On Wed, Dec 26, 2007 at 11:03:59PM -0500, Roberto C. Sánchez wrote:
> Sam,
> 
> I was looking into this and I cannot reproduce it.  Here is what I see
> on a freshly booted machine running Shorewall 4.0.6 with
> DISABLE_IPV6=yes:
> 
> ip6tables --list
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     0        anywhere             anywhere
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     0        anywhere             anywhere
> 
> So, I am left scratching my head.  The policies are now DROP instead of
> accept.  However, the source/destination are anywhere.  Of course, a
> shorewall dump does not show anything called anywhere.  So, I am not
> sure if this is some ip6tables shorthand or if it is bogus.  If the former,
> I am inclined to think that it is wide-open on IPv6.  If the latter, I
> am inclined to think that nothing is going to get through.
> 
> The kicker is that a 'shorewall restart' does not change anything.
> 
Sam,

I have a bit more information on this.  Basically, the problem is
related to a bug reported in redhat [0].  It turns out that shorewall
loads nf_nat_h323, which loads nf_conntrack_h323, which loads ipv6.
According to that last message posted in the redhat bugzilla, the
problem was fixed by the netfilter team upstream.  Based on that, I do
not think that this bug is really a bug in shorewall.  Thus, I am
inclined to close it.  If you have an objection, please let me know.  If
I do not receive an objection in the near future, I will go ahead and
close this bug.

Regards,

-Roberto

[0] https://bugzilla.redhat.com/show_bug.cgi?id=375581
[1] http://marc.info/?l=netfilter-devel&m=119676981314842&w=4

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
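As an added example, not code from this thread or from Shorewall: a small POSIX shell helper that classifies each chain in `ip6tables --list` output. `anywhere` is how ip6tables displays `::/0` when it is not run with `-n`, so an ACCEPT rule for all protocols from anywhere to anywhere matches every packet before the chain's DROP policy is ever consulted. The embedded listing is the one quoted above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: classify each chain of an
# `ip6tables --list` listing as "open-by-rule" (an ACCEPT rule for all
# protocols, anywhere -> anywhere, which wins before the policy applies),
# "policy-<POLICY>" (only the policy decides), "no-policy" or "unknown".

# Sample listing, copied from the quoted message above (quote marks removed).
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0        anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0        anywhere             anywhere
EOF
)

# chain_disposition LISTING CHAIN -> prints the disposition of CHAIN.
# Source/destination are read as the last two fields because the "opt"
# column is blank for IPv6; older ip6tables printed "0" for all protocols,
# newer versions print "all".
chain_disposition() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^Chain / {
      chain = $2
      if (chain == want) { found = 1; if ($3 == "(policy") { policy = $4; gsub(/[()]/, "", policy) } }
      next
    }
    /^target / { next }
    chain == want && NF >= 4 && $1 == "ACCEPT" && ($2 == "0" || $2 == "all") &&
      ($(NF-1) == "anywhere" || $(NF-1) == "::/0") && ($NF == "anywhere" || $NF == "::/0") { open = 1 }
    END {
      if (!found) print "unknown"
      else if (open) print "open-by-rule"
      else if (policy == "") print "no-policy"
      else print "policy-" policy
    }'
}

# report_chains LISTING -> one "CHAIN: disposition" line per chain
report_chains() {
  for c in $(printf '%s\n' "$1" | awk '/^Chain /{print $2}'); do
    printf '%s: %s\n' "$c" "$(chain_disposition "$1" "$c")"
  done
}

report_chains "$SAMPLE_LISTING"
# On a live host: report_chains "$(ip6tables --list)"
```

For the quoted listing this reports INPUT and OUTPUT as open-by-rule and FORWARD as policy-DROP, i.e. the DROP policies only bite on forwarded IPv6 traffic.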