On Wednesday 28 March 2007 16:41, John Brahy wrote:
> So if I use GENERIC and then disable ipv6 is that a safe thing to do?
> In light of the recent security issue and since I don't use ipv6 I
> thought it would make the system more secure, but I definitely don't
> want to make it unstable.

John,

You're kind of missing the philosophy behind how and why things are done.

Firstly, OpenBSD is very well known for having "sane defaults" in every place where a default is needed. This includes kernel configuration and the inclusion of IPv6. Messing with the default settings found in the kernel configuration (a.k.a. "GENERIC") is not smart. More often than not, you are not increasing security or performance; instead, in nearly all cases you are only shooting yourself in the foot.

If you have no need for IPv6 and want to make sure it is not available, the most correct and most sane answer is also the most simple; just block IPv6 traffic with pf(4).

    block in quick all inet6

If you're not using IPv6, then the above line should have *already* been in your pf.conf and you would have never been vulnerable to the recent security issue -- even if you were running the exploitable code.

When people mistakenly decide to roll their own custom kernel, they are beyond help - there is no way anyone else could help them debug problems because there's no way of knowing what kind of madness was used to configure the custom kernel.

Blindly twisting knobs and pushing unknown buttons will only bring you heartache and headache.

jcr

