On Tue, 23 Apr 2002, Reckhard, Tobias wrote:
As the SuSE kernel and some SuSE server packages have IPv6 enabled by default, I want to be sure that my SuSEfirewall2 is protecting these running servers.
What rules/chains should I look for? Do I need to add custom rules? (In my case I don't want to expose any of them to the dial-up interface. I use sshd over v6 on internal ethernet but only for convenience of configuration, I could switch to ipv4 if I need)
If you don't *need* a feature, security best practises say to turn it off, better even remove it. Or don't install it in the first place.
Of course Tobias is right - I made the mistake of assuming that since ipv6 was compiled in to the stock kernel and sshd binary, that it was properly protected by personal-firewall.

Turning it off is easy for sshd, I think, just put SSHD_OPTS="-4" in /etc/rc.config and /usr/sbin/sshd restart

But I think there are several other local services with v6 capability that I have no need to expose. Is there a correct way to turn it off in the kernel? I can't see it in the kernel docs, so maybe I should get the 2.4.16 sources and recompile w/o ipv6.

Perhaps this is already addressed by some harden script I can use.

(btw in my situation - of having a laptop moving between networks, it is nice to have ipv6 as it could save me from installing a dhcpd that I don't really need.)

dproc