[ARMedslack] IPv6 Default behaviour

dowelld at netscape.net dowelld at netscape.net
Thu Jun 27 08:31:05 UTC 2013


-----Original Message-----

From: Gregg Levine <gregg.drwho8 at gmail.com>
To: Slackware ARM port <armedslack at lists.armedslack.org>
Sent: Thu, Jun 27, 2013 1:46 am
Subject: Re: [ARMedslack] IPv6 Default behaviour


On Wed, Jun 26, 2013 at 8:34 PM,  <dowelld at netscape.net> wrote:
> Has anyone got any idea about how to turn off the default behaviour of having
> every interface automatically assigned an IPv6 address when it comes up?
>
> So far I've hunted around and around the interwebs, and pushed "0" into all
> sorts of files in /proc/sys/net/ipv6/conf/*/* all to no avail. The moment I
> bring an interface up an inet6 LLA address is automatically assigned to it.
>
> I'm starting to wonder if Linux is an OS I really want to have anywhere near
> a computer of mine when it seems the designers of it decided it'd be a good
> idea to (by default) automatically open up a connectable address on every
> single network interface, of every single device, without any consideration
> for whether an interface was protected or not.
>
> I mean I've seen many utterly ridiculous decisions in my time in this
> industry, but I never thought I'd see one which left nearly every single
> linux system (all those where ip6tables hasn't been explicitly invoked
> anyway) vulnerable to attack (even if only from another system on the local
> network). Utter madness, with seemingly no way to disable it.
>
> Any ideas/suggestions welcomed.
>
>
> Thanks
> Dave

Hello!
And did you try using the rmmod command on the ipv6 module? And to
prevent it being loaded all the time then add it to the blacklist for
modules. Also check to see where it's being loaded. In all actuality
IPv6 happens to be practically right around the corner, we actually
ran out of IPv4 addresses about three to six years previously.

-----
Gregg C Levine gregg.drwho8 at gmail.com
"This signature fought the Time Wars, time and again."
Hi Gregg,

I don't want to disable IPv6, in fact I'm trying to implement it in an appliance. I just want it implemented securely. Assigning an EUI64 address to the interface automatically in the kernel is just plain daft... and IMHO dangerous.

For example, thanks to the kernel team, every single Slackware system (and who knows how many other distributions) is by default connectable and therefore attackable upon install. Got an unpatched apache/ssh/email server running on your system, that's nice, I'll just connect to it on the unprotected IPv6 interface which you probably don't even know exists (most normal people won't know it exists). What kind of madness is that... it's the latest kind. As implemented on every single linux system worldwide, good eh?

What was wrong with the simple idea that interfaces are configured in userland? You know by users, who are at least then aware or culpable for having enabled it.

I will no doubt today spend another several hours here trying to find a way to close a hole which should never have been opened.

Thanks
Dave
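
An added example, not part of the original thread: a local audit for the exposure described above, listing services bound to the IPv6 wildcard that are reachable on an automatically assigned link-local address while ip6tables INPUT is unfiltered. The sample inputs are constructed in the formats of /proc/net/if_inet6, /proc/net/tcp6 and `ip6tables -S`, and the function names are illustrative.

```python
import ipaddress

# Constructed samples; on a live host read /proc/net/if_inet6, /proc/net/tcp6
# and the output of `ip6tables -S` instead.
IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
"""
TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A
"""
IP6TABLES_S = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"

def link_local(if_inet6):
    """Return [(iface, address, is_eui64)] for scope 0x20 (link-local) entries."""
    out = []
    for line in if_inet6.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        addr, _idx, _plen, scope, _flags, dev = parts
        if int(scope, 16) == 0x20:
            text = str(ipaddress.IPv6Address(int(addr, 16)))
            out.append((dev, text, addr[22:26] == "fffe"))  # ff:fe marks a MAC-derived ID
    return out

def wildcard_listeners(tcp6):
    """Return ports in LISTEN (st 0A) bound to ::, i.e. answering on every address."""
    ports = []
    for line in tcp6.splitlines()[1:]:  # skip the header row
        f = line.split()
        host, port = f[1].rsplit(":", 1)
        if f[3] == "0A" and int(host, 16) == 0:
            ports.append(int(port, 16))
    return sorted(ports)

def input_unfiltered(rules):
    """True when the INPUT policy is ACCEPT and no INPUT rule has been added."""
    lines = rules.splitlines()
    return "-P INPUT ACCEPT" in lines and not any(l.startswith("-A INPUT") for l in lines)

def audit(if_inet6, tcp6, rules):
    """List (iface, address, port) reachable on a link-local address without filtering."""
    if not input_unfiltered(rules):
        return []
    return [(dev, addr, p) for dev, addr, _ in link_local(if_inet6)
            for p in wildcard_listeners(tcp6)]

if __name__ == "__main__":
    for dev, addr, port in audit(IF_INET6, TCP6, IP6TABLES_S):
        print(f"{dev}: tcp/{port} reachable at {addr}%{dev}")
```

The listener on ::1 (port 25 in the sample) is not reported because it is bound to loopback only, not to the wildcard address.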