-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/26/2012 08:33 PM, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 26/06/12 05:03, Alex Efros wrote:
>> Hi!
> Hi!
>> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>>> I'm alerting users so that you can make whatever changes you
>>>> like to ipv6 in your /etc/make.conf. In about 24 hours I
>>>> will turn on by default ipv6 on all hardened profiles.
>>> I use ipv6 on all my servers (not that everyone does). We will
>>> have to enable it eventually; sooner is probably better than
>>> later, I think.
>> Correct me if I'm wrong, but enabling IPv6 means needing to
>> support two different routing tables and two different
>> firewalls.
> Different routing tables maybe, but the firewall is still the same,
> the iptables-based one. And with the ipv6 USE you get it.
>> Also, I suppose enabling IPv6 on any server/router with
>> non-trivial IPv4 firewall rules may (and probably will!) result
>> in creating new security holes until the admin develops IPv6
>> firewall rules similar to the existing IPv4 firewall rules.
> The USE flag has little to nothing to do with this; ipv6 is not a
> magic USE flag that necessarily works with all packages, it only
> does so with those that have it. Others may just not have an option
> to disable IPv6. Anyway, for this to happen you must (and these are
> all necessary conditions):
> * Have an IPv6 route from the attacker to the affected machine.
> * Have IPv6 enabled in the kernel.
> * Have an IPv6 address assigned that is accessible by the attacker.
> * Get the attacker to know said address (since bruteforcing the
>   address space is hard, to say the least).
> * Have anything listening on that address (depending on the attack
>   the ICMPv6 server could be it, but there are other services which
>   listen on IPv6 no matter what you do).
>
> If one of them doesn't hold, the risk is not much more than the risk
> some uncalled code can provide, which is still not much.
>> And I suppose just trying to duplicate existing rules as-is won't
>> be enough because of new IPv6-specific features which are absent
>> in IPv4, and which should be additionally blocked/enabled too.
> This depends a lot on which rules you have. In general it is more
> about the address block than anything else.
>> If I'm right (about creating new security holes because of
>> enabling the ipv6 USE flag) then it may be a bad idea to enable it by
>> default until we're sure the admin is ready for this (for example,
>> we may check whether IPv6 is enabled in the kernel and whether IPv6
>> firewall rules exist).
> You are mostly wrong; the only issue I can think of is if you
> enabled IPv6 in the kernel, in which case you are probably fucked,
> since daemons may be listening there anyway even before the
> change.
>> BTW, are there (Gentoo?) guides/howtos which explain these
>> issues (preferably from a "differences from IPv4" point of view) to
>> the average admin who knows how to set up IPv4 and knows nothing about
>> IPv6, and provide a minimum recommended configuration for IPv6
>> routing/firewall? I think enabling IPv6 by default should begin
>> with writing such docs.
> # ip6tables -A INPUT -j DROP
> # ip6tables -A OUTPUT -j DROP
> # ip6tables -A FORWARD -j DROP
> There you are, safe now.

This is almost what I wrote to send to the list, but decided to wait a day and sleep on it. But mine had more pepper in it.
- - Aaron
- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanof...@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rAj0ACgkQVxOqA9G7/aBlCQD7B0xh96+iVtth0QU/EZeThp9F
uAiCVAj5OCRW6XgJVIcBAKIDIvU6U172nKz1UC3hUtvDdSNPZYFDysY1EpmDJqTG
=ND1t
-----END PGP SIGNATURE-----
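Two things in the exchange above invite a worked example: Alex's suggestion that an admin should be able to check whether IPv6 is enabled in the kernel and whether any IPv6 firewall rules exist, and klondike's three-line ip6tables ruleset. The script below is an added example written for this page, not code from the thread or from Gentoo. It audits a host's IPv6 exposure (kernel sysctl, ip6tables policies, sockets bound on IPv6) and emits a baseline ip6tables-restore ruleset. The ruleset keeps the DROP policy on every chain but admits loopback, reply traffic and the ICMPv6 types neighbour discovery (RFC 4861) and path-MTU discovery depend on; a ruleset that drops every ICMPv6 packet, as the three quoted rules do, also drops neighbour solicitations and advertisements, so the host can no longer resolve its gateway's link-layer address. The function names, the hop-limit-255 filter on neighbour discovery and the choice of `ss -ltun` as the listener source are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a host's IPv6 exposure before
# (or after) the ipv6 USE flag or the kernel brings IPv6 up, and emit a
# baseline ip6tables-restore ruleset that defaults to DROP but keeps the
# ICMPv6 traffic a host needs to stay reachable.

# Is IPv6 enabled in the running kernel?  Reads the sysctl that disables it;
# an optional path argument lets a test pass a constructed file instead.
# Returns 0 when IPv6 is on, 1 when it is disabled or not compiled in
# (a kernel without IPv6 has no net/ipv6 sysctl tree at all).
ipv6_enabled() {
    f=${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "0" ]
}

# Given ip6tables-save output on stdin, print the built-in filter chains
# whose policy is ACCEPT.  No output means every chain defaults to DROP.
open_chains() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && /^:/ && $2 == "ACCEPT" { sub(/^:/, "", $1); print $1 }'
}

# Given `ss -ltun` output on stdin, print listeners bound to an IPv6 address.
# Older iproute2 prints the wildcard as ":::22", newer as "[::]:22"; either
# way the socket answers on every IPv6 address the host acquires, which is
# the "daemons may be listening there anyway" case from the thread.
ipv6_listeners() {
    awk 'NR > 1 && ($5 ~ /^\[/ || $5 ~ /^:::/) { print $1, $5 }'
}

# Baseline ruleset (assumed, for a host rather than a router): default DROP
# on every chain, loopback and reply traffic allowed, plus the ICMPv6 types
# RFC 4861 neighbour discovery and path-MTU discovery require.  Neighbour
# discovery packets are sent with hop limit 255 and never routed, so the
# hl match rejects anything that crossed a router.
baseline_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type router-solicitation -j ACCEPT
-A OUTPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
COMMIT
EOF
}

# Run the checks against the live system (ip6tables-save needs root).
audit() {
    if ipv6_enabled; then
        echo "IPv6: enabled in kernel"
        echo "filter chains with ACCEPT policy:"
        ip6tables-save | open_chains
        echo "sockets listening on IPv6:"
        ss -ltun | ipv6_listeners
    else
        echo "IPv6: disabled or not compiled in"
    fi
}
```

Source the file and run `audit` to see what the host already exposes; `baseline_ruleset | ip6tables-restore` installs the default-DROP set. The baseline admits no inbound service and, like the quoted rules, no outbound connections either, so add `-A INPUT -p tcp --dport 22 -j ACCEPT` and the like for each service that should answer on IPv6, and switch the OUTPUT policy to ACCEPT if the host needs to originate IPv6 connections. Any chain still reported by `open_chains` after loading is a chain the admin has not written rules for.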