On 26/06/12 05:03, Alex Efros wrote:
> Hi!

Hi!

> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better than later I think.
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls.

Different routing tables maybe, but the firewall is still the same, the
iptables based one. And with the ipv6 USE you get it.

> Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the
> admin develops IPv6 firewall rules similar to existing IPv4 firewall rules.

The USE has little to nothing to do with this, the ipv6 is not a magic USE
flag that necessarily works with all packages, it only does it with those
that have it. Others may just not have an option to disable ipv6.

Anyway, for this to happen you must (and these are all necessary
conditions):

* Have an ipv6 route from the attacker to the affected machine.
* Have ipv6 enabled on the kernel.
* Have an ipv6 address assigned, accessible by the attacker.
* Get the attacker to know said address (since bruteforcing the address
  space is hard, to say the least).
* Have anything listening on that address (depending on the attack the
  icmpv6 server could be it, but there are other services which listen to
  ipv6 no matter what you do).

If one of them doesn't hold, the risk is not much more than the risk some
uncalled code can provide, which is still not much.

> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.

This depends a lot on which rules you have. In general it is more about
the address block than anything else.

> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be a bad idea to enable it by default until we are
> sure the admin is ready for this (for example, we may check whether IPv6
> is enabled in the kernel and whether IPv6 firewall rules exist).

You are mostly wrong, the only issue I can think of is if you enabled ipv6
on the kernel, in which case you are probably fucked since daemons may be
listening there anyway even before the change.

> BTW, do there exist (Gentoo?) guides/howtos which explain these issues
> (preferably from a "differences from IPv4" point of view) to an average
> admin who knows how to set up IPv4 and knows nothing about IPv6, and
> provide a minimum recommended configuration for IPv6 routing/firewall? I
> think enabling IPv6 by default should begin with writing such docs.

# ip6tables -A INPUT -j DROP
# ip6tables -A OUTPUT -j DROP
# ip6tables -A FORWARD -j DROP

There you are safe now.
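An added example, not part of the original message: a shell check of the three conditions from the list above that can be verified on the host itself (IPv6 enabled in the kernel, a globally scoped address assigned, something listening). The function names are hypothetical; it assumes the Linux /proc/net/if_inet6 and /proc/net/tcp6 formats, covers TCP listeners only, and each function takes an optional file path so it can be run against saved copies.

```shell
#!/bin/sh
# Added example: audit the locally checkable conditions from the list above.
# File arguments default to the live /proc entries on a Linux host.

# Condition: IPv6 enabled in the kernel (the file is absent otherwise).
ipv6_in_kernel() {
    [ -r "${1:-/proc/net/if_inet6}" ]
}

# Condition: an address reachable from beyond the local link.
# Column 4 of if_inet6 is the scope: 00 global, 20 link-local, 10 host.
# Prints "interface address" for each global address.
global_addrs() {
    awk '$4 == "00" { print $6, $1 }' "${1:-/proc/net/if_inet6}"
}

# Condition: something listening. Column 4 of tcp6 is the socket state,
# 0A = LISTEN. Sockets bound only to ::1 are skipped.
# Prints the listening ports in decimal, one per line.
listening_ports() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        if (a[1] != "00000000000000000000000001000000")   # ::1 as /proc prints it
            print hex2dec(a[2])
    }' "${1:-/proc/net/tcp6}" | sort -n | uniq
}

# Exit status 0 when all three local conditions hold, 1 otherwise.
ipv6_exposed() {
    ipv6_in_kernel "$1" || return 1
    [ -n "$(global_addrs "$1")" ] && [ -n "$(listening_ports "$2")" ]
}
```

Source the file and run `ipv6_exposed && listening_ports` to see which ports to cover with ip6tables rules; route reachability and whether an attacker knows the address cannot be checked from the host.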
