Description of problem:
While iptables implicitly loads the IPv4 connection tracking (reason: IPTABLES_MODULES="ip_conntrack_netbios_ns" in /etc/sysconfig/iptables-config), ip6tables has no extra connection tracking modules configured and therefore the connection tracking (available since 2.6.21) isn't used. That's bad and can be easily fixed.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.7-2

How reproducible:
Always

Steps to Reproduce:
1. let system-config-firewall create the default ruleset
2. start ip6tables

Actual results:
No IPv6 connection tracking module is loaded.

Expected results:
IPv6 connection tracking module is loaded.

Additional info:
Easy workaround: put the IPv6 connection tracking module into the module load list:

File: /etc/sysconfig/ip6tables-config
- IP6TABLES_MODULES=""
+ IP6TABLES_MODULES="nf_conntrack_ipv6"

This can be backported to FC6 with kernel >= 2.6.21 as requirement.

BTW: one should also fix lokkit to produce a proper ruleset at least for F7, e.g. the following one:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

With this change, the IPv6 connection tracking module is loaded automatically now.
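As an added check that is not part of the report or of Fedora's tooling: a small Python linter that parses an iptables-save style ip6tables ruleset and the IP6TABLES_MODULES line from ip6tables-config, confirming that the filter chain actually matches on connection state, accepts ICMPv6 (needed for neighbour discovery) and ends in a default deny. The sample ruleset is a constructed, shortened copy of the one proposed above.

```python
import re

# Constructed sample in iptables-save format: a shortened copy of the
# stateful ruleset proposed in the report.
GOOD_RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""


def parse_rules(text):
    """Return (chain, rule) pairs for every -A line of an iptables-save dump."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "-A":
            rules.append((parts[1], parts[2]))
    return rules


def audit_ruleset(text, chain="RH-Firewall-1-INPUT"):
    """Check the properties a stateful IPv6 filter chain needs."""
    rules = [r for c, r in parse_rules(text) if c == chain]
    state_idx = [i for i, r in enumerate(rules) if "--state ESTABLISHED,RELATED" in r]
    return {
        # conntrack only helps if the chain actually matches on state
        "uses_conntrack": bool(state_idx),
        # ICMPv6 carries neighbour discovery; filtering it breaks IPv6 itself
        "accepts_icmpv6": any(re.search(r"-p (icmpv6|ipv6-icmp)\b.*-j ACCEPT", r) for r in rules),
        # the chain must end in a default deny, with the state rule before it
        "default_deny": bool(rules) and re.match(r"-j (REJECT|DROP)\b", rules[-1]) is not None
        and (not state_idx or state_idx[0] < len(rules) - 1),
    }


def conntrack_module_configured(config_text):
    """True if IP6TABLES_MODULES in ip6tables-config lists nf_conntrack_ipv6."""
    m = re.search(r'^IP6TABLES_MODULES="([^"]*)"', config_text, re.M)
    return bool(m) and "nf_conntrack_ipv6" in m.group(1).split()
```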
See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214117
"lokkit" in system-config-securitylevel is generating the improper ruleset.
There is no need to load the nf_conntrack_ipv6 module by hand; it is done automatically as soon as the functionality is used. There will be a new version of system-config-securitylevel which generates proper ipv6 firewall rules.
system-config-securitylevel-1.7.0-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.