On Sat, Jul 13, 2013 at 6:15 AM, Reindl Harald <h.rei...@thelounge.net>wrote:
> > > Am 13.07.2013 13:07, schrieb David Beveridge: > > On Sat, Jul 13, 2013 at 1:25 PM, Fernando Lozano <ferna...@lozano.eti.br> > wrote: > >> > >> If people on the users list don't agree with me, there's no point > >> submiting to developers. > >> > > Well I for one certainly don't agree with you. > > If you disable it everywhere it's too much of a pain to turn it all > > back on when you need it. > > i disagree also that it should be default disabled > *but* it should be disabled if you are on a network > with only a DHCP4 server and no DHCP6 or if you > have a static configuration without ipv6 > > currently you get a link-local address > > > IPv6 is designed to be autoconfiguring > > and *that* is a problem inside a ipv4 only LAN > > > Unless you actually have a global IPv6 address, you can only use it > > locally anyway. > > "locally" is enough > > a) nowadyas many attacks are coming from inside the LAN > > b) you may be vulnerable if a foreign device comes up with > ipv6, your firewalls only configured for ipv4 and your > server got a link-local ipv6 > > c) services and applications may see the link-local address > and think "hey i can fully operate with ipv6" which is > not true > > > F19 now has the firewall with zones home, work, public etc so it can > > do the right thing from a security standpoint. > > there are environments with "iptables-services" for very > good reasons > > > If you are worried about security you should be raising bugs against > > the firewall, not disabling IPv6 completely > > no - if you are a sane admin you do not want *anything* enabled > which does not match the big picture of the environment > > keep in mind that there are environemnts far outside the > single workstation and security is *always* the big picture > of the complete environment and the weakest piece defines > your overall security > > If an administrator or a normal user can't disable IPv6, this is a bug and needs to be fixed. I feel the question, should IPv6 be disabled by default, is aimed for casual users, not administrators. Administrators should know what they are doing. Please correct me if I am wrong, but I believe an administrator would want to do a custom install to control exactly what services are installed and would be willing to control the initial state of IPv6, also during an install. Would administrators be okay if they had an option, during Fedora install/upgrade, where they can set the state of IPv6? The more important question, would having an option, during Fedora install/upgrade, for setting the state of IPv6 help or confuse normal users? What should the suggested default be? Again, administrators know what they are doing. I'm more concerned with people who don't know what they are doing.
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
