Package: arno-iptables-firewall
Version: 1.9.2.k-2
Severity: normal
Tags: upstream ipv6
Although this version of arno-iptables-firewall contains preliminary IPv6 support, it is turned off by default, and it doesn't appear that it can be enabled at the same time as IPv4 support is enabled. Running arno-iptables-firewall on a default squeeze install leaves the following firewall policy in place for IPv6 packets:

r...@ermintrude:/home/tim# ip6tables -L -v
Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination

As IPv6 is enabled by default in Debian, this leaves hosts vulnerable to attacks via IPv6. E.g. without any IPv6 infrastructure in place it leaves machines open to the local LAN via the IPv6 automatic link-local IP addresses:

r...@ermintrude:/home/tim# ping6 -c 2 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::201:3ff:fe48:4f1e ethInet: 56 data bytes
64 bytes from fe80::201:3ff:fe48:4f1e: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from fe80::2e0:81ff:fe74:9783: icmp_seq=1 ttl=64 time=0.302 ms (DUP!)
64 bytes from fe80::240:48ff:feb1:175e: icmp_seq=1 ttl=64 time=0.414 ms (DUP!)
64 bytes from fe80::20c:29ff:fef8:aa3: icmp_seq=1 ttl=64 time=0.528 ms (DUP!)
64 bytes from fe80::20c:29ff:fecb:3cac: icmp_seq=1 ttl=64 time=0.642 ms (DUP!)
[...]

r...@ermintrude:/home/tim# nmap -PN -6 fe80::240:48ff:feb1:175e%eth0
Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-25 10:57 BST
Interesting ports on fe80::240:48ff:feb1:175e:
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
[...]

But with fully routable IPv6 in place (as may well become commonplace during the lifetime of newly installed machines), attacks against machines would be possible from the Internet at large.
Whilst not intrinsically a problem with arno-iptables-firewall, it is at the very least probably not what the user was expecting, and it would be very useful if the user was alerted to this current behaviour (i.e. arno-iptables-firewall will not block any inbound IPv6 traffic, even when tight controls on IPv4 exist), along with information on how to block or disable IPv6, if that's what they wish to do (in the absence of useful IPv6 support by the package).

Thanks,

Tim.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages arno-iptables-firewall depends on:
ii  debconf   1.5.35        Debian configuration management sy
ii  gawk      1:3.1.7.dfsg-5  GNU awk, a pattern scanning and pr
ii  iproute   20100519-3    networking and traffic control too
ii  iptables  1.4.8-3       administration tools for packet fi

Versions of packages arno-iptables-firewall recommends:
ii  dnsutils  1:9.7.1.dfsg.P2-2  Clients provided with BIND
ii  lynx      2.8.8dev.4-2     Text-mode WWW Browser (transitiona

arno-iptables-firewall suggests no packages.

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]
/etc/arno-iptables-firewall/firewall.conf changed [not included]

-- debconf information excluded
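An added example, not part of Tim's report or of the arno-iptables-firewall package: a small POSIX shell script that audits `ip6tables -L -v` output for built-in chains that default to ACCEPT with no rules (the state the report shows), and prints a minimal inbound-deny IPv6 baseline for an administrator to review. The sample ip6tables text is constructed in the shape of the report's output; `unfiltered_chains`, `ip6_baseline_rules` and `audit_live` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the bug report or of arno-iptables-firewall.
# 1) unfiltered_chains: reads `ip6tables -L -v` text on stdin and prints each
#    built-in chain that has a default policy of ACCEPT and no rules at all.
# 2) ip6_baseline_rules: prints (does not run) a minimal inbound-deny IPv6
#    ruleset for an administrator to review and then apply as root.

# Constructed sample in the shape of the report's `ip6tables -L -v` output.
SAMPLE_IP6TABLES='Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination'

unfiltered_chains() {
    awk '
        function flush() { if (chain != "" && policy == "ACCEPT" && rules == 0) print chain }
        /^Chain /          { flush(); chain = $2; policy = $4; rules = 0; next }
        /^ *pkts +bytes/   { next }      # column header, not a rule
        NF > 0             { rules++ }   # any other non-blank line is a rule
        END                { flush() }
    '
}

ip6_baseline_rules() {
    cat <<'EOF'
# Deny inbound and forwarded IPv6 by default; allow outbound.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
# Loopback and replies to connections this host opened.
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery; dropping it breaks IPv6 on the link.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# Add explicit ACCEPT rules here for services that must be reachable over IPv6.
EOF
}

# Audit the live host (needs root); prints nothing when every chain is filtered.
audit_live() { ip6tables -L -v | unfiltered_chains; }

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_IP6TABLES" | unfiltered_chains
```

On the sample the audit prints INPUT, FORWARD and OUTPUT; review the printed baseline before piping it to a root shell, since the ICMPv6 line accepts all ICMPv6 types rather than only neighbour discovery.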