-------- Original Message --------
Subject: Re: Ipv6 for the content provider
From: Valdis.Kletnieks@vt.edu
To: Charles N Wyble <charles@knownelement.com>
Cc: nanog@nanog.org
Date: Wednesday, January 26, 2011 4:09:07 PM
On Wed, 26 Jan 2011 13:56:05 PST, Charles N Wyble said:
The only issue I've faced is RHEL/CentOS doesn't have stateful connection tracking for IPv6 - so ip6tables is practically worthless.
Hmmmm. Interesting. I wonder if this is specific to the RedHat kernel? Or a problem with v6 support on Linux in general? (Linux kernels are trying to stick to a release-every-3-months schedule).
RHEL/CentOS 5 is using a 2.6.18 kernel. The needed support for stateful IPv6 landed in 2.6.21 or so (so almost a year after RHEL 5 did its feature freeze). RHEL 6 is apparently a 2.6.32 kernel so it should be there. Cutting edge kernel is currently 2.6.38-rc2.
I was under the impression that the later versions of 5 (e.g. 5.5, 5.6) had backported stateful connection tracking. Has anyone tested recently? We mainly use iptables on end-servers to limit access to a few key applications (like SSH) to trusted subnets; the rest of the applications (SMTP, IMAP, HTTP, etc.) are initiated from outside sources, so there's no state to begin with. In these setups stateful tracking is not a must, but I would still like to have it in case a rogue listener/service is started. We have many RH5 servers deployed, and moving to 6 for this feature alone seems a little much. What I would really like to see is better DoS protection in the form of tracking the total number of connections (per host and per application) and new connection rate limits (per host and globally to an application). The last time I tested these features via the optional module, the module was not configurable to the scale we needed, nor was it reliable at smaller scales. Perhaps I will test both of these again in RH5 and report back.
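As an added example, not written by anyone in this thread: a ruleset in ip6tables-restore format that implements the policy the last message describes (SSH reachable only from trusted subnets, stateful acceptance so an unexpected listener is not reachable from outside, per-host concurrent-connection caps with connlimit, and new-connection rate limits with hashlimit). It assumes a kernel with IPv6 connection tracking (2.6.21 or later, as noted above, so RHEL 6 rather than a stock RHEL 5 kernel); the 2001:db8 prefix, port list and thresholds are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an ip6tables-restore ruleset for the
# policy described above. Assumes IPv6 connection tracking in the kernel
# (nf_conntrack_ipv6, 2.6.21+; i.e. RHEL 6, not a stock RHEL 5 2.6.18 kernel).
# The 2001:db8 prefix, ports and thresholds are constructed placeholders.
TRUSTED_MGMT="2001:db8:1::/48"   # constructed: only this prefix may reach SSH
PUBLIC_PORTS="25,143,80,443"     # SMTP, IMAP, HTTP, HTTPS as in the message

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and ICMPv6 (neighbour discovery and PMTUD break if it is dropped)
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Stateful core: replies to our own connections in, junk state out
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: trusted prefix only, new connections rate-limited per source /64
-A INPUT -p tcp --dport 22 -s ${TRUSTED_MGMT} -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 3/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name ssh6 -j DROP
-A INPUT -p tcp --dport 22 -s ${TRUSTED_MGMT} -m conntrack --ctstate NEW -j ACCEPT
# Public services: cap concurrent connections per source /64 (connlimit) ...
-A INPUT -p tcp -m multiport --dports ${PUBLIC_PORTS} -m conntrack --ctstate NEW -m connlimit --connlimit-above 50 --connlimit-mask 64 -j REJECT --reject-with tcp-reset
# ... and cap the global new-connection rate per destination port (hashlimit)
-A INPUT -p tcp -m multiport --dports ${PUBLIC_PORTS} -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 500/sec --hashlimit-burst 1000 --hashlimit-mode dstport --hashlimit-name pub6 -j DROP
-A INPUT -p tcp -m multiport --dports ${PUBLIC_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# Anything else, including a rogue listener, falls to the INPUT DROP policy
COMMIT
EOF
}

# Count how many INPUT rules the policy carries (handy for a sanity check)
input_rule_count() {
  build_ruleset | grep -c '^-A INPUT'
}

# Print by default; apply only on explicit request (as root): sh ip6rules.sh apply
if [ "${1:-}" = "apply" ]; then
  build_ruleset | ip6tables-restore
else
  build_ruleset
fi
```

Without the conntrack support the thread discusses, the `--ctstate` rules fail to load and the whole restore is rejected, which is a quick way to confirm whether a given RHEL 5 kernel has the backport.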