Re: ipv6 link local address

On Tue, 07/06/2011 at 00:06 -0700, Erik Schorr wrote:
> On 06/06/2011 11:44 PM, Nikolay S. wrote:
> > On Mon, 06/06/2011 at 21:47 +0000, bmcdowell@xxxxxxxxxxxxxxxxxx wrote:
> >> Hello list.  I'm updating my IBF (invisible bridging firewall) deployments, and I'd like to add support for ip6tables.  In the near-term, I'd like to '-P DROP' everything, but I'd rather not have to reinvent the wheel once/when/if we start supporting this protocol in the DMZ.
> >>
> >> Everything seems to be moving along just fine, except the matter of the link local addressing.  While not specifically a netfilter issue, I do wonder if anyone on the list has dealt with this in the past.  It seems to my somewhat-limited understanding of the protocol that there's simply no way to filter ipv6 without 'speaking' it.  Even in my very early days of learning ipv4 I could have specified a '0.0.0.0' address on the interface, but ipv6 is designed from the ground up to prohibit this behavior.  Ostensibly for issues such as address allotment, any ipv6 enabled interface defaults to being able to converse with any other interface on the same layer 3 link.  For an IBF this is potentially a bad thing, because now my unaddressable device is suddenly addressable, even if only to those on the same local link. The simplest example scenario I can imagine is a compromised FTP/Web server speaking to a vulnerable iptables firewall and re-writing the rules it carries.
> >>
> >> While I can certainly firewall off this traffic easily using netfilter today, I'll not be able to do that forever.  The moment I allow link-local traffic I'll be exposing my bridge interfaces to the same.  Assuming netfilter is never down or misconfigured seems to be a fatal conceit.
> >>
> >> Thoughts?
> >>
> >>
> >
> > You can turn off ipv6 on interfaces. This should not prevent bridging
> > ipv6, but will remove any ipv6 logic from them.
> 
> I wish I'd known this.  Could you give an example of how to remove ipv6 
> functionality from an interface?  I think this was the only thing 
> preventing me from unloading an accidentally-loaded ipv6.ko module.
> 

Sure

sysctl net.ipv6.conf.{interface|all|default}.disable_ipv6=1

or

echo 1 > /proc/sys/net/ipv6/conf/{interface|all|default}/disable_ipv6


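As an added example (not from the thread or either poster), a small POSIX shell script that turns the sysctl settings from the reply above into a repeatable check for an invisible bridging firewall: it emits the disable_ipv6 settings for the bridge member interfaces (plus 'default' so later-added interfaces are covered), optionally applies them, and parses 'ip -6 addr show' output for any leftover link-local (fe80::/10) address. The interface names eth0/eth1 and the sample 'ip' output are assumed and constructed.

```shell
#!/bin/sh
# Disable IPv6 on bridge member interfaces and verify that none of them
# still carries a link-local address. Interface names are assumptions.

# Print the sysctl settings for the given interfaces, plus 'default' so
# that interfaces brought up later start with IPv6 disabled as well.
ipv6_disable_settings() {
    for i in "$@" default; do
        printf 'net.ipv6.conf.%s.disable_ipv6=1\n' "$i"
    done
}

# Apply the settings with sysctl -w (requires root).
ipv6_disable_apply() {
    ipv6_disable_settings "$@" | while IFS= read -r kv; do
        sysctl -w "$kv" >/dev/null || return 1
    done
}

# Read 'ip -6 addr show' output on stdin and print every interface that
# still has an address in fe80::/10. Empty output means the check passed.
ifaces_with_link_local() {
    awk '
        /^[0-9]+: / { sub(/:$/, "", $2); dev = $2 }
        $1 == "inet6" && $2 ~ /^[fF][eE][89aAbB][0-9a-fA-F]:/ { seen[dev] = 1 }
        END { for (d in seen) print d }
    ' | sort
}

# Constructed sample of 'ip -6 addr show' output: eth0 still has a
# link-local address, eth1 has IPv6 disabled and therefore none.
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
'

# With --apply, disable IPv6 on the assumed members; otherwise only
# demonstrate the check against the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    ipv6_disable_apply eth0 eth1 && ip -6 addr show | ifaces_with_link_local
else
    printf '%s' "$SAMPLE" | ifaces_with_link_local
fi
```

On a live system run it as root with --apply and then re-run the check without arguments replaced by real 'ip -6 addr show' output; any interface it prints is still reachable on the local link.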
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

