Hi!

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> > I'm alerting users so that you can make whatever changes you like to
> > ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> > default ipv6 on all hardened profiles.
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually, sooner is probably better than later I think.

Correct me if I'm wrong, but enabling IPv6 means needing to support two different routing tables and two different firewalls. Also, I suppose enabling IPv6 on any server/router with non-trivial IPv4 firewall rules may (and probably will!) result in creating new security holes until the admin develops IPv6 firewall rules similar to the existing IPv4 firewall rules. And I suppose just trying to duplicate the existing rules as is won't be enough because of new IPv6-specific features, which are absent in IPv4, and which should be additionally blocked/enabled too.

If I'm right (about creating new security holes because of enabling the ipv6 USE flag) then it may be a bad idea to enable it by default until we are sure the admin is ready for this (for example, we may check whether IPv6 is enabled in the kernel and whether IPv6 firewall rules exist).

BTW, are there any (Gentoo?) guides/howtos which explain these issues (preferably from a "differences from IPv4" point of view) to an average admin who knows how to set up IPv4 and knows nothing about IPv6, and provide a minimum recommended configuration for IPv6 routing/firewall? I think enabling IPv6 by default should begin with writing such docs.

-- 
WBR, Alex.
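
One way to implement the check suggested in the message above (is IPv6 present in the kernel, and do IPv6 firewall rules exist), as an added example that is not part of the original post or of any Gentoo tooling. The function names and the sample rulesets are constructed for illustration; the check only detects a missing IPv6 ruleset, not whether existing rules cover IPv6-specific features.

```shell
#!/bin/sh
# Added example. Sample rulesets below are constructed, not captured.

# Reads iptables-save / ip6tables-save text on stdin and prints
# "<INPUT policy> <rule count>" for the filter table.
summarize_ruleset() {
    awk '
        /^\*/                   { in_filter = ($0 == "*filter") }
        in_filter && /^:INPUT / { policy = $2 }
        in_filter && /^-A /     { rules++ }
        END { printf "%s %d\n", (policy ? policy : "NONE"), rules + 0 }
    '
}

# True when a summary describes a stack with no filtering at all:
# INPUT policy is not DROP and the filter table holds no rules.
is_open() { [ "$1" != DROP ] && [ "$2" -eq 0 ]; }

# True when the kernel's IPv6 stack is loaded (Linux procfs path).
ipv6_in_kernel() { [ -e "${1:-/proc/net/if_inet6}" ]; }

# $1 = IPv4 dump, $2 = IPv6 dump. Prints GAP, UNFILTERED or OK.
audit_ipv6_gap() {
    v4=$(printf '%s\n' "$1" | summarize_ruleset)
    v6=$(printf '%s\n' "$2" | summarize_ruleset)
    if is_open $v6; then
        if is_open $v4; then echo UNFILTERED; else echo GAP; fi
    else
        echo OK
    fi
}

SAMPLE_V4='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_V6_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

audit_ipv6_gap "$SAMPLE_V4" "$SAMPLE_V6_EMPTY"
```

On a live host, run as root: `ipv6_in_kernel && audit_ipv6_gap "$(iptables-save)" "$(ip6tables-save)"`; a result of GAP means the IPv4 side is filtered while the IPv6 side accepts everything.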