It may not be obvious, but the default ebtables rule (when CSP is installed) is to drop IPv6:

    util.pread2(['ebtables', '-A', 'DEFAULT_EBTABLES', '-p', 'IPv6', '-j', 'DROP'])

However, your change is a good idea as well.

On 7/30/12 4:20 AM, "Hugo Trippaers" <htrippa...@schubergphilis.com> wrote:

>Hey guys,
>
>The current systemvm has IPv6 enabled including autoconfiguration. This
>means that if the machine is placed in an IPv6 enabled network (or
>somebody starts sending router advertisements) the VMs based on the
>system vm will autoconfigure the interface. This means a possible way to
>bypass the installed firewall as the IPv6 firewall is set to accept
>everything opposite to the IPv4 firewall which is restricted.
>
>My proposal is to include the following in sysctl.conf (at least until we
>properly support IPv6):
># Disable IPv6
>net.ipv6.conf.all.disable_ipv6 = 1
>net.ipv6.conf.all.forwarding = 0
>net.ipv6.conf.all.accept_ra = 0
>net.ipv6.conf.all.accept_redirects = 0
>net.ipv6.conf.all.autoconf = 0
>
>If no objections I would like to commit this change.
>
>Cheers,
>
>Hugo
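
Added example (not part of the original thread or of the project's code): a Python check that the sysctl values proposed above are actually in effect, reading every entry under net/ipv6/conf ("all", "default" and each interface) instead of only "all". The function names, the sys_root parameter and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Values proposed in the thread for sysctl.conf (net.ipv6.conf.all.*).
EXPECTED = {
    "disable_ipv6": "1",
    "forwarding": "0",
    "accept_ra": "0",
    "accept_redirects": "0",
    "autoconf": "0",
}

def audit_ipv6(sys_root="/proc/sys"):
    """Return (interface, key, actual) tuples that deviate from EXPECTED."""
    conf_dir = os.path.join(sys_root, "net", "ipv6", "conf")
    if not os.path.isdir(conf_dir):
        return []  # no IPv6 sysctl tree in this kernel or namespace
    findings = []
    for iface in sorted(os.listdir(conf_dir)):
        for key, want in EXPECTED.items():
            path = os.path.join(conf_dir, iface, key)
            try:
                with open(path) as fh:
                    actual = fh.read().strip()
            except OSError:
                actual = "unreadable"
            if actual != want:
                findings.append((iface, key, actual))
    return findings

def build_sample_tree(root, overrides):
    """Constructed test data: a fake /proc/sys tree holding EXPECTED values,
    except for the {(iface, key): value} entries given in overrides."""
    for iface in ("all", "default", "eth0", "eth1"):
        d = os.path.join(root, "net", "ipv6", "conf", iface)
        os.makedirs(d)
        for key, value in EXPECTED.items():
            with open(os.path.join(d, key), "w") as fh:
                fh.write(overrides.get((iface, key), value) + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case: eth1 still accepts router advertisements.
        build_sample_tree(tmp, {("eth1", "accept_ra"): "1", ("eth1", "autoconf"): "1"})
        for iface, key, actual in audit_ipv6(tmp):
            print(f"{iface}: {key} = {actual} (expected {EXPECTED[key]})")
```

Calling audit_ipv6() with no argument reads the live /proc/sys tree; an empty result means every listed interface matches the proposed values.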