On 27.06.2012 09:19, Alex Efros wrote:
> Hi!
>
<SNIP>
>> # ip6tables -A INPUT -j DROP
>> # ip6tables -A OUTPUT -j DROP
>> # ip6tables -A FORWARD -j DROP
>> There you are safe now.
>
> Safe, but not working. Do you enable the ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in the kernel
> and/or add this ip6tables configuration? I suppose you enable the ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules don't help - we really need docs on
> how to set up an IPv6 firewall in a secure way, written by people who
> have not just read the IPv6 RFCs, but understood all security
> implications of IPv6-specific features. The last time I tried to google
> for such docs was a few years ago, but I found nothing at all.
>

I think firewall-config is a mystery to many people. But you're right:
good documentation would be nice!

Concerning the ipv6 USE flag: Since there may be packages with no
compile-time option, or packages which have one but with ebuilds that
don't use it, there is only one option to be safe: disable it in your
kernel config.

Just thinking "No USE flag equals security" is simply wrong and even
adds a layer of obfuscation where you may think that you're safe while
you aren't.

I think it doesn't matter security-wise if ipv6 is enabled or disabled
by default because you have to disable it inside the kernel to be on
the safe side.

WKR
Hinnerk
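
A check for the point argued in this thread, that the kernel and not the USE flag decides whether a host speaks IPv6. This is an added example, not part of the original mail; the function names and the sample config and `if_inet6` contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether the kernel
# itself carries IPv6, regardless of how userland packages were built.

# kernel_ipv6_build FILE -> builtin | module | absent | unknown
# FILE is a kernel .config (plain, or gzip-compressed like /proc/config.gz).
kernel_ipv6_build() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$1" in *.gz) reader="gzip -dc" ;; *) reader="cat" ;; esac
    # An option with unmet dependencies is omitted from .config entirely,
    # so "no CONFIG_IPV6 line" is reported as absent as well.
    $reader "$1" | awk '
        /^CONFIG_IPV6=y$/ { r = "builtin" }
        /^CONFIG_IPV6=m$/ { r = "module" }
        END { print (r == "" ? "absent" : r) }'
}

# runtime_ipv6_state PROC_ROOT -> off | idle | active
# net/if_inet6 is present only when the IPv6 stack is initialised; each line
# ends in the interface name, so any non-"lo" entry is a reachable address.
runtime_ipv6_state() {
    f="${1:-/proc}/net/if_inet6"
    [ -e "$f" ] || { echo off; return 0; }
    awk '$6 != "lo" { n++ } END { print (n ? "active" : "idle") }' "$f"
}

# ipv6_audit CONFIG PROC_ROOT -> one summary line
ipv6_audit() {
    echo "kernel=$(kernel_ipv6_build "$1") runtime=$(runtime_ipv6_state "$2")"
}

# Constructed sample: a host where IPv6 is compiled into the kernel and an
# interface holds a link-local address, although nobody configured IPv6.
demo=$(mktemp -d)
mkdir -p "$demo/proc/net"
printf 'CONFIG_NET=y\nCONFIG_INET=y\nCONFIG_IPV6=y\n' > "$demo/config"
cat > "$demo/proc/net/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
EOF
ipv6_audit "$demo/config" "$demo/proc"   # constructed host
rm -rf "$demo"
```

On a real system, call `ipv6_audit` with the running kernel's config file and `/proc`; any result other than `kernel=absent runtime=off` means IPv6 traffic still needs a firewall policy.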