> I am surprised that there is no way to disable ipv6 on Debian template.
>
> I reinstalled first the template using documentation
> https://www.qubes-os.org/doc/reinstall-template/
>
> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I
> did reboot the Template but it didn't change the outcome, I still had ipv6
> ports opened using "netstat -antp"
>
> I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but
> I still got those distant servers listening when I check using commands
> like "sudo lsof -i6" or "netstat -antp" on my Debian Template.

I agree that IPV6 shouldn't be used; IPV4 works, and is simpler, and thus
potentially less vulnerable (less attack surface, yadda, yadda.)  While
IPV6 isn't necessarily new, it still seems a bit "mysterious" to me.  It's
certainly more complex, and complexity is no friend of security.

Why not just disable IPV6 ("ignore") in the Network Manager (in sys-net,
displayed on the taskbar in dom0, next to the Qubes Manager icon)?

If sys-net/NetworkManager has ipv6 disabled, no VM is going to get any
IPV6 packets through.

> What is rpcbind, avahi-dae

I also agree that avahi shouldn't be enabled.  It is one of the first
things I disable in Qubes.  It's a zeroconf/Bonjour thing.  Not needed,
and more attack surface.

rpcbind is a portmapper thing, useful for NFS, and I'm not sure what else,
really.  Another thing I also disable.  (Probably like you, for security
reasons, I don't like seeing anything listening when I do a netstat.)

Also, this:

http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

I should note that due to a lot of hacking/harassment, I'm a bit more
paranoid than your typical user.

While it's probably innocent, seeing things like this enabled by default
in a system always makes me a bit less trusting of such a system; has an
NSA-tampering feeling to it.  :)

(Similar to audio/pulseaudio enabled in sys-net/sys-firewall, the apparmor
extra-profiles not being included in Tails for some bizarre reason, and
the like.)

exim4, I believe, was also enabled by default in fedora-23/debian-8, which
makes little sense.  If you want a mail server, set up a mail server,
don't have them running in every VM by default.

(As I mentioned in another post, I think there's an outstanding ticket to
eliminate unnecessary systemctl services in the debian and fedora
templates.)

> and why you got this ipv6 bound to systemd on
> PID 1 ? Looks suspicious, I thought Ipv6 was disabled by default on Qubes.

I've seen people diss systemd as being unnecessarily complex and obscure,
and thus a bit of a risk for security.  However, the dependency management
it provides is very powerful imho, and well worth it.

(I can't help but think the same startup dependency results couldn't have
been achieved with the "make" utility.  Probably not quite as elegantly,
but without adding another new utility.)

You say you see ipv6 bound to systemd?  Is it listening on a specific port
or anything?

Cheers

JJ
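
Added example (not part of the original message): a Python check for the question raised in this thread, listing IPv6 TCP listeners by parsing the kernel's /proc/net/tcp6 table, which is the data behind the tcp6 lines of "netstat -antp". The sample table is constructed, and a little-endian (x86) host is assumed for the address decoding.

```python
import ipaddress

PROC_TCP6 = "/proc/net/tcp6"
LISTEN = "0A"  # state code for TCP_LISTEN in /proc/net/tcp*

# Constructed sample in /proc/net/tcp6 layout (not captured from a real system):
# listeners on [::]:111 and [::1]:25, plus one established connection.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:006F 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0000000000000000FFFF00000100007F:A1B2 0000000000000000FFFF00000100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr, byteorder="little"):
    """Turn the 32 hex digits into an IPv6Address (four host-order 32-bit words)."""
    words = [bytes.fromhex(hex_addr[i:i + 8]) for i in range(0, 32, 8)]
    if byteorder == "little":  # assumption: x86 host, so each word is byte-swapped
        words = [w[::-1] for w in words]
    return ipaddress.IPv6Address(b"".join(words))


def ipv6_listeners(table_text):
    """Return one dict per socket in LISTEN state, skipping the header row."""
    found = []
    for line in table_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        found.append({"address": str(addr), "port": int(port_hex, 16),
                      "uid": int(fields[7]), "inode": int(fields[9]),
                      "wildcard": addr.is_unspecified})
    return found


if __name__ == "__main__":
    try:
        with open(PROC_TCP6) as fh:
            table = fh.read()
    except OSError:  # no IPv6 table on this system: fall back to the sample
        table = SAMPLE_TCP6
    for s in ipv6_listeners(table):
        note = " (all interfaces)" if s["wildcard"] else ""
        print(f"[{s['address']}]:{s['port']} uid={s['uid']} inode={s['inode']}{note}")
```

The inode column is what "sudo lsof -i6" resolves to an owning process.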
