Jump to content
funtoo forums

networking in containers needs a more sincere approach.

Recommended Posts

This is mostly a thread to endorse firewall and ipv6 as defacto elements of the container offering from Funtoo.  Among the reasons it should be considered:



1.  An internet presence without a firewall encourages abuse and is a poor practice that contributes to the harm of the internet and its users. 

2.  Firewalls can and should be used as a learning tool to help grow the understanding of Funtoo and Linux in general.  learning firewall implementation makes for a better user.

3.  iptables provides a wealth of other neat tools to help users learn basics and advanced concepts of networking such as masquerade and DPI. 

4.  the consequences of a breech far outweigh the repercussions of expanded conntrack overhead, whatever it may be.  a compromised container can put funtoo in RBL territory and reputation system blacklists.  our users deserve firewalls and freedom from the 'one rotten egg' type of bans on subnets enforced by google and cisco.

5.  its FUN to play in iptables http://shortround.net/2010/09/24/making-an-image-flip-proxy/



1.  "Do IT" --S. LeBouf.

2.  ARIN insisted we have our collective ducks in a row in 2012.   Its had meaningful support in the kernel since 2006.  its support at the carrier level is ubiquitous.  most ISP's offer a v6 address, if not a subnet, for the user.

3.  nearly every hosting provider on earth supplies a v6 subnet to their customer.   If we continue treating IPv6 as an option and subject to interest, we tacitly imply a shortcoming in Funtoo. 

4.  ipv6 ipsec extensions are the security we need in 2016. modular headers, ndp, stateless and stateful configuration and host based routing isnt something thats going away.

5.  even your cellphone uses IPv6.  if you're a T-Mobile subscriber your stack to the tower is almost entirely v6.

6.  its fun to play with new things.  ipv6 load balancing is super neat.  developing new software that uses ipv6 means your container will have to support ipv6.


for containers to be competitive, attractive and useful, it means they have to support things that every other container supports.

Share this post

Link to post
Share on other sites

We currently offer iptables support and have for a long time.

For IPv6, our datacenter doesn't have native IPv6 but we will likely set up a tunnel soon to provide IPv6 addressing. That's kind of a bummer. It is more than offset by our datacenter powering our servers using solar power, and passively cooling them (no AC needed) for over half of the year, giving our tiny datacenter an efficiency that rivals Facebook and Google's build-outs.

As for new technology, we are now using ZFS RAID-Z, Intel Optane to accelerate our IO, have 40 core (80 cores hyperthreaded) systems, and are now using LXD and kernel 4.14.12-2 (migrating away from OpenVZ and RHEL6 kernels.) And we also document our setups so others can do the same. (Docs for our 2nd generation infrastructure are in the works.)

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now