Linux has some strange default IPv6 behavior. Here are a few things I noticed…
You can bind to a port on an IPv4 address while all of your tools will report that the port is on IPv6. For example, if your host is 198.51.100.1, you can bind to ::FFFF:198.51.100.1 and all state-checking tools like lsof will report the listener as being on an IPv6 port. You can do this in netcat with nc -6 -l ::FFFF:126.96.36.199.
Linux appears not to have a concept of default IPv6 rules with default ACCEPT everything. Instead, running ip6tables-save will simply return a blank output without an error code. In a small deployment you can catch this, but in a mass deployment scenario it becomes quite problematic.
By default, binding to all IPv6 addresses will also bind to all IPv4 addresses. This can be changed by setting the sysctl 1. This seems like a very poor default.
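The dual-stack bind and the IPv4-mapped address form described above can be checked on loopback with the following added example, which is not code from the original post. The function names are hypothetical; it sets the standard IPV6_V6ONLY socket option explicitly on each listener so the result does not depend on the system-wide default.

```python
import ipaddress
import socket


def effective_ipv4(addr):
    """Return the IPv4 address inside an IPv4-mapped IPv6 address, else None."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6Address has this
    return str(mapped) if mapped is not None else None


def probe_wildcard_listener(v6only):
    """Listen on [::] with IPV6_V6ONLY set explicitly, then connect over IPv4.

    Returns the peer address as the listener sees it, or None when the
    IPv4 connection is refused (the listener is IPv6-only).
    """
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        # Explicit per-socket setting: overrides whatever the host default is.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))          # port 0: kernel picks a free port
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(2)
            try:
                cli.connect(("127.0.0.1", port))
            except ConnectionRefusedError:
                return None
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


if __name__ == "__main__":
    # Dual-stack listener: the IPv4 client shows up as an IPv4-mapped peer.
    seen = probe_wildcard_listener(v6only=False)
    print("dual-stack listener saw peer:", seen, "->", effective_ipv4(seen))
    # IPv6-only listener: the same IPv4 connection attempt is refused.
    print("v6only listener saw peer:", probe_wildcard_listener(v6only=True))
    # Normalising the mapped form from the post before comparing to IPv4 rules.
    print(effective_ipv4("::FFFF:198.51.100.1"))
```

Services that should not be reachable over IPv4 can set IPV6_V6ONLY themselves, and inventory or ACL tooling can pass reported addresses through a normaliser like `effective_ipv4` before matching them against IPv4 policy.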