On Thu, Oct 09, 2008 at 07:15:27PM +0200, Valent Turkovic wrote: > "That is why I believe that ALL services should be disabled, and then > for each one there should be some kind of explanation why this service > absolutely needs to be enabled. All the rest services should be left > disabled by default." Ok, so that is why I'm pointing out the importance of ip6tables service. The name "service" is really a misnomer, because all the "service" does is load a configuration file into the kernel. Nothing remains running or listening to network sockets after ip6tables is done loading the firewall rules. > Fedora 9 had an option during install where you choose to use or not > to use IPv6, I don't see that option in Fedora 10, why? If there is an > option I would like to disabel IPv6, and also IPv6 iptables. If there > is no option to disable IPv6 then as I wrote already "there should be > some kind of explanation why this service absolutely needs to be > enabled." Even if you disable IPv6 during the install of Fedora, it does NOT prevent the IPv6 network stack from loading into the kernel. Link-local will still work. Stateless IPv6 Auto-Configuration for local and global connectivity will still work. The only thing it does is prevent manual static addressing or DHCPv6 from being configured. > In a care that IPv6 can't be disabled in Fedora 10, as as previously > possible in Feodra 9, then IPv6 should be turned on by default. Why don't we provide an option to disable IPv4 by default? (Hint: that was a rhetorical question). In any case, given the miniscule costs associated with keeping ip6tables enabled by default, I believe the benefits to protect against accidental exposure to other IPv6 hosts is worth it, especially given how easy it is to unknowingly get IPv6 connectivity. > Why do you only commend the "low hanging fruits" :) ie. services, what > are your comments regarding other services on the list? It is my self-appointed job to be vigilent about IPv6 :-) I do care about the others on your list, but I'm sure others care enough about them to comment as well. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
