On 27.06.2012 09:19, Alex Efros wrote:
> Hi!
> <SNIP>
>> # ip6tables -A INPUT -j DROP
>> # ip6tables -A OUTPUT -j DROP
>> # ip6tables -A FORWARD -j DROP
>> There you are safe now.
>
> Safe, but not working. Do you enable the ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in the kernel
> and/or add this ip6tables configuration? I suppose you enable the ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules don't help - we really need docs on
> how to set up an IPv6 firewall in a secure way, written by people who have not
> just read the IPv6 RFCs, but understood all the security implications of
> IPv6-specific features. The last time I tried to google for such docs
> was a few years ago, but I found nothing at all.
>
I think firewall-config is a mystery to many people. But you're right: good documentation would be nice!

Concerning the ipv6 USE flag: since there may be packages with no compile-time option, or packages which have one but with ebuilds that don't use it, there is only one option to be safe: disable it in your kernel config. Just thinking "No USE flag equals security" is simply wrong and even adds a layer of obfuscation where you may think that you're safe while you aren't.

I think it doesn't matter security-wise if ipv6 is enabled or disabled by default because you have to disable it inside the kernel to be on the safe side.

WKR
Hinnerk
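An added example, not part of either poster's mail: a host ruleset in ip6tables-restore format that replaces the blanket DROP quoted above with a default-deny INPUT policy that still admits the ICMPv6 error and Neighbour Discovery messages IPv6 cannot operate without. It assumes a kernel with IPv6 connection tracking and the `hl` (hop limit) match; `gen_ip6_rules` is a name chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): a host ruleset that keeps IPv6 usable.
# Emits ip6tables-restore syntax; apply with:  gen_ip6_rules | ip6tables-restore
# Assumes IPv6 conntrack (nf_conntrack_ipv6) and the hl match are available.
gen_ip6_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows we already initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 that IPv6 cannot work without: error reporting and Path MTU discovery
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Neighbour Discovery: hop limit must be 255 (never forwarded); RAs come from link-local only
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s fe80::/10 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# rate-limited echo so the host stays diagnosable without becoming a ping sink
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# add explicit service rules here, e.g. SSH:
# -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
```

Everything not listed is dropped by the INPUT policy, so a new service needs its own ACCEPT rule rather than a change of policy.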
