us are currently maintaining IPv6 in production? If so, please consider the V6 analog to iptables -- ip6tables, which allows for most table manipulation. Along that line, if you are using V6, how is it going?
>
> We've been doing IPv6 for years now (literally - since 1997 or so). And yes, we use ip6tables where appropriate (our IPv6-enabled Linux boxes). Ends up looking a lot like our IPv4 setups (accept traffic on ports we should, send "go away" replies to on-campus for closed ports, and silently ignore off-campus).
>
> One biggie - *DO NOT* drop ICMP6 traffic like a lot of people like to do with ICMP4. Things will work quite poorly if you do. Trust me on this one. ;) (And if you know enough about IPv6 to reliably drop the right types of icmp6 and not hose yourself, you understand why I say "don't drop any of it" ;)
>
> Seriously - the minimal info leakage caused by icmp is vastly outweighed by the number of calls your help desk will have to deal with where an IWF drops icmp6 and can't figure out what went wrong. And "Don't drop icmp6" is a meme that you can sell to an IWF, but "allow icmp6 codes 132, 135, 142, <3 or 4 more>, and also 117 if you do XYZ" is one they'll screw up.
We have been bitten by the ICMP6 issue in testing. No SLAAC. I agree, the recommendation is one which can scale. You mentioned in a previous post you have two /16s. We have one for 15K drops + wireless. It is amazing how fast you burn through V4 in that situation. What is your current default offering for, say, a new building? Dual stack w/NAT? SLAAC vs. DHCPv6?

josh
Attachment:
signature.asc
Description: This is a digitally signed message part
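The ip6tables layout Valdis describes above (accept the services you run, accept ICMPv6 wholesale, reject on-campus probes so they get a "go away", silently drop everything else), as an added example that is not part of the thread. The campus prefix 2001:db8::/32 and the port list 22/80/443 are placeholders, not values from the thread; the script emits an ip6tables-restore ruleset on stdout rather than touching the running firewall, and includes a check that the ICMPv6 accept lands before any REJECT or DROP rule, which is the ordering mistake that breaks neighbor discovery and path MTU discovery.

```shell
#!/bin/sh
# Hypothetical campus prefix and service list: assumptions for this example,
# not values from the thread. Override via the environment.
CAMPUS_PREFIX="${CAMPUS_PREFIX:-2001:db8::/32}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 443}"

# Emit a complete ip6tables-restore ruleset for the filter table.
gen_ruleset() {
    echo '*filter'
    # Default policy: silently ignore anything no rule below accepts or rejects.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Accept ALL ICMPv6. Neighbor discovery, router advertisements, MLD and
    # packet-too-big (PMTUD) all live here; enumerating "safe" types is the
    # approach the thread warns against.
    echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    # Services this host should actually offer.
    for p in $OPEN_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # On-campus sources get an explicit refusal (TCP RST for TCP, port
    # unreachable for the rest). Off-campus falls through to the DROP policy.
    echo "-A INPUT -s $CAMPUS_PREFIX -p tcp -j REJECT --reject-with tcp-reset"
    echo "-A INPUT -s $CAMPUS_PREFIX -j REJECT --reject-with icmp6-port-unreachable"
    echo 'COMMIT'
}

# Sanity check: the ICMPv6 accept must appear before any REJECT/DROP rule,
# otherwise neighbor solicitations from the refused prefix never get through.
icmpv6_accept_precedes_reject() {
    gen_ruleset | awk '
        /-p ipv6-icmp -j ACCEPT/ && !seen_reject { ok = 1 }
        /-j REJECT|-j DROP/ { seen_reject = 1 }
        END { exit ok ? 0 : 1 }'
}

# Running the script stand-alone prints the ruleset.
gen_ruleset
```

Load it with `sh ip6rules.sh | ip6tables-restore` as root, after `icmpv6_accept_precedes_reject` has returned 0. The `-p tcp` split is needed because `--reject-with tcp-reset` is only valid for TCP; a single REJECT with `icmp6-port-unreachable` would also work but makes closed TCP ports look filtered rather than closed to on-campus scanners.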
Current thread:
- IPtables versus Tcp_wrapper Griese, Steven A. (Mar 03)
- <Possible follow-ups>
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)