On Tue, Mar 04, 2008 at 09:05:01PM -0500, Overholt, Warren wrote: > Listening on all IPv6 addresses would be acceptable to me, if I can > limit > access to certain IPs (say with tcpwrappers). Both postfix and ssh > appear > to allow binding to a specific IPv6 address, but they lead on the > security curve. On the other hand bind9 seems to only allow IPv6 > listening to be enabled or disabled, not by port/IP (although it does > have internal acls). > > The somewhat vague answer is to request that the clients > connecting > can be limited appropriately. I am using tcpwrappers for security on > other services in IPv6. Limiting to the local-link address would also > work in my configuration. IPv6 firewalls are not as developed/tested as > IPv4 firewalls, so I do not trust them to provide as much security for > now.
In my experimental version, I have made approx first try to listen on an IPv6 socket if supported, otherwise fall back to IPv4. It seems to work, but I don't have much of an IPv6 testbed here. If you're able to test it more thoroughly, please let me know. It no longer supports the $interface parameter, since it's not clear what address that should mean, and I don't want to add a lot of configuration machinery to specify multiple addresses. So tcpwrappers would be one possibility, but it seems vulnerable to source IP address spoofing. I think it would be better to use iptables rules for servers with multiple interfaces. Would that work in your environment? -- Eric Cooper e c c @ c m u . e d u -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

