catalyst

Our blog is now accessible via the IPv6 Internet. While I've had the network IPv6 enabled for few months now, I've finally taken the plunge and changed Dynamic DNS providers, which means I can make our addresses available via DNS.

I used DynDNS for many years, but unfortunately they don't support AAAA records. I'm now using FreeDNS. They allow a domain name to have a static AAAA record and then dynamic updating of an A record. Which is exactly what I need!

Firewalling IPv6 on Linux seems to be a vaguely documented topic, and most of that documentation seems to be out of date as it is a fast moving target. I've spent a bit of time over the last couple of days working on improving my firewalling situation and thought I should write up what I've found.

After a bit of digging I found that while IPv6 connection tracking was merged in 2.6.16, the configuration options are somewhat hidden. Up until yesterday I was running 2.6.19.x on my firewall and I discovered that while ip6tables allowed me to configure a stateful firewall, it wasn't actually doing anything!

I looked around for the required nf_conntrack_ipv6 module and couldn't find it. I looked in my running kernels config and couldn't find it. In fact I couldn't find any option for enabling IPv6 connection tracking at all. After some digging (grep'ing the Kconfig files helps) I found that I needed to change over to the new (experimental) Layer 3 Independent Connection tracking support.

The catch here is that if you have the old school Connection tracking (CONFIG_IP_NF_CONNTRACK) enabled you'll never see the new independent method (CONFIG_NF_CONNTRACK) in menuconfig. Which is why I'd never seen it before. So I disabled CONFIG_IP_NF_CONNTRACK (in IP: Netfilter Configuration), enabled (the now visible) CONFIG_NF_CONNTRACK (in Core Netfilter Configuration) went into both the IP and IPv6 Netfilter Configuration menus and selected support for the connection tracking option.

Compiled, installed and rebooted. Suddenly I had IPv6 connection tracking working. w00t! But no IPv4 NAT. Damn. It turns out that IPv4 NAT support was only ported to the new Layer 3 Independent Connection stuff in 2.6.20.

So I downloaded 2.6.20.3, jumped into the IP: Netfilter Configuration menu and found "Full NAT". That's what I want. Compiled, installed and rebooted.

Now I have my old IPv4 NAT working, and a full stateful IPv6 firewall (with no NAT!).

Oh, if you are using IPv6 stateful firewalling with Linux then you want to upgrade to 2.6.20.3, it fixes an issue with incorrectly classifying IPv6 fragments as ESTABLISHED and letting them through. Oops. Also, 2.6.20 moves the config options around again...

At Linux.conf.au 2007 there was an organised GPG key signing session, where lots of people performed the GPG KeySigning dance. Afterwards quite a few (but less) people hung around in the foyer for the to perform the CAcert assurance dance.

I assured a few people, then joined a queue to be assured by one of the CAcert super assurers (and continued to assure people while waiting in the queue). This assurance bumped me up to the maximum number of points allowed for normal people. W00t!

I wasn't the only person from Catalyst to use this trick to get maximum points. As a result we now have 3 people able to allocate 35 points each. We also have a number of other people who can allocate less points than that. So if you're in the Wellington region and are interested in CAcert, drop by our offices (with suitable ID) and we can get you bootstrapped so you can start assuring people as well.