| 1 |
Hi folks |
| 2 |
|
| 3 |
Can we get some volunteers to write-up some ipv6 notes for the |
| 4 |
gentoo/hardened docs |
| 5 |
|
| 6 |
My quick notes would look as follows: |
| 7 |
|
| 8 |
- What is ipv6, notes that it's basically a completely separate protocol |
| 9 |
and might be unexpectedly enabled. Also discussion on link local vs |
| 10 |
external ip addresses (quite a significant change from ipv4) |
| 11 |
|
| 12 |
- Conditions to use it, eg enabling use flags AND noting that the |
| 13 |
"listen" syntax is often different in the app of your choice, eg listen |
| 14 |
[::} vs listen * |
| 15 |
|
| 16 |
- Pointers on enabling external access to your machine (note I'm seeing |
| 17 |
new providers turn on ipv6 every week, this is a fairly rapidly changing |
| 18 |
situation now). ie enabling ipv6 tunnels, dhcpv6, autoconfig, etc |
| 19 |
|
| 20 |
- How to disable ipv6. Sub notes: |
| 21 |
|
| 22 |
a) iptables6 default drop (iptables -P) |
| 23 |
b) iptables6 reject |
| 24 |
# ip6tables -A INPUT -j DROP |
| 25 |
# ip6tables -A OUTPUT -j DROP |
| 26 |
# ip6tables -A FORWARD -j DROP |
| 27 |
c) sysctl |
| 28 |
d) blacklist kernel module or build kernel without support |
| 29 |
e) kernel command line option (useful when not modular kernel) |
| 30 |
"ipv6.disable=1" |
| 31 |
f) Build specific apps without support (seems pointless though?) |
| 32 |
g) Ensure specific apps only listen on ipv4 using config. Check using |
| 33 |
"netstat -l" |
| 34 |
|
| 35 |
|
| 36 |
Anyone care to kick that around for a bit, maybe pour some sauce on it? |
| 37 |
|
| 38 |
Ed |
Archives