Hi.

On Tue Aug 07, 2012 at 17:09:50 +0100, Laurie Mercer wrote:
> I would like to disable IPv6, and some transport layer protocols, RDS, TIPC
> etc.
>
> However I am unsure of the best practice in doing this.
>
> So far I am disabling IPv6 using the sysctl command:
>
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> sysctl -w net.ipv6.conf.default.disable_ipv6=1
>
> Then, making sure it is disabled in perpetuity by editing /etc/sysctl.conf
> to include the following lines:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
I'd say that's the way to go, at least for in-kernel drivers/interfaces.
AFAIK blacklisting isn't possible here.

> To disable the transport layer protocols I am editing
> /etc/modprobe.d/blacklist-rare-network.conf. In the following example I
> will disable dccp:
>
> install dccp /bin/true
>
> This will replace the dccp command with nothing so dccp will not be loaded
> into the kernel.

I guess that's a valid solution. I'd probably go with a blacklist entry,
e.g. 'blacklist <module>' in /etc/modprobe.d/blacklist-<module> for each
module or one file (e.g. /etc/modprobe.d/blacklist-rare-network-modules)
for all modules.

> However, the other entries in this file are not in this format, rather they
> use 'alias XXX off' format, e.g. rds is 'alias net-pf-21 off'. I cannot see
> where the mapping between rds and net-pf-21 is, and according to the man
> pages alias simply gives an alternative name for a module. So I am a little
> confused.

Right, according to the modprobe.d manpage the primary purpose of aliases is
to shorten really long module names or to specify alternate load-time
parameters (like loading additional modules or setting different options).
What exactly made you feel confused?

> What is the best way to prevent the dccp/rds/tipc etc support being loaded?
> Do I need to use sysctl to unload the rare TCP modules?

As mentioned above, I'd simply add blacklist entries for each of them in
/etc/modprobe.d/blacklist-rare-network-modules. This should reliably disable
them.

> And finally do I need to add IPv6 to /etc/modprobe.d/ config directory
> structure?

Depending on the kernel you use, you could also blacklist ipv6, in case ipv6
is actually provided as a module. Newer distribution kernels (>= 2.6.26)
normally don't come with an ipv6 module anymore, so nothing to blacklist.
Then sysctl is the only way (I know of) for disabling unwanted kernel
features.

HTH.
Cheers,
Michael

Archive: http://lists.debian.org/20120807170814.ge17...@fnb.tu-darmstadt.de
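As an added example (not code from the thread, and not Debian's own tooling), here is a small POSIX shell script that writes the two configuration fragments discussed above and checks them. It takes a prefix directory so it can be dry-run in a scratch directory; the file names, the module list, the use of /etc/sysctl.d and of /bin/false are assumptions. Two points matter when choosing between the forms in the thread: the net-pf-21 in 'alias net-pf-21 off' is the protocol-family number (AF_RDS is 21), because socket() on a family with no registered handler makes the kernel request a module named net-pf-<N>, so that line works by pointing the request at a module that does not exist. A 'blacklist' entry stops that alias-based autoload but not an explicit 'modprobe rds'; 'install <mod> /bin/false' blocks the explicit load too. Neither unloads a module that is already present, which is why the live check also looks at lsmod.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes the modprobe.d and
# sysctl.d fragments for disabling rare protocol modules and IPv6, and
# verifies them. ROOT is a hypothetical prefix (use / for a real system).

MODULES="dccp sctp rds tipc"   # assumption: the protocols to disable

# One modprobe.d file for all modules. 'install <mod> /bin/false' makes
# modprobe run /bin/false instead of loading the module, so both explicit
# and alias-triggered (net-pf-<N>) loads fail; 'blacklist' is kept as well
# so alias autoloading is refused even if someone runs modprobe --ignore-install.
write_modprobe_conf() {
    root=$1
    dir="$root/etc/modprobe.d"
    mkdir -p "$dir"
    out="$dir/blacklist-rare-network-modules.conf"   # assumed file name
    : > "$out"
    for m in $MODULES; do
        printf 'install %s /bin/false\n' "$m" >> "$out"
        printf 'blacklist %s\n' "$m" >> "$out"
    done
    printf '%s\n' "$out"
}

# IPv6 is built in on current kernels, so it is disabled via sysctl; a
# sysctl.d fragment (assumed path) survives reboots like /etc/sysctl.conf.
write_sysctl_conf() {
    root=$1
    dir="$root/etc/sysctl.d"
    mkdir -p "$dir"
    out="$dir/99-disable-ipv6.conf"
    cat > "$out" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
    printf '%s\n' "$out"
}

# Returns 0 if the generated file carries an install line for module $2.
is_install_blocked() {
    grep -q "^install $2 " "$1"
}

# Live check on a real system: 'modprobe -n -v' is a verbose dry run, so a
# module covered by an install rule prints that rule instead of loading.
# A module that is already loaded stays loaded; rmmod it separately.
live_check() {
    for m in $MODULES; do
        if lsmod | grep -q "^$m "; then
            printf '%s: currently loaded (config does not unload it)\n' "$m"
        else
            printf '%s: not loaded\n' "$m"
        fi
        if modprobe -n -v "$m" 2>&1 | grep -q '/bin/false'; then
            printf '%s: install rule active\n' "$m"
        else
            printf '%s: WARNING no install rule seen\n' "$m"
        fi
    done
    printf 'ipv6 disabled (all): %s\n' "$(sysctl -n net.ipv6.conf.all.disable_ipv6)"
}

case "${1:-}" in
    apply)   # needs root: write to / and load the sysctl values now
        write_modprobe_conf /
        write_sysctl_conf /
        sysctl -w net.ipv6.conf.all.disable_ipv6=1
        sysctl -w net.ipv6.conf.default.disable_ipv6=1
        ;;
    check)
        live_check
        ;;
esac
```

Run it as `sh disable-rare-net.sh apply` to install the fragments and `sh disable-rare-net.sh check` to audit; with any other argument it only defines the functions, so `write_modprobe_conf /tmp/stage` is a safe way to inspect the output first.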