gentoo.list at topphemmelig
Jun 28, 2012, 6:43 AM
Re: ipv6 on by default for hardened profile

On 26/06/12 05:03, Alex Efros wrote:
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be a bad idea to enable it by default until we're
> sure the admin is ready for this (for example, we may check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).
Yes, you are right. Enabling IPv6 is the same as enabling a completely
new protocol. Configuration, routing and firewalls need to be set up.
But there is an easy way to "opt-out" which could easily be described.
If the default kernel config builds IPv6 support as a module, you can
easily do 'modprobe -r ipv6' and you don't have IPv6 enabled on a
running kernel. This can also be added to the modprobe blacklist as
well, so it's not loaded upon boot. Or for those configuring their own
kernels, disabling the IPv6 module can be another alternative. These
alternatives can easily be documented, IMHO.
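
The check suggested in the quoted text (is IPv6 enabled in the kernel, and do IPv6 firewall rules exist), sketched as an added example that is not part of the original thread. It assumes saved copies of `/proc/net/if_inet6` and of `ip6tables-save` output; the function names and verdict strings are hypothetical, and the rule test is a heuristic, not a ruleset review.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic audit only.

# Count IPv6 addresses on non-loopback interfaces.
# $1: copy of /proc/net/if_inet6 (the file is absent when the ipv6
#     module is not loaded). Columns: addr ifindex prefixlen scope flags dev
global_addr_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk '$6 != "lo" { n++ } END { print n + 0 }' "$1"
}

# Succeed when the filter table's INPUT chain does anything at all:
# default policy DROP, or at least one appended rule.
# $1: saved output of ip6tables-save.
input_filtered() {
    [ -r "$1" ] || return 1
    awk '
        /^\*/                        { in_filter = ($0 == "*filter") }
        in_filter && /^:INPUT DROP / { ok = 1 }
        in_filter && /^-A INPUT /    { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Print one verdict: ipv6-inactive | ipv6-filtered | ipv6-unfiltered
audit() {
    if [ "$(global_addr_count "$1")" -eq 0 ]; then
        echo ipv6-inactive
    elif input_filtered "$2"; then
        echo ipv6-filtered
    else
        echo ipv6-unfiltered
    fi
}

# Constructed sample: link-local address on eth0, empty IPv6 ruleset.
tmp=$(mktemp -d)
printf '%s\n' \
    '00000000000000000000000000000001 01 80 10 80       lo' \
    'fe80000000000000021122fffe334455 02 40 20 80     eth0' > "$tmp/if_inet6"
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' 'COMMIT' > "$tmp/rules"
audit "$tmp/if_inet6" "$tmp/rules"
```

On a real host, pass `/proc/net/if_inet6` directly and a file written by `ip6tables-save` run as root.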