Re: Ipv6 for the content provider


2011-01-31 Thread Simon Perreault
On 2011-01-31 12:38, Blake Hudson wrote: I was under the impression that the later versions of 5 (e.g. 5.5, 5.6) had backported stateful connection tracking. Has anyone tested recently? The command # ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT works on CentOS 5.5. And there's no

Re: Ipv6 for the content provider

2011-01-31 Thread Blake Hudson
Original Message Subject: Re: Ipv6 for the content provider From: Simon Perreault simon.perrea...@viagenie.ca To: nanog@nanog.org Date: Monday, January 31, 2011 11:48:34 AM On 2011-01-31 12:38, Blake Hudson wrote: I was under the impression that the later versions of 5 (e.g

Re: Ipv6 for the content provider

2011-01-31 Thread Jack Bates
On 1/31/2011 11:48 AM, Simon Perreault wrote: works on CentOS 5.5. And there's no documentation for it in man ip6tables. So it fits the backport hypothesis... Not unexpected. The kernel also handles virtio for kvm. It's nowhere near vanilla. Jack

Re: Ipv6 for the content provider

2011-01-31 Thread Randy McAnally
On Mon, 31 Jan 2011 11:53:22 -0600, Blake Hudson wrote # ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT I guess the next question is whether or not it actually works correctly You can open/shut ports but you can't do anything with connection state (RELATED, ESTABLISHED, etc).

Re: Ipv6 for the content provider

2011-01-31 Thread Antonio Querubin
On Mon, 31 Jan 2011, Simon Perreault wrote: The command # ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT works on CentOS 5.5. And there's no documentation for it in man ip6tables. So it fits the backport hypothesis... While it may accept it, you may find it doesn't really work

Re: Ipv6 for the content provider

2011-01-31 Thread Lamar Owen
On Monday, January 31, 2011 01:29:18 pm Randy McAnally wrote: The solution is to manually build your own kernel from a vanilla source, along with all the problems that entails. There's also the RH eMRG rt kernel which is built on substantially newer sources. You'll need to rebuild it yourself

Re: Ipv6 for the content provider

2011-01-29 Thread George B.
On Fri, Jan 28, 2011 at 8:04 PM, Owen DeLong o...@delong.com wrote: The IPv6 geo databases actually tend to be about on par with the IPv4 ones from what I have seen so far (which is admittedly limited as I don't really use geolocation services). However, I still think it is important for

Re: Ipv6 for the content provider

2011-01-28 Thread Bill Stewart
On 1/26/11, Owen DeLong o...@delong.com wrote: And if your servers behind the LB aren't prepared for it, you lose a LOT of logging data, geolocation capabilities, and some other things if you go that route. Of course, anybody expecting a current IPv4 geolocation service to provide accurate

Re: Ipv6 for the content provider

2011-01-28 Thread Owen DeLong
The IPv6 geo databases actually tend to be about on par with the IPv4 ones from what I have seen so far (which is admittedly limited as I don't really use geolocation services). However, I still think it is important for people considering deploying something as you described to be aware of the

Re: Ipv6 for the content provider

2011-01-27 Thread Jared Mauch
On Jan 27, 2011, at 2:53 AM, Antonio Querubin wrote: On Wed, 26 Jan 2011, Owen DeLong wrote: It's actually pretty well known and it is documented in several places in plain sight. Where? A search for IPV6_V6ONLY in the FreeBSD Handbook yields nothing. You'd think the brokenness

Ipv6 for the content provider

2011-01-26 Thread Charles N Wyble
Hello, All the recurring threads about prefix length, security posture, ddos, consumer CPE support have been somewhat interesting to my service provider alter ego. Ipv6 is definitely on folks minds this year. The threads seem a lot less trollish as

Re: Ipv6 for the content provider

2011-01-26 Thread Jack Carrozzo
Bind and apache work with v6 out of the box, and have for years. As I understand it, when a client requests a particular domain of yours and gets an A and an AAAA, the client will default to the AAAA (assuming it's on a v6 network) and attempt to communicate as such. Failing that, it will fall

