Correct way to not load ipv6 module f8/9?
Steve Grubb
sgrubb at redhat.com
Fri Mar 21 14:19:03 UTC 2008
On Friday 21 March 2008 10:02:04 Chuck Anderson wrote:
> > This is the guidance I'm passing out in our security documents:
> >
> > 1) Create a file /etc/modprobe.d/no-ipv6
> > 2) Add inside it
> > install ipv6 /bin/true
> > 3) Close up and reboot
>
> Why not just firewall it?
The whole idea is to reduce the attack surface of Linux. What if there is a
vulnerability in the ipv6 code between the ethernet card and iptables? What
if you protect it from external abuse but there is still a privilege
escalation attack for local users?
It's best to just get rid of it if you do not need it.
-Steve
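
A check for the override given in the quoted steps, as an added example that is not part of the original message: it scans a modprobe.d-style directory and reports whether a module has an `install <module> /bin/true` override or only a `blacklist` line, which stops alias-based autoloading but not an explicit `modprobe`. The helper name `check_module_disabled` and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a modprobe.d-style directory for the override above.
# check_module_disabled is a hypothetical helper name, not a system tool.
# It scans every regular file because the file in the steps has no .conf
# suffix; current kmod-based modprobe only reads files ending in .conf.

# Usage: check_module_disabled DIR MODULE
# Prints: disabled | blacklist-only | not-disabled
check_module_disabled() {
    dir=$1
    mod=$2
    result=not-disabled
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # The "|| [ -n ... ]" part keeps a last line that lacks a newline.
        while read -r verb name cmd rest || [ -n "$verb" ]; do
            case $verb in
                ''|'#'*) continue ;;          # blank line or comment
            esac
            [ "$name" = "$mod" ] || continue
            case $verb in
                install)
                    # The load command is replaced by a no-op, so even an
                    # explicit "modprobe <module>" loads nothing.
                    case $cmd in
                        /bin/true|/bin/false) result=disabled ;;
                    esac ;;
                blacklist)
                    # Only suppresses alias-based autoloading.
                    [ "$result" = disabled ] || result=blacklist-only ;;
            esac
        done < "$f"
    done
    echo "$result"
}

# Constructed sample: the file from the steps, written to a scratch directory.
demo=$(mktemp -d)
printf '%s\n' '# no IPv6 on this host' 'install ipv6 /bin/true' > "$demo/no-ipv6"
printf 'ipv6: %s\n' "$(check_module_disabled "$demo" ipv6)"
rm -rf "$demo"
```

On a live system, point it at `/etc/modprobe.d` and confirm after the reboot that `ipv6` no longer appears in `/proc/modules`.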