Re: Disable IPv6 on OpenBSD 4.0
Hi,

On Sun, 17.12.2006 at 22:09:43 +0100, Ingo Schwarze <[EMAIL PROTECTED]> wrote:
> If they really force you to conform to that kind
> of "security staff orders", minimize the breakage
> by using pf(4) - and pf only. In particular, do
> refrain from rolling your own kernel to remove IPv6.

Having something like 'sysctl -w net.inet.ipv[46].enable=[01]' would be nice, though.

Best,
--Toni++
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
> Yes, you can use anything as a transport, probably even pigeon
> carriers, but you need a receiving end to effect anything.

Indeed, see RFCs 1149 and 2549... two excellent April Fools on avian carriers!

> So, unless
> you fear that someone is able to install a trojan on your OpenBSD
> server by sending it ICMP packets encapsulating something in their
> payload that results in a program (so far already requiring a big
> remote-root hole in the kernel) and also have it run with root
> privileges, probably by exploiting some other unknown hole in OpenBSD,
> then switching off ICMP is a good precaution. In all other cases, I
> think that it's quite stupid.

Agreed, there are some services (like the ones offered by ICMP messages) that MUST remain enabled. Worst of all, when someone blocks application layer tools like ping(1) and traceroute(1) by means of these filters he is not only restricting his ability to trace network problems but sometimes the ability to trace problems from other networks too.

People should understand what services are required and what services are superfluous. Not all people need an SMTP listening on public addresses (sendmail listens by default on the loopback interface in OpenBSD, and it is required for a lot of internal services that sometimes send email), telnet or RPC enabled by default, but time synchronization services (time, daytime), SMTP on non-public interfaces (for those services sending email to system users), the auth service (for fast SMTP responses), and submission (RFC 2476) are required. No one wins by stopping these services, though.

Just take a look at other operating systems (I am thinking of most Linux flavours and operating systems) to see what I mean by "superfluous services enabled by default". There is a difference between a machine running countless services by default and another strictly following recommended practices.

In my humble opinion, NIST is wrong if they recommend blocking ping and traceroute. They should update that recommendation, as I feel that most problems we have here tracing network issues are a consequence of people blindly following this advice.

Cheers,
Igor.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Hi Dag,

I find myself pressed to rant a bit on the myths you spread because I come across such arguments all too often, and they are, umm, unfounded.

On Sun, 17.12.2006 at 20:03:08 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
> Tools can be written to use icmp as a transport, obviously anything can
> be used as a transport which is why we only allow traffic inbound to
> servers with services running we want public.

Yes, you can use anything as a transport, probably even pigeon carriers, but you need a receiving end to effect anything. So, unless you fear that someone is able to install a trojan on your OpenBSD server by sending it ICMP packets encapsulating something in their payload that results in a program (so far already requiring a big remote-root hole in the kernel) and also have it run with root privileges, probably by exploiting some other unknown hole in OpenBSD, then switching off ICMP is a good precaution. In all other cases, I think that it's quite stupid. I trust OpenBSD to not have such holes...

> Why should I allow someone to ping my dns server?

Marco explained it already. I can only agree. Switching off ICMP is a measure taken by rogue and/or stupid users who don't care if the 'Net works or not. At least, they really don't want any help they might otherwise be offered in case of a problem on their side. It is named "Internet Control Message Protocol" and not "Internet Useless Junk Protocol" for a reason.

> If you need to see if the server is up telnet to port 53, a traceroute
> will die at the hop above the firewall,

If I get no response from your port 53, I still don't know if
* your line is down,
* your host is down, or
* your name service is down.

Similar arguments go for problems due to packet loss or routing (ping and tracepath give me those) which help me assess a problem and maybe help out with advice.

> I know which ip that is. I don't care/need others to do so.

In case I should want to query your DNS service, I'll need to know the IP of your host, too, otherwise I can't query it. If you offer something useful (e.g. DNS for a domain someone should want to send mail to), you can't make that IP a secret unless you don't want people using that domain. There's no security by obscurity, and hiding the IP from "clueless users" (everyone else gets it anyway) is no substitute for security-in-depth.

So, please be a good netizen and switch ICMP back on, and secure your services.

Thank you for listening!

Best,
--Toni++
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Monday 18 December 2006 19:29, Jon Radel wrote:
>
> I suppose it all comes down to such unresolvable matters such as "is
> making it harder for outsiders to map your network merely security
> through obscurity, which is naturally below the dignity of any right
> thinking network engineer, or does it have value in today's Internet?"
>

Don't forget the hilarious "ping o' death" vuln in ancient versions of various operating systems. Some on-line "block ping" 'advice' probably dates from that happy era. Yeah, totally blocking ping was overkill back then too, but was the first reaction of many.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Dag Richards wrote:
>> Such a user can use http or better yet https as a transport as well
>> or a floppy, usb hard drive, usb thumb drive, and email (especially
>> with an encrypted attachment so that your filter can see what it
>> is). Hell they can print it out and carry it in their briefcase if
>> they wanted.
>
> That's what I do ;)
>

Dang, I just take the whole server. Don't even have to reload the data that way.

By the way, the only little quibble I've had with this discussion is that some of the responses have been remarkably imprecise in the distinction between "icmp" and "icmp echo-requests." I find that such imprecision causes no end of trouble when specifying security policies. I, for example, am not the biggest fan of random people sending me icmp redirects, but don't block many other icmp packets.

I'll also point out that opinions differ. For example, the official recommendation of the U.S. NIST (National Institute of Standards and Technology) is:

"block incoming echo request (ping and Windows traceroute)
block outgoing echo replies, time exceeded, and destination unreachable messages except "packet too big" messages (type 3, code 4). This item assumes that you are willing to forego the legitimate uses of ICMP echo request to block some known malicious uses."

(Special Publication 800-41, p. 61.)

I suppose it all comes down to such unresolvable matters such as "is making it harder for outsiders to map your network merely security through obscurity, which is naturally below the dignity of any right thinking network engineer, or does it have value in today's Internet?"

:-)

--Jon Radel
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
smith wrote:
> Blocking icmp violates RFC rules which means in a nutshell weird things
> will happen on your network.

Buda says : "Amen... obey RFC 1122."

RFC compliance is almost always a good reason to do something. So I have learned something I apparently should already have known.

> i.e. icmp helps negotiate traffic throughput when two nodes are
> communicating over networks with various amounts of bandwidth.
>
> If you have firewall rules that allowed udp/tcp 53 and icmp to your
> dns server, you would not violate RFC rules. For someone to transport
> traffic through icmp with these rules means that they would have to
> root your dns server. At that point, icmp isn't your problem. Let me
> restate by saying if anyone on your network tries to send traffic out
> via icmp, icmp isn't the problem, it's the security of that computer
> that's the problem.

We let users send out pretty much any traffic they want from their network, this "debate" was for me about what to allow _in_ to the dmz.

> Oh and if you're trying to prevent your users from sending out
> confidential information to an external source, let's face it, that's
> almost impossible.

Yup, too true. Not trying to stop confidential info flow. Just trying to make illicit shell shipping harder.

> Such a user can use http or better yet https as a transport as well or
> a floppy, usb hard drive, usb thumb drive, and email (especially with an
> encrypted attachment so that your filter can see what it is). Hell they
> can print it out and carry it in their briefcase if they wanted.

That's what I do ;)
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
* Dag Richards <[EMAIL PROTECTED]> [2006-12-18 06:10]:
> I block all inbound traffic to my networks not required for operations.

(most of) icmp qualifies as required for operations. especially including echo-request and -reply.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote
> Jason Dixon wrote:
> > On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
> >
> >> Jason Dixon wrote:
> >>
> >>> Your security staff is clueless. I bet they like to block icmp
> >>> echo-request too.
> >>
> >>
> >> Erm, I don't think I am clueless, often a sign of cluelessness I
> >> am sure ... However. I block inbound icmp, well actually inbound
> >> anything not shown to be required for specific 'services'.
> >>
> >> What about this is cluelez? I ask in a tone not of belligerence, but
> >> a desire to be informed by my betters.
> >
> >
> > Why would you block icmp echo-request? What does that gain you in
> > terms of security?
> >
> > --
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net
> >
>
> I block all inbound traffic to my networks not required for operations.
>
> I have a dns server I allow inbound udp / tcp 53, if it's not running
> other services that's all I allow. I run rules on the dns server
> that block it from making outbound connections except to 53 on
> servers off my network, and ntp to the time servers.
>
> Why would I let icmp in? I have telnet turned off on all the servers,
> but I still block port 23, or actually fail to open it.
>
> Tools can be written to use icmp as a transport, obviously anything
> can be used as a transport which is why we only allow traffic
> inbound to servers with services running we want public. Why should
> I allow someone to ping my dns server?
>
> If you need to see if the server is up telnet to port 53, a
> traceroute will die at the hop above the firewall, I know which ip
> that is. I don't care/need others to do so.

Blocking icmp violates RFC rules which means in a nutshell weird things will happen on your network. i.e. icmp helps negotiate traffic throughput when two nodes are communicating over networks with various amounts of bandwidth.

If you have firewall rules that allowed udp/tcp 53 and icmp to your dns server, you would not violate RFC rules. For someone to transport traffic through icmp with these rules means that they would have to root your dns server. At that point, icmp isn't your problem. Let me restate by saying if anyone on your network tries to send traffic out via icmp, icmp isn't the problem, it's the security of that computer that's the problem.

Oh and if you're trying to prevent your users from sending out confidential information to an external source, let's face it, that's almost impossible. Such a user can use http or better yet https as a transport as well or a floppy, usb hard drive, usb thumb drive, and email (especially with an encrypted attachment so that your filter can see what it is). Hell they can print it out and carry it in their briefcase if they wanted.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Marco S Hyman wrote:
> To me (and I'll be the first to
> admit that this is nothing but opinion and I won't pretend that my opinion
> is any better than yours) I see more harm than good in blocking icmp.
> I like it when other people tell me I've screwed something up because I
> can find it and fix it faster.

You can add my violent agreement. Most people are actually good, at least if it takes them little effort. I can't imagine that the objective of security is to have to withdraw and hide from everything and everybody. Imagine removing the highway markers and street signs because they might help the terrorists.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
> servers with services running we want public. Why should I allow
> someone to ping my dns server?

If I'm having problems resolving a host address that is supposed to be handled by your server one of the first things I'll do is see if I have general connectivity to your server. I'll ping it. If there is no answer I'll most likely assume transient net errors and put the problem off until later. So what, you say. Well, if there are real DNS problems you won't be notified. Maybe you don't care.

> If you need to see if the server is up telnet to port 53, a traceroute
> will die at the hop above the firewall, I know which ip that is. I don't
> care/need others to do so.

If I can't ping I'll assume I can't telnet. A traceroute will confirm "net connectivity" issues. Eventually, assuming I need your DNS server to work correctly, I'll attempt to get in touch.

From my perspective the only thing your blocking ICMP has done is delay third party notification of DNS issues. To me (and I'll be the first to admit that this is nothing but opinion and I won't pretend that my opinion is any better than yours) I see more harm than good in blocking icmp. I like it when other people tell me I've screwed something up because I can find it and fix it faster.

As for the person who wants to disable ipv6... I think henning@ had the best solution: use pf. A rule such as

    block drop quick inet6 all

at the top of your ruleset should do the trick.

// marc
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Mon, 18 Dec 2006 00:34:20 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:

>
> You don't use icmp echo-request for your network operations? Do you
> think you're gaining something by filtering ping on your firewall?
>

Amen... obey RFC 1122.

   3.2.2.6 Echo Request/Reply: RFC-792

      Every host MUST implement an ICMP Echo server function that
      receives Echo Requests and sends corresponding Echo Replies. A
      host SHOULD also implement an application-layer interface for
      sending an Echo Request and receiving an Echo Reply, for
      diagnostic purposes.

      An ICMP Echo Request destined to an IP broadcast or IP multicast
      address MAY be silently discarded.

Use something along the line of:

   pass in inet proto icmp all icmp-type $icmp_types keep state

in pf.conf

Fer instance, note the recent journal on undeadly.org about the max states DNS problem. ICMP helped there. It's nice to be able to diagnose connectivity with as many tools as possible.

Travers Buda
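The two pf pieces this thread keeps returning to, the `block quick inet6` that Henning and marc give for the "disable IPv6" order and the RFC 1122-friendly ICMP pass rule quoted above, combined into one pf.conf fragment for a DNS server behind an OpenBSD 4.0-era firewall. This is an added example, not any poster's ruleset; the interface name, the server address and the particular ICMP types passed are assumptions of the example.

```pf
# Added example pf.conf fragment (not from any poster on this thread).
# ext_if and dns_server are constructed placeholders; adjust for your site.
ext_if     = "em0"
dns_server = "192.0.2.53"        # constructed address (TEST-NET-1)

# ICMP the host must receive to stay RFC 1122 compliant and debuggable:
#   echoreq - ping (3.2.2.6: every host MUST answer Echo Requests)
#   unreach - destination unreachable, including "needfrag" (type 3,
#             code 4), which Path MTU discovery depends on
#   timex   - time exceeded, which traceroute responses are made of
icmp_types = "{ echoreq, unreach, timex }"

# Loopback carries ::1 traffic; skipping it keeps the inet6 block below
# from breaking local IPv6 sockets on the firewall itself.
set skip on lo0

# The "disable IPv6" order, done the pf way: quick makes this the final
# word for every inet6 packet, in or out, on every remaining interface.
block drop quick inet6 all

# Default deny in both directions on the outside; open only what the
# DNS server actually offers (Dag's stated policy).
block drop in  log on $ext_if all
block drop out log on $ext_if all

# Inbound: DNS over UDP and TCP ...
pass in on $ext_if inet proto { tcp, udp } from any to $dns_server \
    port 53 keep state

# ... and ICMP, which counts as "required for operations", echo-request
# included. keep state lets the Echo Replies back out automatically.
pass in on $ext_if inet proto icmp from any to $dns_server \
    icmp-type $icmp_types keep state

# Outbound from the server: recursion/zone transfers to port 53 and NTP,
# nothing else.
pass out on $ext_if inet proto { tcp, udp } from $dns_server to any \
    port 53 keep state
pass out on $ext_if inet proto udp from $dns_server to any \
    port 123 keep state
```

On 4.0 the explicit `keep state` matters (stateful filtering became the default only in 4.1); `pfctl -nf /etc/pf.conf` parses the file without loading it, which is the cheap check before pushing a ruleset to a firewall.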
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Dec 17, 2006, at 11:03 PM, Dag Richards wrote:
> Jason Dixon wrote:
>> On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
>>> Erm, I don't think I am clueless, often a sign of cluelessness I am
>>> sure ... However. I block inbound icmp, well actually inbound anything
>>> not shown to be required for specific 'services'.
>>>
>>> What about this is cluelez? I ask in a tone not of belligerence, but a
>>> desire to be informed by my betters.
>>
>> Why would you block icmp echo-request? What does that gain you in terms
>> of security?
>
> I block all inbound traffic to my networks not required for operations.

You don't use icmp echo-request for your network operations? Do you think you're gaining something by filtering ping on your firewall?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Jason Dixon wrote:
> On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
>> Jason Dixon wrote:
>>> Your security staff is clueless. I bet they like to block icmp
>>> echo-request too.
>>
>> Erm, I don't think I am clueless, often a sign of cluelessness I am
>> sure ... However. I block inbound icmp, well actually inbound anything
>> not shown to be required for specific 'services'.
>>
>> What about this is cluelez? I ask in a tone not of belligerence, but a
>> desire to be informed by my betters.
>
> Why would you block icmp echo-request? What does that gain you in terms
> of security?
>
> -- 
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

I block all inbound traffic to my networks not required for operations.

I have a dns server I allow inbound udp / tcp 53, if it's not running other services that's all I allow. I run rules on the dns server that block it from making outbound connections except to 53 on servers off my network, and ntp to the time servers.

Why would I let icmp in? I have telnet turned off on all the servers, but I still block port 23, or actually fail to open it.

Tools can be written to use icmp as a transport, obviously anything can be used as a transport which is why we only allow traffic inbound to servers with services running we want public. Why should I allow someone to ping my dns server?

If you need to see if the server is up telnet to port 53, a traceroute will die at the hop above the firewall, I know which ip that is. I don't care/need others to do so.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Monday 18 December 2006 07:28, Dag Richards wrote:
> What about this is cluelez? I ask in a tone not of belligerence, but a
> desire to be informed by my betters.

Blocking icmp is a) totally pointless, and b) makes troubleshooting much more difficult.

---
Lars Hansson
Re: Disable IPv6 on OpenBSD 4.0
On Monday 18 December 2006 00:31, carlopmart wrote:
> Does somebody know if there is some option to put in the rc.conf file,
> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support
> on OpenBSD 4.0? Or do I need to recompile the kernel, modify sendmail.cf,
> etc, etc, etc ...??

Depends on what you mean by disable. There's no option to prevent IPv6 from being active but it's trivial to block all ipv6 traffic with pf.

---
Lars Hansson
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
> Jason Dixon wrote:
>> Your security staff is clueless. I bet they like to block icmp
>> echo-request too.
>
> Erm, I don't think I am clueless, often a sign of cluelessness I am
> sure ... However. I block inbound icmp, well actually inbound anything
> not shown to be required for specific 'services'.
>
> What about this is cluelez? I ask in a tone not of belligerence, but a
> desire to be informed by my betters.

Why would you block icmp echo-request? What does that gain you in terms of security?

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Disable IPv6 on OpenBSD 4.0
Hi!

On Sun, Dec 17, 2006 at 03:56:08PM -0500, Dave Anderson wrote:
> ** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
> Dec 2006 15:17:01 -0500
>> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>>> Yes, my security staff orders to disable IPv6 protocol on all our
>>> firewalls ...
>> Your security staff is clueless. I bet they like to block icmp
>> echo-request too.
> Unfortunately, the fact that they're clueless doesn't make it possible
> to ignore their demands. Fortunately, it's almost trivial to configure
> PF to block all incoming and outgoing IPv6 on your external interface
> (or on all of your interfaces). The question is, can you convince the
> powers-that-be that doing this is sufficient? It clearly should be,
> since it prevents any possibility of communicating via IPv6.

Don't ask don't tell. I.e. just block quick inet6 in pf, tell them "ok, I've blocked IPv6", and as long as they don't ask *how* you blocked it, it's done.

> Good luck,
>
> Dave

Kind regards,
Hannah.
Re: Disable IPv6 on OpenBSD 4.0 - forking discussion to icmp echo request blockage
Jason Dixon wrote:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>> Philip Guenther wrote:
>>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>>>> Does somebody know if there is some option to put in the rc.conf
>>>> file, like FreeBSD does with the ipv6_enable="NO" option, to disable
>>>> IPv6 support on OpenBSD 4.0?
>>>
>>> Nope. No such option exists in OpenBSD.
>>>
>>>> Or do I need to recompile the kernel, modify sendmail.cf, etc, etc,
>>>> etc ...?? In other words, do I need to reconfigure all processes that
>>>> need ipv6 to start up??
>>>
>>> Yeah, that's one way to end up with a system for which the developers
>>> will basically ignore you if you report a problem. Is that what you're
>>> trying to accomplish?
>>
>> Yes, my security staff orders to disable IPv6 protocol on all our
>> firewalls ...
>
> Your security staff is clueless. I bet they like to block icmp
> echo-request too.
>
> -- 
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

Erm, I don't think I am clueless, often a sign of cluelessness I am sure ... However. I block inbound icmp, well actually inbound anything not shown to be required for specific 'services'.

What about this is cluelez? I ask in a tone not of belligerence, but a desire to be informed by my betters.
Re: Disable IPv6 on OpenBSD 4.0
Jason Dixon wrote:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>
>> Philip Guenther wrote:
>>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>>>> Does somebody know if there is some option to put in the rc.conf
>>>> file, like FreeBSD does with the ipv6_enable="NO" option, to disable
>>>> IPv6 support on OpenBSD 4.0?
>>>
>>> Nope. No such option exists in OpenBSD.
>>>
>>>> Or do I need to recompile the kernel, modify sendmail.cf, etc, etc,
>>>> etc ...?? In other words, do I need to reconfigure all processes that
>>>> need ipv6 to start up??
>>>
>>> Yeah, that's one way to end up with a system for which the developers
>>> will basically ignore you if you report a problem. Is that what
>>> you're trying to accomplish?
>>>
>>
>> Yes, my security staff orders to disable IPv6 protocol on all our
>> firewalls ...
>
> Your security staff is clueless. I bet they like to block icmp
> echo-request too.
>

je, je ..:) Sure jason, but I am only a simple administrator ...

> -- 
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
>

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Disable IPv6 on OpenBSD 4.0
Dave Anderson wrote:
> ** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17
> Dec 2006 15:17:01 -0500
>
>> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>>
>>> Yes, my security staff orders to disable IPv6 protocol on all our
>>> firewalls ...
>> Your security staff is clueless. I bet they like to block icmp
>> echo-request too.
>
> Unfortunately, the fact that they're clueless doesn't make it possible
> to ignore their demands. Fortunately, it's almost trivial to configure
> PF to block all incoming and outgoing IPv6 on your external interface
> (or on all of your interfaces). The question is, can you convince the
> powers-that-be that doing this is sufficient? It clearly should be,
> since it prevents any possibility of communicating via IPv6.
>
> Good luck,
>
> Dave
>

I don't know Dave, but I could try it...

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Disable IPv6 on OpenBSD 4.0
Jason Dixon wrote on Sun, Dec 17, 2006 at 03:17:01PM -0500:
> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>> Yes, my security staff orders to disable IPv6 protocol
>> on all our firewalls ...
> Your security staff is clueless.
> I bet they like to block icmp echo-request too.

If they really force you to conform to that kind of "security staff orders", minimize the breakage by using pf(4) - and pf only. In particular, do refrain from rolling your own kernel to remove IPv6.

If I remember correctly, the last time INET6 #ifdefs needed correction for -current in CVS was about a week ago. Correctness and reliability of IPv6-disabled kernels is not regarded as a high priority issue - but you might wish for maximum correctness and reliability of your firewalls.
Re: Disable IPv6 on OpenBSD 4.0
* carlopmart <[EMAIL PROTECTED]> [2006-12-17 21:14]:
> Yes, my security staff orders to disable IPv6 protocol on all our firewalls
> ...

block quick inet6

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Disable IPv6 on OpenBSD 4.0
** Reply to message from Jason Dixon <[EMAIL PROTECTED]> on Sun, 17 Dec 2006 15:17:01 -0500

> On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
>
>> Yes, my security staff orders to disable IPv6 protocol on all our
>> firewalls ...
>
> Your security staff is clueless. I bet they like to block icmp
> echo-request too.

Unfortunately, the fact that they're clueless doesn't make it possible to ignore their demands. Fortunately, it's almost trivial to configure PF to block all incoming and outgoing IPv6 on your external interface (or on all of your interfaces). The question is, can you convince the powers-that-be that doing this is sufficient? It clearly should be, since it prevents any possibility of communicating via IPv6.

Good luck,

Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>
Re: Disable IPv6 on OpenBSD 4.0
On Dec 17, 2006, at 2:51 PM, carlopmart wrote:
> Philip Guenther wrote:
>> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>>> Does somebody know if there is some option to put in the rc.conf
>>> file, like FreeBSD does with the ipv6_enable="NO" option, to disable
>>> IPv6 support on OpenBSD 4.0?
>>
>> Nope. No such option exists in OpenBSD.
>>
>>> Or do I need to recompile the kernel, modify sendmail.cf, etc, etc,
>>> etc ...?? In other words, do I need to reconfigure all processes that
>>> need ipv6 to start up??
>>
>> Yeah, that's one way to end up with a system for which the developers
>> will basically ignore you if you report a problem. Is that what you're
>> trying to accomplish?
>
> Yes, my security staff orders to disable IPv6 protocol on all our
> firewalls ...

Your security staff is clueless. I bet they like to block icmp echo-request too.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Disable IPv6 on OpenBSD 4.0
Philip Guenther wrote:
> On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
>> Does somebody know if there is some option to put in the rc.conf file,
>> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6
>> support on OpenBSD 4.0?
>
> Nope. No such option exists in OpenBSD.
>
>
>> Or do I need to recompile the kernel, modify sendmail.cf, etc,
>> etc, etc ...?? In other words, do I need to reconfigure all processes
>> that need ipv6 to start up??
>
> Yeah, that's one way to end up with a system for which the developers
> will basically ignore you if you report a problem. Is that what
> you're trying to accomplish?
>

Yes, my security staff orders to disable IPv6 protocol on all our firewalls ...

>
> Philip Guenther
>

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Disable IPv6 on OpenBSD 4.0
** Reply to message from carlopmart <[EMAIL PROTECTED]> on Sun, 17 Dec 2006 17:31:03 +0100

> Does somebody know if there is some option to put in the rc.conf file,
> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support
> on OpenBSD 4.0? Or do I need to recompile the kernel, modify sendmail.cf,
> etc, etc, etc ...?? In other words, do I need to reconfigure all processes
> that need ipv6 to start up??

Why do you think you need to do this? That is, what problem is the presence of IPv6 support causing you?

If you just don't want to deal with the possibility of IPv6 traffic, you could easily configure PF to block all IPv6.

Dave

-- 
Dave Anderson
<[EMAIL PROTECTED]>
Re: Disable IPv6 on OpenBSD 4.0
On 12/17/06, carlopmart <[EMAIL PROTECTED]> wrote:
> Does somebody know if there is some option to put in the rc.conf file,
> like FreeBSD does with the ipv6_enable="NO" option, to disable IPv6 support
> on OpenBSD 4.0?

Nope. No such option exists in OpenBSD.

> Or do I need to recompile the kernel, modify sendmail.cf, etc, etc, etc
> ...?? In other words, do I need to reconfigure all processes that need
> ipv6 to start up??

Yeah, that's one way to end up with a system for which the developers will basically ignore you if you report a problem. Is that what you're trying to accomplish?

Philip Guenther