RE: Ipv6 for the content provider

2011-01-26 Thread George Bonser
From: Charles N Wyble Sent: Wednesday, January 26, 2011 10:23 AM To: nanog@nanog.org Subject: Ipv6 for the content provider For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content over ipv6, and support

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
Do I just need to assign ip addresses to my servers, add records to my DNS server and that's it? I'm running PowerDNS for DNS, Apache for WWW. Postfix for SMTP. It might be that simple, it might not. Depends on your application. For the DNS and Mail, it should be pretty much that

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 10:39 AM, George Bonser wrote: From: Charles N Wyble Sent: Wednesday, January 26, 2011 10:23 AM To: nanog@nanog.org Subject: Ipv6 for the content provider For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want

Re: Ipv6 for the content provider

2011-01-26 Thread Graham Beneke
On 26/01/2011 20:22, Charles N Wyble wrote: For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content over ipv6, and support ipv6 SMTP. What are folks doing in this regard? Do I just need to assign ip addresses to

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Charles N Wyble wrote: Do I just need to assign ip addresses to my servers, add records to my DNS server and that's it? I'm running PowerDNS for DNS, Apache for WWW. Postfix for SMTP. Best to remove IP version dependencies in your configs. If you are using

Re: Ipv6 for the content provider

2011-01-26 Thread Francois Tigeot
On Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble wrote: For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content over ipv6, and support ipv6 SMTP. What are folks doing in this regard? Do I just need

RE: Ipv6 for the content provider

2011-01-26 Thread George Bonser
Application level support on Linux/FreeBSD/NetBSD is 98% and rising every day. Apache, BIND, Postfix, they all work great. The problem is you may need config adjustment. Your Apache ListenOn's will need IPv6 added, your Postfix local nets ACL will need your IPv6 addresses added, and so

RE: Ipv6 for the content provider

2011-01-26 Thread George Bonser
And if your servers behind the LB aren't prepared for it, you lose a LOT of logging data, geolocation capabilities, and some other things if you go that route. Owen Relying on IP address for geolocation is actually quite ridiculous though I do realize that many people seem to believe that

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Antonio Querubin wrote: Best to remove IP version dependencies in your configs. If you are using name-based virtual hosting in Apache, convert: Listen a.b.c.d:80 - Listen 80 Virtualhost a.b.c.d:80 - Virtualhost *:80 Use hard-coded IP addresses only where

Re: Ipv6 for the content provider

2011-01-26 Thread Dale W. Carder
Thus spake Jack Carrozzo (j...@crepinc.com) on Wed, Jan 26, 2011 at 01:38:48PM -0500: As I understand it, when a client requests a particular domain of yours and gets an A and an AAAA, the client will default to the AAAA (assuming it's on a v6 network) and attempt to communicate as such.

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 11:10 AM, David Freedman wrote: And if your servers behind the LB aren't prepared for it, you lose a LOT of logging data, geolocation capabilities, and some other things if you go that route. Owen I can't imagine an LB vendor who would sell a v6 to v4 vip

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 11:22 AM, George Bonser wrote: And if your servers behind the LB aren't prepared for it, you lose a LOT of logging data, geolocation capabilities, and some other things if you go that route. Owen Relying on IP address for geolocation is actually quite ridiculous

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 11:17 AM, Antonio Querubin wrote: On Wed, 26 Jan 2011, Charles N Wyble wrote: Do I just need to assign ip addresses to my servers, add records to my DNS server and that's it? I'm running PowerDNS for DNS, Apache for WWW. Postfix for SMTP. Best to remove IP

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 11:17 AM, Francois Tigeot wrote: On Wed, Jan 26, 2011 at 10:22:40AM -0800, Charles N Wyble wrote: For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content over ipv6, and support ipv6 SMTP.

