-----Original Message----- From: Gregg Levine <gregg.drw...@gmail.com> To: Slackware ARM port <armedslack@lists.armedslack.org> Sent: Thu, Jun 27, 2013 1:46 am Subject: Re: [ARMedslack] IPv6 Default behaviour
On Wed, Jun 26, 2013 at 8:34 PM, <dowe...@netscape.net> wrote: > Has anyone got any idea about how to trun of the default behaviour of having > every interface automatically assigned an IPv6 address when it comes up? > > So far I've hunted around and around the interwebs, and pushed "0" into all > sorts of files in /proc/sys/net/ipv6/conf/*/* all to no avail. The moment I > bring an interface up an inet6 LLA address is automatically assigned to it. > > I'm starting to wonder if Linux is an OS I really want to have anywhere near > a computer of mine when it seems the designers of it decided it'd be a good > idea to (by default) automatically open up a connectable address on every > single nertwork interface, of every single device, without any consideration > for whether an interface was protected or not. > > I mean I've seen many utterly ridiculous decisions in my time in this > industry, but I never thought I'd see one which left nearly every single > linux system (all those where ip6tables hasn't been explicitly invoked > anyway) vulnerable to attack (even if only from another system on the local > network). Utter madness, with seemingly no way to disable it. > > Any ideas/suggestions welcomed. > > > Thanks > Dave Hello! And did you try using the rmmod command on the ipv6 module? And to prevent it being loaded all the time then add it to the blacklist for modules. Also check to see where its being loaded. In all actuality IPv6 happens to be practically right around the corner, we actually ran out of IPv4 addresses about three to six years previously. ----- Gregg C Levine gregg.drw...@gmail.com "This signature fought the Time Wars, time and again." _______________________________________________ ARMedslack mailing list ARMedslack@lists.armedslack.org http://lists.armedslack.org/mailman/listinfo/armedslack Hi Gregg, I don't want to disable IPv6, in fact I'm trying to implement it in an appliance. I just want it implemented securely. Assigning an EUI64 address to the interface automatically in the kernel is just plain daft... and IMHO dangerous. For example, thanks to the kernel team, every single Slackware system (and who knows how many other distributions) are by default connectable and therefore attackable upon install. Got an unpatched apache/ssh/email server running on your system, that's nice I'll just connect to it on the unprotected IPv6 interface which you probably don't even know exists (most normal people won't know it exists). What kind of madness is that... it's the latest kind. As implemented on every single linux system worldwide, good eh? What was wrong with the simple idea that interfaces are configured in userland? You know by users, who are at least then aware or culpable for having enabled it. I will no doubt today spend another several hours here trying to find a way close a hole which should never have been opened. Thanks Dave
_______________________________________________ ARMedslack mailing list ARMedslack@lists.armedslack.org http://lists.armedslack.org/mailman/listinfo/armedslack
