Re: Notice: IPv6 breaking issues tentatively considered blocker for F17

On 03/10/2012 03:31 PM, Tore Anderson wrote:

Regarding this bug in particular, I'll just note that there is
already a precedent. In a default Fedora installation, traffic to the
DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed
from the entire internet. From a security standpoint, blocking only one
of the two does not make much sense. At least not to me, and there has
been no attempt at an explanation for any other viewpoint that I'm aware of.

There are also a few other problems that prevent IPv6-only from working
out of the box. I have also nominated those as release blockers:

https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65
https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3

Also, I understand that the "ip6tables" service might be replaced
with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805).
If so, that would probably make #591630 irrelevant, however firewalld
has IPv6 problems all on its own (even more so than just breaking
DHCPv6, *all* IPv6 connectivity is broken by default), see:

https://bugzilla.redhat.com/show_bug.cgi?id=801182

I did not nominate this one as a blocker yet though, as I don't know if
firewalld will indeed be made the default solution for F17. However, if
it does, #801182 needs to be a release blocker as well.

Best regards,

With zone support in firewalld I'd like to start a discussion on the zones that should enable DHCPv6 client support.

We have these zones:
  block     all incoming connection requests blocked (rejected)
  dmz       ssh enabled
  drop      all incoming connection requests dropped
  external  ssh and masquerade enabled
  home      ssh, ipp-client, mdns, samba-client, dhcpv6-client enabled
  internal  ssh, ipp-client, mdns and samba-client enabled
  public    ssh enabled
  trusted   all incoming connections allowed
  work      ssh, ipp-client and dhcpv6-client enabled

For now DHCPv6-client support is enabled in 'work' and 'home', but not in the default zone 'public'.

Should we enable dhcpv6-client in the default zone and maybe others also?

Thanks,
Thomas
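
Added example, not part of the original message and not firewalld's own code: a small audit that reads zone definitions and reports which zones would admit inbound DHCPv6 replies (UDP port 546), the question raised for the default zone above. It assumes firewalld's zone XML file format (`<service name=.../>`, `<port .../>`, a `target` attribute on `<zone>`); the sample zone definitions and the "custom" zone are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed zone definitions in firewalld's zone XML format, mirroring
# three rows of the zone list above plus one hypothetical "custom" zone.
SAMPLE_ZONES = {
    "public": '<zone><short>Public</short><service name="ssh"/></zone>',
    "work": '<zone><short>Work</short><service name="ssh"/>'
            '<service name="ipp-client"/><service name="dhcpv6-client"/></zone>',
    "trusted": '<zone target="ACCEPT"><short>Trusted</short></zone>',
    "custom": '<zone><service name="ssh"/>'
              '<port protocol="udp" port="500-600"/></zone>',
}

DHCPV6_CLIENT_PORT = 546  # UDP port the DHCPv6 client listens on


def port_covers(spec, port):
    """True if a port spec ('546' or '500-600') includes the given port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def dhcpv6_reply_allowed(zone_xml):
    """Return (allowed, reason) for inbound DHCPv6 replies in one zone."""
    zone = ET.fromstring(zone_xml)
    if zone.get("target") == "ACCEPT":
        return True, "zone target accepts everything"
    services = {s.get("name") for s in zone.findall("service")}
    if "dhcpv6-client" in services:
        return True, "dhcpv6-client service enabled"
    for p in zone.findall("port"):
        if p.get("protocol") == "udp" and port_covers(p.get("port"), DHCPV6_CLIENT_PORT):
            return True, "udp port %s opened explicitly" % p.get("port")
    return False, "no rule admits udp/546"


def audit(zones):
    """Map zone name -> (allowed, reason) for every zone given."""
    return {name: dhcpv6_reply_allowed(xml) for name, xml in zones.items()}


if __name__ == "__main__":
    for name, (ok, why) in sorted(audit(SAMPLE_ZONES).items()):
        print("%-8s %-5s %s" % (name, "ok" if ok else "BLOCK", why))
```

To audit a real system, build the `zones` dictionary from the contents of the installed zone XML files instead of `SAMPLE_ZONES`.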