Hi folks

Can we get some volunteers to write up some ipv6 notes for the
gentoo/hardened docs

My quick notes would look as follows:

- What is ipv6, notes that it's basically a completely separate protocol
and might be unexpectedly enabled. Also discussion on link local vs
external ip addresses (quite a significant change from ipv4)

- Conditions to use it, eg enabling use flags AND noting that the
"listen" syntax is often different in the app of your choice, eg listen
[::] vs listen *

- Pointers on enabling external access to your machine (note I'm seeing
new providers turn on ipv6 every week, this is a fairly rapidly changing
situation now). ie enabling ipv6 tunnels, dhcpv6, autoconfig, etc

- How to disable ipv6. Sub notes:

a) ip6tables default drop (iptables -P)
b) ip6tables reject
# ip6tables -A INPUT -j DROP
# ip6tables -A OUTPUT -j DROP
# ip6tables -A FORWARD -j DROP
c) sysctl
d) blacklist kernel module or build kernel without support
e) kernel command line option (useful when not modular kernel)
"ipv6.disable=1"
f) Build specific apps without support (seems pointless though?)
g) Ensure specific apps only listen on ipv4 using config. Check using
"netstat -l"


Anyone care to kick that around for a bit, maybe pour some sauce on it?

Ed
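Added example, not part of Ed's post or the Gentoo docs: a POSIX shell audit covering sub-notes c), e) and g) above. It checks the sysctl disable_ipv6 knobs, the ipv6.disable=1 kernel command line, and lists IPv6 listeners from "netstat -l" style output. The listener sample is constructed inline, and the function arguments defaulting to /proc/sys and /proc/cmdline are assumed paths so the checks can be run against a test tree.

```shell
#!/bin/sh
# Constructed sample of "netstat -l" output (not captured from a real host).
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp6       0      0 :::546                  :::*'

# Sub-note g): filter stdin for sockets bound on an IPv6 address.
# netstat labels them tcp6/udp6/raw6; print "proto local_address".
ipv6_listeners() {
    awk '$1 ~ /^(tcp|udp|raw)6$/ { print $1, $4 }'
}

# Number of IPv6 listeners in a "netstat -l" dump passed as $1.
count_ipv6_listeners() {
    printf '%s\n' "$1" | ipv6_listeners | wc -l | tr -d ' '
}

# Sub-note c): the sysctl knobs. Assumes the two files below under the
# sysctl root ($1, /proc/sys on a live host) must both read 1.
# Per-interface files under conf/<iface>/ are not checked here.
ipv6_disabled_by_sysctl() {
    root=${1:-/proc/sys}
    for f in "$root/net/ipv6/conf/all/disable_ipv6" \
             "$root/net/ipv6/conf/default/disable_ipv6"; do
        [ -r "$f" ] || return 1
        [ "$(cat "$f")" = "1" ] || return 1
    done
    return 0
}

# Sub-note e): look for the exact token ipv6.disable=1 in the kernel
# command line ($1, /proc/cmdline on a live host).
ipv6_disabled_on_cmdline() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'ipv6.disable=1'
}

# Report on the constructed sample; a live audit would feed "netstat -l"
# output instead and leave the path arguments at their defaults.
echo "IPv6 listeners in sample: $(count_ipv6_listeners "$SAMPLE_LISTENERS")"
printf '%s\n' "$SAMPLE_LISTENERS" | ipv6_listeners
if ipv6_disabled_by_sysctl /proc/sys; then echo "sysctl: ipv6 disabled"
else echo "sysctl: ipv6 not disabled (or not readable)"; fi
if ipv6_disabled_on_cmdline /proc/cmdline; then echo "cmdline: ipv6.disable=1 set"
else echo "cmdline: ipv6.disable=1 not set (or not readable)"; fi
```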