Bug 244729 - ipv6 connection tracking is not used (but available) by lokkit
Summary: ipv6 connection tracking is not used (but available) by lokkit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-06-18 19:38 UTC by Peter Bieringer
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: 1.7.0-5.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-03 02:42:12 UTC
Type: ---
Embargoed:



Description Peter Bieringer 2007-06-18 19:38:08 UTC
Description of problem:
While iptables implicitly loads the IPv4 connection tracking module (reason:
IPTABLES_MODULES="ip_conntrack_netbios_ns" in /etc/sysconfig/iptables-config),
ip6tables has no extra connection tracking modules configured, and therefore the
connection tracking (available since 2.6.21) isn't used. That's bad and can be
easily fixed.

Version-Release number of selected component (if applicable):
iptables-ipv6-1.3.7-2

How reproducible:
Always

Steps to Reproduce:
1. let system-config-firewall create the default ruleset
2. start ip6tables
  
Actual results:
No IPv6 connection tracking module is loaded.

Expected results:
IPv6 connection tracking module is loaded.

Additional info:

Easy workaround:

Put IPv6 connection tracking module into module load list:
File: /etc/sysconfig/ip6tables-config
- IP6TABLES_MODULES=""
+ IP6TABLES_MODULES="nf_conntrack_ipv6"

This can be backported to FC6 with kernel >= 2.6.21 as a requirement.

BTW: one should also fix lokkit to produce a proper ruleset, at least for
F7, e.g. the following one:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

With this change, the IPv6 connection tracking module is loaded automatically now.

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214117
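As an added example (not code from the bug report or from system-config-securitylevel), a small Python audit that parses an ip6tables-save style ruleset like the one above and checks the properties the report relies on: a state match (the thing that needs nf_conntrack_ipv6), the ESTABLISHED,RELATED accept placed before the catch-all reject, and an IPv6 reject type. The embedded ruleset is a constructed, trimmed copy of the proposed one; the catch-all detection assumes a match-less rule starts with -j, as ip6tables-save prints it.

```python
import shlex

# Constructed sample (not a file from the page): the IPv6 ruleset proposed in the report, trimmed.
STATEFUL_RULESET = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

def parse_rules(text):
    """Map each chain to its '-A' rules (as token lists) from ip6tables-save style text."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # chain declaration ':NAME POLICY [pkts:bytes]'
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):             # '-A CHAIN <matches> -j TARGET [target options]'
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains

def target_of(rule):
    return rule[rule.index("-j") + 1] if "-j" in rule else None

def audit_chain(rules):
    """Check conntrack use, ESTABLISHED,RELATED accept before the catch-all REJECT/DROP,
    and an IPv6-valid --reject-with. A catch-all is a rule with no match (it starts with -j)."""
    established_idx = catchall_idx = None
    uses_conntrack = reject_type_ok = False
    for idx, rule in enumerate(rules):
        if any(a == "-m" and b in ("state", "conntrack") for a, b in zip(rule, rule[1:])):
            uses_conntrack = True                # this is what pulls in nf_conntrack_ipv6
        if "--state" in rule and target_of(rule) == "ACCEPT" and established_idx is None:
            if {"ESTABLISHED", "RELATED"} <= set(rule[rule.index("--state") + 1].split(",")):
                established_idx = idx
        if rule[0] == "-j" and target_of(rule) in ("REJECT", "DROP"):
            catchall_idx = idx
            # ip6tables REJECT defaults to icmp6-port-unreachable; icmp-* names are IPv4-only
            rtype = rule[rule.index("--reject-with") + 1] if "--reject-with" in rule else "icmp6-port-unreachable"
            reject_type_ok = rtype.startswith("icmp6-") or rtype == "tcp-reset"
    ordered = established_idx is not None and (catchall_idx is None or established_idx < catchall_idx)
    return {"uses_conntrack": uses_conntrack, "established_before_catchall": ordered,
            "reject_type_ok": reject_type_ok}
```

Run `audit_chain(parse_rules(open("/etc/sysconfig/ip6tables").read())["RH-Firewall-1-INPUT"])` against a saved ruleset to see whether it is stateful and correctly ordered.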

Comment 1 Peter Bieringer 2007-07-16 09:46:41 UTC
"lokkit" in system-config-securitylevel is generating the improper ruleset.

Comment 2 Thomas Woerner 2007-08-02 09:21:35 UTC
There is no need to load the nf_conntrack_ipv6 module by hand; it is done
automatically as soon as the functionality is used.

There will be a new version of system-config-securitylevel which generates
proper ipv6 firewall rules.

Comment 3 Fedora Update System 2007-08-03 02:42:00 UTC
system-config-securitylevel-1.7.0-5.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

