By the way, we might want to add the same configuration to vmops for XenServer.
Currently it is possible to have a tenant VM send a router advertisement on the isolated LAN that is picked up by XenServer. Even though XenServer only has a bridge interface in the tenant LAN, that interface will be autoconfigured. A simple ping to the link-local all-nodes address (ff02::1) will tell you the MAC of the XenServer interface. As XenServer has SSH active on all interfaces, you can directly connect to the SSH daemon on the XenServer. We only push an IPv4 firewall to the XenServer, so the IPv6 firewall is the default (ACCEPT everything). Still, you only gain access to the SSH port, but that is something that should not be possible from a tenant LAN.

Cheers,

Hugo

-----Original Message-----
From: Hugo Trippaers [mailto:htrippa...@schubergphilis.com]
Sent: Monday, July 30, 2012 1:20 PM
To: cloudstack-dev@incubator.apache.org
Subject: Disable IPv6 for systemvm

Hey guys,

The current systemvm has IPv6 enabled, including autoconfiguration. This means that if the machine is placed in an IPv6-enabled network (or somebody starts sending router advertisements), the VMs based on the system VM will autoconfigure the interface. This is a possible way to bypass the installed firewall, as the IPv6 firewall is set to accept everything, as opposed to the IPv4 firewall, which is restricted.

My proposal is to include the following in sysctl.conf (at least until we properly support IPv6):

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.autoconf = 0

If no objections I would like to commit this change.

Cheers,

Hugo
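As an added example, not part of the thread or of the CloudStack code base: a small Python audit that takes `sysctl -a` style output and `ip6tables -S` output (the policy lines) and reports the combination the two messages describe, an IPv6 stack that still accepts router advertisements behind an ip6tables INPUT policy of ACCEPT. The two sample hosts below are constructed; the five keys checked are the ones from the proposed sysctl.conf fragment, and the hardened sample is a host that has applied it plus a DROP policy.

```python
"""Audit a Linux host for the IPv6 autoconfiguration / open-ip6tables gap.

Usage on a real host (no files here; the samples at the bottom are constructed):
    sysctl -a > sysctl.txt; ip6tables -S > ip6.txt
    python3 ipv6_audit.py sysctl.txt ip6.txt
"""
import sys

# The sysctl.conf fragment from the thread, as key -> required value.
REQUIRED = {
    "net.ipv6.conf.all.disable_ipv6": "1",
    "net.ipv6.conf.all.forwarding": "0",
    "net.ipv6.conf.all.accept_ra": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.autoconf": "0",
}


def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl -a output or a sysctl.conf file)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_ip6tables_policies(text):
    """Extract built-in chain policies from 'ip6tables -S' output ('-P INPUT ACCEPT')."""
    policies = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P":
            policies[parts[1]] = parts[2]
    return policies


def assess(settings, policies):
    """Return a list of findings; an empty list means the host matches the proposal."""
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual != wanted:
            shown = "<unset>" if actual is None else actual
            findings.append("%s = %s (want %s)" % (key, shown, wanted))

    # Simplified reachability check: with the stack enabled and accept_ra at
    # its default of 1 (or 2), an unsolicited RA on the link gives the host a
    # global address. If the ip6tables INPUT policy is ACCEPT (the kernel
    # default when no IPv6 rules were pushed), every listening service is
    # then reachable over IPv6 regardless of the IPv4 firewall.
    stack_enabled = settings.get("net.ipv6.conf.all.disable_ipv6", "0") != "1"
    accepts_ra = settings.get("net.ipv6.conf.all.accept_ra", "1") in ("1", "2")
    input_policy = policies.get("INPUT", "ACCEPT")
    if stack_enabled and accepts_ra and input_policy == "ACCEPT":
        findings.append(
            "ip6tables INPUT policy is ACCEPT while router advertisements are "
            "accepted: a neighbour on the link can autoconfigure this host "
            "and reach every listening service over IPv6")
    return findings


# Constructed sample: a host with stock defaults and no IPv6 firewall.
VULNERABLE_SYSCTL = """\
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.autoconf = 1
"""
VULNERABLE_IP6TABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample: the thread's fragment applied, plus a DROP policy.
HARDENED_SYSCTL = """\
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.autoconf = 0
"""
HARDENED_IP6TABLES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
"""


def audit_text(sysctl_text, ip6tables_text):
    return assess(parse_sysctl(sysctl_text), parse_ip6tables_policies(ip6tables_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            samples = [("host", f1.read(), f2.read())]
    else:
        samples = [("vulnerable", VULNERABLE_SYSCTL, VULNERABLE_IP6TABLES),
                   ("hardened", HARDENED_SYSCTL, HARDENED_IP6TABLES)]
    for name, s, p in samples:
        print("%s: %d finding(s)" % (name, len(audit_text(s, p))))
        for finding in audit_text(s, p):
            print("  -", finding)
```

Two caveats worth keeping in mind when reading the result: interfaces created after boot take their initial values from `net.ipv6.conf.default.*`, which the thread's fragment does not set, so a production audit would check those keys as well; and the `disable_ipv6` key is the one doing the real work here, since with the stack disabled the remaining four settings cannot be reached by a router advertisement at all.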