Might want to tweak the "setup ip6tables" logic to check first to see if any 
rules were in place?

On Jul 30, 2012, at 7:44 AM, Hugo Trippaers wrote:

Hey Chip,

Interesting, which version are you using?

My box:
Linux XXXXXX 2.6.32.12-0.7.1.xs6.0.2.542.170665xen #1 SMP Tue Jan 17 15:14:24 
EST 2012 i686 i686 i386 GNU/Linux
[root@XXXXX ~]# cat /etc/redhat-release
XenServer release 6.0.2-53456p (xenenterprise)
[root@XXXXX ~]# ls /proc/sys/net/ipv6/conf/all/autoconf
/proc/sys/net/ipv6/conf/all/autoconf
[root@XXXXX ~]# cat /proc/sys/net/ipv6/conf/all/autoconf
1

Btw I plan to add this to setupxenserver.sh:
# setup ip6tables: default-deny all three chains, then persist the
# policies with the RHEL init script so they survive a reboot
if [ -x "/sbin/ip6tables" ] ; then
   /sbin/ip6tables -P INPUT DROP
   /sbin/ip6tables -P OUTPUT DROP
   /sbin/ip6tables -P FORWARD DROP
   if [ -x "/etc/init.d/ip6tables" ] ; then
       /etc/init.d/ip6tables save
   fi
fi

# disable IPv6: stop accepting router advertisements and redirects,
# stop autoconfiguring, then switch IPv6 off on the interfaces entirely
# (sysctl -w takes effect immediately but only persists across a reboot
# if the same keys are also written to /etc/sysctl.conf)
if [ -d "/proc/sys/net/ipv6/conf/all" ] ; then
   /sbin/sysctl -w net.ipv6.conf.all.forwarding=0
   /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
   /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
   /sbin/sysctl -w net.ipv6.conf.all.autoconf=0
   /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1
fi

Cheers,

Hugo

-----Original Message-----
From: Chip Childers <chip.child...@sungard.com>
Sent: Monday, July 30, 2012 4:06 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

The latest Xen Server install seems to have IPv6 disabled (just checked in my 
lab). Is it enabled in XCP?

(I may be showing my Xen ignorance here)

- chip

On Jul 30, 2012, at 9:24 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:

Hey Chip,

Yeah, I want help :-)

I just committed the sysctl.conf changes for the systemvm. This morning I 
applied them to my test environment and they do the job.

We could add the actual sysctl command to the vmops next to adding the IPv6 
ip6tables statements I think.

Cheers,

Hugo


-----Original Message-----
From: Chip Childers <chip.child...@sungard.com>
Sent: Monday, July 30, 2012 3:13 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:
By the way, we might want to add the same configuration to vmops for XenServer.

Currently it is possible to have a tenant vm send a router advertisement on the 
isolated lan that is picked up by XenServer. Even though XenServer only has a 
bridge interface in the tenant lan, that interface will be autoconfigured. A 
simple ping to the local all-nodes address (ff02::1) will tell you the MAC of 
the XenServer interface. As XenServer has ssh active on all interfaces you 
can directly connect to the ssh daemon on the XenServer. We only push an IPv4 
firewall to the XenServer, so the IPv6 firewall is at its default (ACCEPT everything).

Still you only gain access to the ssh port, but that is something that should 
not be possible from a tenant lan.

Cheers,

Hugo
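The exposure Hugo describes above (a tenant router advertisement autoconfiguring a global address on the dom0 bridge, with sshd reachable through an ip6tables that still has its ACCEPT defaults) and John's point that the setupxenserver.sh hardening should first check whether any ip6tables rules are already in place can both be checked with the small audit below. It is an added example, not CloudStack or setupxenserver.sh code; the function and variable names are my own, and the `ip -6 addr` and `ip6tables -L -n` outputs it parses are constructed to mimic a CentOS 5 era dom0 rather than captured from a real host. It reads `ip6tables -L -n` instead of `-S` on the assumption that the older iptables build in the dom0 lacks `-S`, and it relies on the `dynamic` flag that `ip -6 addr` puts on SLAAC-derived global addresses.

```shell
#!/bin/sh
# Added example (not CloudStack / setupxenserver.sh code): audit a XenServer
# dom0 for the IPv6 exposure described in the thread. Assumes the classic
# `ip -6 addr` and `ip6tables -L -n` output formats; the sample outputs at
# the bottom are constructed, not captured from a real host.

# Print the policy (ACCEPT/DROP) of one chain from `ip6tables -L -n` output.
ip6_policy_of() {
   # $1 = chain name, $2 = ip6tables -L -n output
   printf '%s\n' "$2" | awk -v chain="$1" '
      $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4; exit }'
}

# Count rules across all chains (John's "were any rules in place?" check):
# every line that is neither a chain header, a column header nor blank.
ip6_rule_count() {
   printf '%s\n' "$1" | awk '
      /^Chain /            { next }
      /^target +prot +opt/ { next }
      NF == 0              { next }
                           { n++ }
      END                  { print n + 0 }'
}

# List interfaces carrying a SLAAC address: `ip -6 addr` marks global
# addresses learned from a router advertisement as "dynamic". On a dom0
# that should never be true for a tenant bridge such as xenbr0.
slaac_ifaces() {
   printf '%s\n' "$1" | awk '
      /^[0-9]+: /                                { iface = $2; sub(/:$/, "", iface) }
      /^ *inet6 / && /scope global/ && /dynamic/ { found[iface] = 1 }
      END { for (i in found) print i }' | sort
}

# Classify a host: none (no SLAAC address), open (SLAAC address plus an
# unfiltered ip6tables, i.e. Hugo's scenario), filtered (SLAAC address but
# a DROP policy or existing rules), unknown (no ip6tables output, e.g. not root).
ipv6_exposure() {
   addrs=$1
   rules=$2
   ifaces=$(slaac_ifaces "$addrs")
   if [ -z "$ifaces" ]; then
      echo none
   elif [ -z "$rules" ]; then
      echo unknown
   elif [ "$(ip6_policy_of INPUT "$rules")" = ACCEPT ] \
        && [ "$(ip6_rule_count "$rules")" -eq 0 ]; then
      echo open
   else
      echo filtered
   fi
}

# The same classification against the running host (run as root on the dom0).
audit_local_host() {
   if command -v ip >/dev/null 2>&1 && command -v ip6tables >/dev/null 2>&1; then
      ipv6_exposure "$(ip -6 addr 2>/dev/null)" "$(ip6tables -L -n 2>/dev/null)"
   else
      echo unknown
   fi
}

# Constructed sample data: a dom0 whose xenbr0 picked up a tenant RA ...
SAMPLE_ADDR_EXPOSED='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 2001:db8:dead:beef:20c:29ff:fe3b:1a2b/64 scope global dynamic
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fe80::20c:29ff:fe3b:1a2b/64 scope link
       valid_lft forever preferred_lft forever'
# ... one with link-local addresses only ...
SAMPLE_ADDR_CLEAN='5: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet6 fe80::20c:29ff:fe3b:1a2b/64 scope link
       valid_lft forever preferred_lft forever'
# ... the stock ip6tables (ACCEPT everything, no rules) ...
SAMPLE_IP6T_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
# ... and one an admin already locked down by hand (DROP policies, one rule).
SAMPLE_IP6T_LOCKED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmpv6    ::/0                 ::/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

ipv6_exposure "$SAMPLE_ADDR_EXPOSED" "$SAMPLE_IP6T_OPEN"     # open
ipv6_exposure "$SAMPLE_ADDR_EXPOSED" "$SAMPLE_IP6T_LOCKED"   # filtered
ipv6_exposure "$SAMPLE_ADDR_CLEAN"   "$SAMPLE_IP6T_OPEN"     # none
```

Run `audit_local_host` as root on the dom0: `open` is exactly the situation Hugo describes, while `filtered` means someone has already put IPv6 policies or rules in place, which is the case John's suggested check should detect before setupxenserver.sh overwrites the policies and runs `ip6tables save`. The audit only looks at addresses and the filter table; the sysctl side (accept_ra, autoconf, disable_ipv6) still has to be checked separately under /proc/sys/net/ipv6/conf/.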

As a provider, this one is even more concerning.  Unless someone has an 
objection, I'd agree with your solution.  We can remove a DENY rule in the 
future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip



Stratosec (http://stratosec.co) - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella (http://twitter.com/johnlkinsella)
