On Tue, Mar 04, 2008 at 09:05:01PM -0500, Overholt, Warren wrote:
> Listening on all IPv6 addresses would be acceptable to me, if I can
> limit
> access to certain IPs (say with tcpwrappers).  Both postfix and ssh
> appear
> to allow binding to a specific IPv6 address, but they lead on the 
> security curve.  On the other hand bind9 seems to only allow IPv6 
> listening to be enabled or disabled, not by port/IP (although it does 
> have internal acls).
> 
>       The somewhat vague answer is to request that the clients
> connecting
> can be limited appropriately.  I am using tcpwrappers for security on
> other services in IPv6.  Limiting to the local-link address would also
> work in my configuration.  IPv6 firewalls are not as developed/tested as
> IPv4 firewalls, so I do not trust them to provide as much security for
> now.

In my experimental version, I have made approx first try to listen on an
IPv6 socket if supported, otherwise fall back to IPv4.  It seems to
work, but I don't have much of an IPv6 testbed here.  If you're able
to test it more thoroughly, please let me know.

It no longer supports the $interface parameter, since
it's not clear what address that should mean, and I don't want to add
a lot of configuration machinery to specify multiple addresses.

So tcpwrappers would be one possibility, but it seems vulnerable to
source IP address spoofing. I think it would be better to use iptables
rules for servers with multiple interfaces.  Would that work in your
environment?

-- 
Eric Cooper             e c c @ c m u . e d u



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to