> I am surprised that there is no way to disable ipv6 on Debian template.
>
> I reinstalled first the template using documentation
> https://www.qubes-os.org/doc/reinstall-template/
>
> Then I added "net.ipv6.conf.all.disable_ipv6 = 1" in /etc/sysctl.conf, I
> did reboot the Template but it didn't change the outcome, I still had ipv6
> ports opened using "netstat -antp"
>
> I even added "sudo ip6tables -P INPUT DROP" in "/rw/config/rc.local", but
> I still got those distant servers listening when I check using commands
> like "sudo lsof -i6" or "netstat -antp" on my Debian Template.
I agree that IPv6 shouldn't be used; IPv4 works, and is simpler, and thus potentially less vulnerable (less attack surface, yadda, yadda). While IPv6 isn't necessarily new, it still seems a bit "mysterious" to me. It's certainly more complex, and complexity is no friend of security.

Why not just disable IPv6 ("ignore") in the Network Manager (in sys-net, displayed on the taskbar in dom0, next to the Qubes Manager icon)? If sys-net/NetworkManager has IPv6 disabled, no VM is going to get any IPv6 packets through.

> What is rpcbind, avahi-dae

I also agree that avahi shouldn't be enabled. It is one of the first things I disable in Qubes. It's a zeroconf/Bonjour thing. Not needed, and more attack surface.

rpcbind is a portmapper thing, useful for NFS, and I'm not sure what else, really. Another thing I also disable. (Probably like you, for security reasons, I don't like seeing anything listening when I do a netstat.) Also, this: http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

I should note that due to a lot of hacking/harassment, I'm a bit more paranoid than your typical user. While it's probably innocent, seeing things like this enabled by default in a system always makes me a bit less trusting of such a system; it has an NSA-tampering feeling to it. :) (Similar to audio/pulseaudio enabled in sys-net/sys-firewall, the apparmor extra-profiles not being included in Tails for some bizarre reason, and the like.)

exim4, I believe, was also enabled by default in fedora-23/debian-8, which makes little sense. If you want a mail server, set up a mail server; don't have them running in every VM by default. (As I mentioned in another post, I think there's an outstanding ticket to eliminate unnecessary systemctl services in the debian and fedora templates.)

> and why you got this ipv6 bound to systemd on
> PID 1 ? Looks suspicious, I thought Ipv6 was disabled by default on Qubes.
I've seen people diss systemd as being unnecessarily complex and obscure, and thus a bit of a risk for security. However, the dependency management it provides is very powerful imho, and well worth it. (I can't help but think the same startup dependency results couldn't have been achieved with the "make" utility. Probably not quite as elegantly, but without adding another new utility.)

You say you see ipv6 bound to systemd? Is it listening on a specific port or anything?

Cheers
JJ

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dd0a71c1168b8a19068ad1fd4e942a44.webmail%40localhost.
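An added audit script for the listeners discussed in this thread (not code from the thread or from Qubes): it separates IPv4 from IPv6 listening sockets in `ss -H -ltnup` output and names the systemd units that own the rpcbind, avahi and exim4 sockets. The sample output embedded below is constructed to resemble a Debian template; run it for real inside the template with `sudo ss -H -ltnup | ipv6_listeners`.

```shell
#!/bin/sh
# Note: net.ipv6.conf.*.disable_ipv6=1 removes IPv6 addresses from the
# interfaces; a daemon can still bind the [::] wildcard, so such listeners
# stay visible in netstat/ss until the service itself is switched off.

# --- constructed sample of `sudo ss -H -ltnup` on a Debian template ---
SAMPLE='tcp  LISTEN 0 128 0.0.0.0:111  0.0.0.0:* users:(("rpcbind",pid=410,fd=8))
tcp  LISTEN 0 128 [::]:111     [::]:*    users:(("rpcbind",pid=410,fd=11))
tcp  LISTEN 0 20  127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=612,fd=5))
tcp  LISTEN 0 20  [::1]:25     [::]:*    users:(("exim4",pid=612,fd=6))
udp  UNCONN 0 0   0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=377,fd=12))
udp  UNCONN 0 0   [::]:5353    [::]:*    users:(("avahi-daemon",pid=377,fd=13))
tcp  LISTEN 0 128 [::]:22      [::]:*    users:(("sshd",pid=700,fd=3))'

# Reads ss lines on stdin; prints "proto local-address process" for every
# socket bound to an IPv6 address ([::] wildcard, [::1] loopback, global).
ipv6_listeners() {
    awk '$5 ~ /^\[/ {
        proc = $NF; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print $1, $5, proc
    }'
}

# Same for IPv4, so the two families can be compared side by side.
ipv4_listeners() {
    awk '$5 ~ /^[0-9]/ {
        proc = $NF; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
        print $1, $5, proc
    }'
}

# Map the daemons named in the thread to the Debian units that own their
# sockets (the .socket units must go too, or activation brings them back).
# Anything else (e.g. sshd) is left alone. Output: one line per daemon.
units_to_disable() {
    awk '{ proc = $NF; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc); print proc }' |
    sort -u |
    while read -r proc; do
        case "$proc" in
            rpcbind)      echo "rpcbind.socket rpcbind.service" ;;
            avahi-daemon) echo "avahi-daemon.socket avahi-daemon.service" ;;
            exim4)        echo "exim4.service" ;;
        esac
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE" | ipv6_listeners
printf '%s\n' "$SAMPLE" | units_to_disable
```

In the template the emitted units are switched off with `sudo systemctl disable --now <units>`, after which a fresh `ss -ltnup` should show only the listeners you intend to keep.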