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 11:18 AM, George Bonser wrote: Application level support on Linux/FreeBSD/NetBSD is 98% and rising every day. Apache, BIND, Postfix, they all work great. The problem is you may need config adjustment. Your Apache ListenOn's will need IPv6 added, your Postfix local

Re: Ipv6 for the content provider

2011-01-26 Thread Randy McAnally
On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content over ipv6, and support ipv6 SMTP. What are folks doing in this regard? The only issue I've

Re: Ipv6 for the content provider

2011-01-26 Thread Dale W. Carder
Thus spake Randy McAnally (r...@fast-serv.com) on Wed, Jan 26, 2011 at 04:50:22PM -0500: On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content

Re: Ipv6 for the content provider

2011-01-26 Thread Charles N Wyble
On 01/26/2011 01:50 PM, Randy McAnally wrote: On Wed, 26 Jan 2011 10:22:40 -0800, Charles N Wyble wrote For the most part, I'm a data center/application administrator/content provider kind of guy. As such, I want to provide all my web content

Re: Ipv6 for the content provider

2011-01-26 Thread Randy McAnally
On Wed, 26 Jan 2011 13:56:05 -0800, Charles N Wyble wrote The only issue I've faced is RHEL/CentOS doesn't have stateful connection tracking for IPv6 - so ip6tables is practically worthless. H. Interesting. I wonder if this is specific to the RedHat kernel? I've worked around it by

Re: Ipv6 for the content provider

2011-01-26 Thread Valdis . Kletnieks
On Wed, 26 Jan 2011 13:56:05 PST, Charles N Wyble said: The only issue I've faced is RHEL/CentOS doesn't have stateful connection tracking for IPv6 - so ip6tables is practically worthless. H. Interesting. I wonder if this is specific to the RedHat kernel? Or a problem with v6

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Owen DeLong wrote: Listen a.b.c.d:80 - Listen 80 Virtualhost a.b.c.d:80 - Virtualhost *:80 That only works if you have only one address on the machine and. Actually it works fine on machines with multiple IP addresses for both FreeBSD and CentOS. And IPv6

Re: Ipv6 for the content provider

2011-01-26 Thread Lamar Owen
On Wednesday, January 26, 2011 05:01:31 pm Randy McAnally wrote: I've worked around it by compiling custom (newer) Kernels on systems that need it. Apparently support was added some time around 2.6.20, but of course RHEL5 is still in the dark ages of 2.6.18. RHEL has the eMRG kernel available

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Owen DeLong wrote: It would be nice if BSD would correct their IPV6_V6ONLY behavior instead of putting up an alleged security red herring. I'm not sure why Micr0$0ft suffers from this braindeath. Or at the very least document this in plain sight in the IPv6 section of

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Randy McAnally wrote: The only issue I've faced is RHEL/CentOS doesn't have stateful connection tracking for IPv6 - so ip6tables is practically worthless. As long as you're willing to run your iptables through a modification filter to generate the corresponding ip6tables

Re: Ipv6 for the content provider

2011-01-26 Thread Valdis . Kletnieks
On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said: On Wed, 26 Jan 2011, Owen DeLong wrote: Listen a.b.c.d:80 - Listen 80 Virtualhost a.b.c.d:80 - Virtualhost *:80 That only works if you have only one address on the machine and. Actually it works fine on machines

Re: Ipv6 for the content provider

2011-01-26 Thread Mark Andrews
Additionally for DNS don't forget to add IPv6 glue for the nameservers for your zones to the parent zones. For named in particular listen-on-v6 needs to be specified as it is not on by default e.g. listen-on-v6 { any; };. Named will ask questions over IPv6 by default even if it isn't listening

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 2:59 PM, Antonio Querubin wrote: On Wed, 26 Jan 2011, Owen DeLong wrote: It would be nice if BSD would correct their IPV6_V6ONLY behavior instead of putting up an alleged security red herring. I'm not sure why Micr0$0ft suffers from this braindeath. Or at the very

Re: Ipv6 for the content provider

2011-01-26 Thread Owen DeLong
On Jan 26, 2011, at 3:13 PM, valdis.kletni...@vt.edu wrote: On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said: On Wed, 26 Jan 2011, Owen DeLong wrote: Listen a.b.c.d:80 - Listen 80 Virtualhost a.b.c.d:80 - Virtualhost *:80 That only works if you have only one address

Re: Ipv6 for the content provider

2011-01-26 Thread Antonio Querubin
On Wed, 26 Jan 2011, Owen DeLong wrote: It's actually pretty well known and it is documented in several places in plain sight. Where? A search for IPV6_V6ONLY in the FreeBSD Handbook yields nothing. You'd think the brokenness would at least be mentioned in the handbook. A similar search