Gentoo Archives: gentoo-hardened

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] ipv6 on by default for hardened profile
Date: Tue, 26 Jun 2012 06:02:46
Message-Id: 4FE939D4.3080403@gentoo.org
In Reply to: Re: [gentoo-hardened] ipv6 on by default for hardened profile by Alex Efros
On 06/25/2012 10:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better than later I think.
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the
> admin develops IPv6 firewall rules similar to the existing IPv4 firewall
> rules. And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes because of enabling the ipv6
> USE flag) then it may be a bad idea to enable it by default until we are
> sure the admin is ready for this (for example, we may check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).
>
> BTW, are there any (Gentoo?) guides/howtos which explain these issues
> (preferably from a "differences from IPv4" point of view) to the average
> admin who knows how to set up IPv4 and knows nothing about IPv6, and provide
> a minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begin with writing such docs.
>
You do run into these issues, I think we need to do a news thing for the
hardened profiles if we go ahead and enable it.

--
-- Matthew Thode (prometheanfire)
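
Added example, not part of the original thread: the check suggested in the quoted message (is IPv6 enabled in the kernel, and do IPv6 firewall rules exist), written as a shell script. It assumes the rules are managed with ip6tables; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a host has IPv6 active
# in the kernel without any ip6tables INPUT filtering. Assumes ip6tables.

# ipv6_active FILE: FILE is in /proc/net/if_inet6 format
# (address ifindex prefixlen scope flags ifname). True if any non-loopback
# interface holds an IPv6 address; link-local fe80:: addresses count too.
ipv6_active() {
    [ -r "$1" ] && awk '$6 != "lo" { found = 1 } END { exit !found }' "$1"
}

# input_summary FILE: FILE is `ip6tables-save` output. Prints the filter
# table's INPUT policy and the number of rules appended to INPUT.
# A missing dump is treated as "no policy, no rules".
input_summary() {
    [ -r "$1" ] || { echo "policy=none rules=0"; return 0; }
    awk '
        /^\*/                                { table = $1 }
        table == "*filter" && $1 == ":INPUT" { policy = $2 }
        table == "*filter" && /^-A INPUT /   { rules++ }
        END { printf "policy=%s rules=%d\n", (policy == "" ? "none" : policy), rules }
    ' "$1"
}

# check_ipv6_exposure IF_INET6 RULES: prints ipv6-inactive, unfiltered,
# rules-present (ACCEPT policy with rules, review by hand) or default-drop.
check_ipv6_exposure() {
    ipv6_active "$1" || { echo "ipv6-inactive"; return 0; }
    case "$(input_summary "$2")" in
        policy=DROP*) echo "default-drop" ;;
        *" rules=0")  echo "unfiltered" ;;
        *)            echo "rules-present" ;;
    esac
}

# Constructed sample: eth0 has a link-local address, ip6tables has no rules.
tmp=$(mktemp -d)
printf '%s\n' \
  '00000000000000000000000000000001 01 80 10 80       lo' \
  'fe80000000000000021122fffe334455 02 40 20 80     eth0' > "$tmp/if_inet6"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
  ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$tmp/rules.v6"
check_ipv6_exposure "$tmp/if_inet6" "$tmp/rules.v6"   # prints: unfiltered
```

On a live host, save the output of `ip6tables-save` to a file as root and pass `/proc/net/if_inet6` and that file to `check_ipv6_exposure`.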
