Bug#611031: [gogoc] Add an option to not touch radvd/forwarding in router mode
Gogoc is by default set to host_type=host, to only route IPv6 traffic to and from the local host, without forwarding any traffic to a LAN. If one doesn't want gogoc to act as a router, one shouldn't put gogoc into router mode. And when one uses gogoc in router mode, one probably wants to restart radvd with a new configuration file.

Is it possible to add a /etc/radvd.cond.d/, like other tools (like sudo with /etc/sudoers.d/ and apt with /etc/apt/sources.list.d/)? That would solve this problem.

What could be done is also to put a comment in /etc/gogoc/gogoc.conf above host_type so that if one edits gogoc.conf to act as a router (host_type=router), one is warned by that line to also set up a firewall for IPv6.

Information about what happens when put in router mode could also be added in /usr/share/doc/gogoc/Debian.README. That a firewall with forward rules is needed when in router mode. Maybe a suggestion of tools to use? Shorewall6 and Ufw would be my suggestions. Ufw does have support upstream for handling FORWARD rules.

So, please add some/all of those suggestions and close this bug.

Yours
Anders Jackson

On Tue, 25 Jan 2011 13:49:47 +1100 Craig Small wrote:
> On Tue, Jan 25, 2011 at 03:41:46AM +0500, Roman Mamedov wrote:
> > My conclusion is that the 'linux.sh' script currently does way too much
> > automation, assuming it 'knows better' what the user wants. And among this, it
> > does things which are plain dangerous, not warning about them.
> Generally speaking it does know better.

Yes, I do agree on this. At least in its use case. If one knows better than gogoc, one can use /etc/network/interfaces.

> > I suggest adding a configuration file option to set whether or not linux.sh
> > should control RADVD and configure forwarding, and have that option off by
> > default.
> I wouldn't turn it off by default, people should know what a router is.
> By default the config sets you up as a host, which shouldn't be doing
> anything.
>
> I will look into editing the linux.sh so you can disable certain things.

That could be a solution, but a more intrusive one.

> - Craig

Yours,
Anders Jackson
Bug#611031: [gogoc] Add an option to not touch radvd/forwarding in router mode
On Tue, Jan 25, 2011 at 03:41:46AM +0500, Roman Mamedov wrote:
> My conclusion is that the 'linux.sh' script currently does way too much
> automation, assuming it 'knows better' what the user wants. And among this, it
> does things which are plain dangerous, not warning about them.

Generally speaking it does know better.

> I suggest adding a configuration file option to set whether or not linux.sh
> should control RADVD and configure forwarding, and have that option off by
> default.

I wouldn't turn it off by default, people should know what a router is.
By default the config sets you up as a host, which shouldn't be doing
anything.

I will look into editing the linux.sh so you can disable certain things.

 - Craig
--
Craig Small VK2XLZ    http://www.enc.com.au/    csmall at : enc.com.au
Debian GNU/Linux      http://www.debian.org/    csmall at : debian.org
GPG fingerprint: 1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5
Bug#611031: [gogoc] Add an option to not touch radvd/forwarding in router mode
Package: gogoc
Version: 1:1.2-2
Severity: wishlist

Hello!

From what I can see, the gogo client currently when put in a 'router' mode in the linux.sh template tries to generate a radvd.conf, then kill and restart radvd at will. I consider this to be an obnoxious and unnecessary intrusion into proper operation of another unrelated package - I might have had my own radvd setup, of which the tunnel provided by gogoc is only a small part.

It also silently enables forwarding, not warning the user that they might also want to set up ip6tables. So the internal network becomes completely exposed without proper firewalling rules on the gateway in place.

My conclusion is that the 'linux.sh' script currently does way too much automation, assuming it 'knows better' what the user wants. And among this, it does things which are plain dangerous, not warning about them.

I suggest adding a configuration file option to set whether or not linux.sh should control RADVD and configure forwarding, and have that option off by default.

--
With respect,
Roman
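The condition this report describes, IPv6 forwarding switched on while the gateway's ip6tables FORWARD chain filters nothing, can be checked for on a router-mode host. The script below is an added example, not part of the thread or of gogoc's linux.sh; the function names, status strings and sample rules (including the interface names eth1 and tun) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from gogoc): classify whether a host that forwards IPv6
# has any filtering in the ip6tables FORWARD chain.

# classify_v6_forwarding FORWARDING RULES
#   FORWARDING: contents of /proc/sys/net/ipv6/conf/all/forwarding
#   RULES:      output of `ip6tables -S FORWARD`
classify_v6_forwarding() {
    if [ "$1" != "1" ]; then
        echo "OK: host is not forwarding IPv6"
        return 0
    fi
    # The chain policy is the "-P FORWARD <target>" line.
    policy=$(printf '%s\n' "$2" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }')
    # Count appended rules that drop or reject packets.
    denies=$(printf '%s\n' "$2" | awk '$1 == "-A" && /-j (DROP|REJECT)/ { n++ } END { print n + 0 }')
    if [ -z "$policy" ]; then
        echo "UNKNOWN: forwarding on, FORWARD policy could not be read"
    elif [ "$policy" = "DROP" ]; then
        echo "OK: forwarding on, FORWARD policy is DROP"
    elif [ "$denies" -gt 0 ]; then
        echo "REVIEW: forwarding on, policy $policy, $denies deny rule(s)"
    else
        echo "EXPOSED: forwarding on, FORWARD chain accepts everything"
    fi
}

# Live check on the local machine; ip6tables needs root. Not run automatically.
audit_live() {
    classify_v6_forwarding \
        "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" \
        "$(ip6tables -S FORWARD)"
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_OPEN='-P FORWARD ACCEPT'
SAMPLE_FILTERED='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o tun -j ACCEPT'

classify_v6_forwarding 1 "$SAMPLE_OPEN"      # router mode, no firewall
classify_v6_forwarding 1 "$SAMPLE_FILTERED"  # router mode, default-deny
classify_v6_forwarding 0 "$SAMPLE_OPEN"      # host mode
```

Call `audit_live` as root to run the same classification against the running system.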