Bug#580507: linux-image-2.6.32-5-openvz-amd64: CONFIG_NF_CONNTRACK_IPV6 is not set

To: 580507@bugs.debian.org
Cc: kmp+debian.reportbug@kmp.or.at
Subject: Bug#580507: linux-image-2.6.32-5-openvz-amd64: CONFIG_NF_CONNTRACK_IPV6 is not set
From: Steven Chamberlain <steven@pyro.eu.org>
Date: Tue, 14 Dec 2010 03:41:39 +0000
Message-id: <[🔎] 4D06E773.6080100@pyro.eu.org>
Reply-to: Steven Chamberlain <steven@pyro.eu.org>, 580507@bugs.debian.org

Hi,

This is still missing from current 2.6.32-5-openvz-amd64. It's enabledas a module for linux-image-2.6.32-5-amd64 though. It's not clear to mewhy it's missing from the openvz flavour.

Anyway, the lack of nf_conntrack_ipv6 doesn't prevent IPv6 from beingused in OpenVZ host/guest VEs, because net.ipv6.conf.default.forwardingstill causes the host to act as an IPv6 router for guest VEs.

The reason nf_conntrack_ipv6 is desirable is because it allows the useof '-m state --state RELATED,ESTABLISHED' in ip6tables rules (in eitherthe host VE's FORWARD table or guest VEs' INPUT tables), so that trafficto most ports can be filtered except in response to outgoingconnections. This gives IPv6 hosts an additional layer of security thatwas traditionally a side-effect of NAT in IPv4.

My suggested alternative in the meantime is to keep ports 1024-65535open, because source ports for outgoing connections will usually be inthat range. Most services will listen on ports 1-1023, which can befiltered/closed except for any services that need to be public.


Regards,
--
Steven Chamberlain
steven@pyro.eu.org

Reply to:

Prev by Date: Processed: tagging 606968
Next by Date: Bug#604480: linux-2.6: CVE-2010-4072 ff.
Previous by thread: Processed: tagging 606968
Next by thread: Bug#604480: linux-2.6: CVE-2010-4072 ff.
Index(es):
- Date
- Thread