Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 4 Mar 2010 14:09:51 -0600

On Thu, 2010-03-04 at 14:41 -0500, Valdis Kletnieks wrote:
> On Thu, 04 Mar 2010 12:29:43 CST, Josh Richard said:
> > Not to open the worm can, but given all this discussion about filtering,
> > how many of us are currently maintaining IPv6 in production?  If so,
> > please consider the V6 analog to iptables -- ip6tables, which allows for
> > most table manipulation.  Along that line, if you are using V6, how is
> > it going?
>
> We've been doing IPv6 for years now (literally - since 1997 or so).
>
> And yes, we use ip6tables where appropriate (our IPv6-enabled Linux boxes).
> Ends up looking a lot like our IPv4 setups (accept traffic on ports we should,
> send "go away" replies to on-campus for closed ports, and silently ignore
> off-campus).
>
> One biggie - *DO NOT* drop ICMP6 traffic like a lot of people like to do
> with ICMP4.  Things will work quite poorly if you do.  Trust me on this one. ;)
> (And if you know enough about IPv6 to reliably drop the right types of icmp6
> and not hose yourself, you understand why I say "don't drop any of it" ;)
> Seriously - the minimal info leakage caused by icmp is vastly outweighed by
> the number of calls your help desk will have to deal with where an IWF drops
> icmp6 and can't figure out what went wrong.  And "Don't Drop icmp6" is a meme
> that you can sell to an IWF, but "allow icmp6 codes 132, 135, 142, <3 or 4 more>,
> and also 117 if you do XYZ" is one they'll screw up.

We have been bitten by the ICMP6 issue in testing.  No SLAAC.  I agree, the
recommendation is one which can scale.

You mentioned in a previous post you have 2 /16's.  We have 1 for 15K
drops + wireless.  It is amazing how fast you burn through V4 in that
situation.  What is your current default offering for say a new
building?  Dual stack w/NAT?  SLAAC vs. DHCPV6?

josh


Attachment: signature.asc
Description: This is a digitally signed message part
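The ip6tables layout Valdis describes above (accept the services you run, send a "go away" to on-campus hosts for closed ports, silently drop off-campus, and never drop ICMPv6), written out as an added example; this is not part of the original thread and not either poster's configuration. The campus prefix 2001:db8::/32, the port list and the DHCPv6 rule are assumptions. The script prints the rules for review and only applies them when APPLY=1 is set, and it includes a check that no rule ends up dropping or rejecting ICMPv6.

```shell
#!/bin/sh
# Added example, not from the thread: an ip6tables INPUT policy in the shape
# Valdis describes.  ICMPv6 is accepted as a whole because Neighbor Discovery
# (RS/RA/NS/NA), Packet Too Big for path-MTU discovery and MLD all ride on it;
# dropping it is what breaks SLAAC.  Prefix and ports below are assumptions.

CAMPUS_PREFIX="${CAMPUS_PREFIX:-2001:db8::/32}"    # assumed campus range
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 443}"   # assumed exposed services

# Print the rules instead of running them so the ordering can be reviewed.
gen_ip6tables_rules() {
    prefix="$1"
    ports="$2"
    echo "ip6tables -F INPUT"
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    # ICMPv6 goes before anything that could reject or drop it.
    echo "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT"
    echo "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "ip6tables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DHCPv6 replies arrive from a link-local server to UDP 546; keep if you use DHCPv6.
    echo "ip6tables -A INPUT -p udp -s fe80::/10 --dport 546 -j ACCEPT"
    # On-campus sources get a "go away"; everything else is ignored.
    echo "ip6tables -A INPUT -s $prefix -j REJECT --reject-with icmp6-port-unreachable"
    echo "ip6tables -A INPUT -j DROP"
    echo "ip6tables -P INPUT DROP"
}

# Sanity check: number of generated rules that DROP or REJECT ICMPv6 (must be 0).
count_icmp6_drops() {
    gen_ip6tables_rules "$1" "$2" | grep -cE 'ipv6-icmp.*-j (DROP|REJECT)' || true
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_ip6tables_rules "$CAMPUS_PREFIX" "$ALLOWED_TCP_PORTS" | sh -e
else
    gen_ip6tables_rules "$CAMPUS_PREFIX" "$ALLOWED_TCP_PORTS"
fi
```

Run it without APPLY to see the rules; `CAMPUS_PREFIX=... ALLOWED_TCP_PORTS="22 80 443" APPLY=1 sh script.sh` applies them as root. The policy is set to DROP last so an interactive session is not cut off between the flush and the rules that would let it back in.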

