On 26/06/12 05:03, Alex Efros wrote:
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be a bad idea to enable it by default until we are
> sure the admin is ready for this (for example, we may check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).

Yes, you are right. Enabling IPv6 is the same as enabling a completely
new protocol. Configuration, routing and firewalls need to be set up.

But there is an easy way to "opt-out" which could easily be described.
If the default kernel config builds IPv6 support as a module, you can
easily do 'modprobe -r ipv6' and you don't have IPv6 enabled on a
running kernel. This can also be added to the modprobe blacklist as
well, so it's not loaded upon boot. Or for those configuring their own
kernels, disabling the IPv6 module can be another alternative. These
alternatives can easily be documented, IMHO.

kind regards,

David Sommerseth
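
The check proposed in the quoted text (is IPv6 enabled in the kernel, and do IPv6 firewall rules exist), as an added example that is not part of the original thread. It assumes saved copies of /proc/net/if_inet6 and of ip6tables-save output; the function names and the sample data are constructed for illustration.

```shell
# Added example: report IPv6 exposure from saved kernel and firewall state.

# True if any non-loopback interface holds an IPv6 address.
# $1: copy of /proc/net/if_inet6 (the file is absent when ipv6 is not loaded)
ipv6_active() {
    [ -r "$1" ] || return 1
    # Fields: address ifindex prefixlen scope flags device
    awk '$6 != "lo" { found = 1 } END { exit !found }' "$1"
}

# True if the filter table has a DROP policy or any rule on INPUT.
# $1: saved output of ip6tables-save
ip6_rules_exist() {
    [ -r "$1" ] || return 1
    awk '/^\*/ { in_filter = ($1 == "*filter") }
         in_filter && (/^:INPUT DROP / || /^-A INPUT /) { found = 1 }
         END { exit !found }' "$1"
}

# Prints disabled, filtered or unfiltered.
ipv6_exposure() {
    if ! ipv6_active "$1"; then echo disabled
    elif ip6_rules_exist "$2"; then echo filtered
    else echo unfiltered
    fi
}

# Constructed sample inputs, not taken from a real host.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000000000000000001 02 40 20 80     eth0
EOF
cat > "$SAMPLE/rules.open" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
cat > "$SAMPLE/rules.strict" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
ipv6_exposure "$SAMPLE/if_inet6" "$SAMPLE/rules.open"
ipv6_exposure "$SAMPLE/if_inet6" "$SAMPLE/rules.strict"
ipv6_exposure "$SAMPLE/no_such_file" "$SAMPLE/rules.open"
```

On a live host the first argument would be /proc/net/if_inet6 and the second a file written by running ip6tables-save as root; "unfiltered" is the state the quoted message warns about.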