[clug] Debian testing and IPv6

Bob Edwards Robert.Edwards at anu.edu.au
Fri May 27 00:27:10 GMT 2005


I have been a bit worried about various Debian "testing" (sarge)
boxes running standard Debian kernels coming up with IPv6 enabled
and configured on the network interfaces (also affects Ubuntu).

Various services, notably SSH, will bind to the IPv6 (tcp6) ports
as well as the usual IPv4 tcp ports. Without proper network filtering
setup, this can pose a vulnerability, especially if connected to an
ISP.

Two options that I can think of:
  - use ip6tables to create rules for the IPv6 traffic (eg. DROP)
  - disable IPv6

I decided to disable IPv6 as follows (with thanks to Stephen Rothwell):

Edit /etc/modprobe.d/aliases and change the line that says:

    alias net-pf-10 ipv6

to

    alias net-pf-10 off

Note that you may then need to reboot as you apparently can't disable
IPv6 on a running 2.6 system.

Disabling IPv6 may also improve performance as some services will
attempt to reverse-lookup addresses against an IPv6 DNS server, which
may not exist, requiring a timeout to occur.

Others might have smoother ways of accomplishing the above.

Cheers,

Bob Edwards.
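
An added example, not part of the original post: a small shell check for the two conditions the message describes, namely which services are listening on tcp6 and whether the net-pf-10 alias has been switched off. The function names are hypothetical and the sample data is constructed; it assumes the kernel's /proc/net/tcp6 table layout (hex address:port in column 2, state in column 4).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample in /proc/net/tcp6 layout, cut to the first four columns.
SAMPLE_TCP6='  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A
   2: 0000000000000000FFFF00000100007F:0016 0000000000000000FFFF00000100007F:C350 01'

# Constructed sample of /etc/modprobe.d/aliases before the change.
SAMPLE_ALIASES='# network protocols
alias net-pf-10 ipv6'

# stdin: /proc/net/tcp6. Prints "<port> <scope>" for every LISTEN (state 0A) socket.
tcp6_listeners() {
    awk '$4 == "0A" { split($2, a, ":"); print a[1], a[2] }' |
    while read -r addr hexport; do
        case $addr in
            00000000000000000000000000000000) scope=any ;;        # ::
            00000000000000000000000001000000|00000000000000000000000000000001)
                scope=loopback ;;                                  # ::1, either byte order
            *) scope=specific ;;
        esac
        printf '%d %s\n' "0x$hexport" "$scope"
    done | sort -n
}

# stdin: modprobe aliases file. Prints the target of "alias net-pf-10", or "unset".
net_pf_10_alias() {
    awk '$1 == "alias" && $2 == "net-pf-10" { v = $3 }
         END { print (v == "" ? "unset" : v) }'
}

echo "tcp6 listeners in sample:"
printf '%s\n' "$SAMPLE_TCP6" | tcp6_listeners
echo "net-pf-10 alias in sample: $(printf '%s\n' "$SAMPLE_ALIASES" | net_pf_10_alias)"
```

On a real host, redirect /proc/net/tcp6 and /etc/modprobe.d/aliases into the two functions instead of the samples. A port reported with scope `any` is bound to the IPv6 wildcard address and is reachable over IPv6 unless ip6tables filters it.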



