RE: [squid-users] Strange 503 on https sites [ipv6 edition]

From: Jenny Lee <bodycare_5_at_live.com>
Date: Tue, 28 Jun 2011 02:08:22 +0000

> Ouch! Add these at least:
> $IPT6 -A INPUT -j REJECT
> $IPT6 -A OUTPUT -j REJECT
> $IPT6 -A FORWARD -j REJECT
>
>
> > $IPT6 -P INPUT DROP
> > $IPT6 -P OUTPUT DROP
> > $IPT6 -P FORWARD DROP
> > fi
> >
>
> And *that* is exactly the type of false "disable" I was talking about.
>
> Squid and other software will attempt to open an IPv6 socket(). As long
> as the IPv6 modules are loaded in the kernel that will *succeed*. At
> first glance this is fine, IPv4 can still come and go through that
> socket.
>
> - In TCP they might then try to bind() to an IPv6, that *succeeds*.
> [bingo! IPv6 enabled and working. Squid will use it.]
> Then try to connect() to an IPv6. That also "succeeds" (partially).
> But the firewall DROP prevents the SYN packet ever going anywhere. Up to
> *15 minutes* later TCP will timeout.
>
> - In UDP things get even stranger. It expects no response, so send()
> to both IPv4 and IPv6 will *succeed*.
>
> Does the DNS error "No Servers responding;;" sound all too familiar?
> then you or a transit network is most likely using DROP somewhere on
> UDP, TCP or ICMP.

Unlikely to happen. Because we inserted ipv6 disable mechanisms to 50 different places. And that was the last line just in case nothing worked.

If it came to that part, it is a moot point if it is dropped or rejected. We have bigger problems.

From a client point, or in testing, I agree with you. REJECT should be used to inform failing clients. Otherwise DROPs will cause lengthy delays.

But on internet-facing production systems, DROP should be used.

- Less network traffic when there are attacks
- More secure
- Immune to spoofing and reflection scans on other systems
- Immune to probes

But as I mentioned, my rules should be considered in the whole context of disabling ipv6, whereas the OP's issue might very well be these very DROP rules that I advocate.

My intention was to post useful info to those who are trying to disable ipv6 on RHEL rather than find a solution to OP's squid problems which is your expertise.

I surely will be bothering you with bugs and mistakes about ipv6 once I compile squid with it... But I don't expect that to be before 2020 or until I am left as the last person on earth who is not supporting ipv6.

Jenny

PS: I have never seen these "IPV6 DROPPED" entries over the years in logs.
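The quoted explanation above (socket() and bind() succeed, connect() hangs under a DROP rule, fails fast under REJECT) can be checked on one's own hosts. The following is an added example written for this archive page, not code from the thread or from Squid: `probe_connect` times a TCP connect and labels the failure, and `ipv6_is_really_disabled` repeats the socket/bind test Amos describes. The assumption it encodes is the one made in the thread: a DROP shows up as a timeout, a REJECT as an immediate refused/unreachable error. The closed local port it probes is constructed for offline use; function names and labels are this example's own.

```python
"""Added example (not from the thread): measure how a blocked connect()
fails, to tell a REJECT (fast error) from a DROP (long timeout), and
check whether IPv6 is really disabled or only firewalled."""
import errno
import socket
import time

# Outcome labels returned by probe_connect() (names chosen for this example).
CONNECTED = "connected"
REFUSED = "refused"          # RST or ICMP unreachable: REJECT-style failure
UNREACHABLE = "unreachable"  # no route / address family not available
TIMEOUT = "timeout"          # nothing came back: DROP-style failure


def probe_connect(host, port, timeout=3.0):
    """Try a TCP connect and classify how it fails.

    Returns (outcome, elapsed_seconds). Under a DROP rule the result is
    TIMEOUT after `timeout` seconds (instead of the kernel's own, much
    longer SYN retry limit); under a REJECT rule it is REFUSED or
    UNREACHABLE almost immediately.
    """
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    start = time.monotonic()
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        # Address family not supported at all: IPv6 is truly disabled.
        return UNREACHABLE, time.monotonic() - start
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return CONNECTED, time.monotonic() - start
    except socket.timeout:
        return TIMEOUT, time.monotonic() - start
    except OSError as exc:
        if exc.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            return REFUSED, time.monotonic() - start
        return UNREACHABLE, time.monotonic() - start
    finally:
        sock.close()


def ipv6_is_really_disabled():
    """The check described in the thread: can we create and bind an IPv6
    socket? If both succeed, applications will use IPv6 regardless of
    what the firewall policy says, so a DROP policy is a "false disable"."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return True  # no IPv6 support in the kernel at all
    try:
        sock.bind(("::1", 0))
    except OSError:
        return True  # module loaded but no usable IPv6 address
    finally:
        sock.close()
    return False


def closed_local_port():
    """Find a TCP port on 127.0.0.1 that nothing listens on (constructed
    probe target so the example runs offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("IPv6 really disabled:", ipv6_is_really_disabled())
    # Loopback with no listener and no firewall: expect a fast "refused".
    print(probe_connect("127.0.0.1", closed_local_port()))
```

Run against a host whose ip6tables policy is DROP, a probe to any IPv6 address returns `("timeout", ~3.0)` while `ipv6_is_really_disabled()` still returns `False`, which is exactly the mismatch the quoted text warns about; against loopback with no filter the probe returns `"refused"` in a few milliseconds.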

Received on Tue Jun 28 2011 - 02:08:28 MDT