| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 27.06.2012 09:19, Alex Efros wrote: |
| 5 |
> Hi! |
| 6 |
> |
| 7 |
<SNIP> |
| 8 |
>> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP # |
| 9 |
>> ip6tables -A FORWARD -j DROP There you are safe now. |
| 10 |
> |
| 11 |
> Safe, but don't working. Do you enable ipv6 USE flag just to force |
| 12 |
> people to either disable unintentionally enabled IPv6 in kernel |
| 13 |
> and/or add this ip6tables configuration? I suppose you enable ipv6 |
| 14 |
> USE flag to make it easier for people to start using IPv6. But to |
| 15 |
> use IPv6 these ip6tables rules doesn't helps - we really need docs |
| 16 |
> how to setup IPv6 firewall in secure way, written by people who not |
| 17 |
> just read IPv6 RFCs, but understood all security implications of |
| 18 |
> IPv6-specific features. Last time I tried to google for such docs |
| 19 |
> was few years ago, but I found nothing at all. |
| 20 |
> |
| 21 |
|
| 22 |
I think firewall-config is a mystery to many people. But you're right: |
| 23 |
good documentation would be nice! |
| 24 |
|
| 25 |
Concerning the ipv6-USEFLAG: Since there may be packages with no |
| 26 |
compile-time option or packages which have one but with ebuilds that |
| 27 |
don't use it there is only one option to be safe: disable it in your |
| 28 |
kernelconfig. |
| 29 |
|
| 30 |
Just thinking "No USEFLAG equals security" is simply wrong and even |
| 31 |
adds a layer of obfuscation where you may think that you're safe while |
| 32 |
you aren't. |
| 33 |
|
| 34 |
I think it doesn't matter security-wise if ipv6 is enabled or disabled |
| 35 |
by default because you have to disable it inside the kernel to be on |
| 36 |
the safe side. |
| 37 |
|
| 38 |
WKR |
| 39 |
Hinnerk |
| 40 |
-----BEGIN PGP SIGNATURE----- |
| 41 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 42 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 43 |
|
| 44 |
iQEcBAEBAgAGBQJP6rYaAAoJEJwwOFaNFkYcwIMH/A5mNGg2EClgS4f/YTsvmuyq |
| 45 |
vQvzcrh56/zob2Qf7OHFNvTWSXcyu70nqkuuce1qg0Je/oMsGJoewz+0xSbIoX1I |
| 46 |
/S+dWHHCaUJQMZc+w8rhjh7Rvl3zBm32lja9bmBCLDfsbXiPXHfIpj/LIcOEEHsN |
| 47 |
Tn2+ntkjQIE3ehMjmO/Ke7w5XuSokP4yDzmeSZ0q7soTVWCIrMU1YB+Flyx11qnl |
| 48 |
2g1focGTQm5n8TDjopbsppM5l4jodFeWW2eaH9Fgy2J21kQEUFqammvfbI8+nI89 |
| 49 |
J/+Idvge/0s9ToKACziY6Z6XT4CnKl0+pQhDjJjl6W3wV6ZQVRZxi+e9rkzEmUo= |
| 50 |
=O/Bt |
| 51 |
-----END PGP SIGNATURE----- |
Archives