On Sun, 2009-10-25 at 17:41 +0100, Per Jessen wrote:
Hans Witvliet wrote:
On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. [snip]
I think so. Systems can have their dhcp-set-up in different ways: IPV4-ONLY, IPV6-ONLY and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling forever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere", you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made.
I was considering that most consumer/commodity ADSL boxes do not yet support IPV6, so the provider can advertise IPV6 as much as he wants, it won't cause a problem. That was what happened on my system.
Ok, but most organizations of any size are probably not connected to the Internet via a commodity ADSL router. Every single organization I visit has either a Cisco or 3com device. But leaking through a traditional firewall sandwich would be hard; from a security perspective I'm far more concerned about avoiding a crunchy-on-the-outside-chewy-on-the-inside situation [which is what an over-reliance on perimeter defenses results in]. If you don't deal with IPv6 you can easily end up running a parallel essentially stealth network inside your organization.
Anyway, what are the default SuSEfirewall settings for IPv6?
Glancing at my laptop it looks like it drops everything but ICMP; but I haven't looked at a truly fresh install to see if that is the same.
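Added example, not part of the original thread: a small shell check for the situation discussed above, an accept-all ip6tables INPUT chain that only becomes a problem once the host is handed a global IPv6 address. The function names, verdict strings and sample outputs are constructed for illustration; the functions parse the text of `ip6tables -S INPUT` and `ip -6 -o addr show scope global`.

```shell
#!/bin/sh
# Added example. Inputs are captured command output; samples are constructed.

input_policy() {      # stdin: ip6tables -S INPUT -> prints the chain policy
    awk '$1 == "-P" && $2 == "INPUT" { p = $3 }
         END { print (p != "" ? p : "UNKNOWN") }'
}

input_rule_count() {  # stdin: ip6tables -S INPUT -> number of -A INPUT rules
    awk '$1 == "-A" && $2 == "INPUT" { n++ } END { print n + 0 }'
}

has_global_v6() {     # stdin: ip -6 -o addr show scope global -> exit 0 if any
    awk '$3 == "inet6" && $4 !~ /^fe80:/ { found = 1 } END { exit !found }'
}

# assess RULES ADDRS: classify the host from the two captured outputs.
assess() {
    policy=$(printf '%s\n' "$1" | input_policy)
    count=$(printf '%s\n' "$1" | input_rule_count)
    case $policy in
        ACCEPT)  ;;
        UNKNOWN) echo "UNKNOWN: no INPUT policy line found"; return ;;
        *)       echo "OK: INPUT policy is $policy"; return ;;
    esac
    if [ "$count" -gt 0 ]; then
        echo "REVIEW: INPUT policy ACCEPT with $count rule(s)"
    elif printf '%s\n' "$2" | has_global_v6; then
        echo "EXPOSED: global IPv6 address and accept-all INPUT chain"
    else
        echo "LATENT: accept-all INPUT chain, no global IPv6 address yet"
    fi
}

# Constructed samples (2001:db8::/32 is the documentation prefix).
OPEN_RULES='-P INPUT ACCEPT'
DROP_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT'
NO_ADDR=''
WITH_ADDR='2: eth0    inet6 2001:db8:1::10/64 scope global dynamic'

assess "$OPEN_RULES" "$NO_ADDR"     # IPv4-only provider: nothing visible yet
assess "$OPEN_RULES" "$WITH_ADDR"   # provider starts handing out IPv6
assess "$DROP_RULES" "$WITH_ADDR"   # default-drop rule set, ICMPv6 allowed

# Live use (needs root):
#   assess "$(ip6tables -S INPUT)" "$(ip -6 -o addr show scope global)"
```

The LATENT verdict is the state worth hunting for on IPv4-only networks, since nothing looks wrong until the first global address arrives.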