Working on a new CentOS 7 image, I was warned off completely disabling the IPv6 stack for
three main categories of reasons I've come to identify as "it breaks other stuff
somewhat unpredictably", "a whole bunch of stuff in the OS relies on IPv6 in
ways that are nearly unpredictable" (which I consider a superset of category 1, but
sounds less like a scary bedtime story / an excuse for bad programming) and "IPv6 is
the future; get with it". However, as I need to also exist in the present time, and
I do not intend to make active use of IPv6, I want to secure my server against speaking or
hearing IPv6 on the physical interface in any way I reasonably can. I used sysctl to
disable IPv6 on all physical interfaces, but it still leaves a link-local address bound to
the physical interface, and as this machine is going into a colocation facility, I
don't trust my neighbours, so my next stop is the firewall.
In my firewalld configuration, I have been trying to add the broadest rich rule to drop
IPv6 traffic I can. My initial attempt was:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" drop'
But I got back:
Error: INVALID_RULE: no element, no source, no destination
I then tried:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" protocol value="ipv6" drop'
This was successfully added, but when I took a closer look at /etc/protocols, it appears
that protocol is actually only for IPv6 tunneling over IPv4, so while the firewall accepts
the rich rule, I don't think it's going to do what I want it to do. If it were
IPv4 I would do a source restriction of 0.0.0.0/0, and Google / Server Fault tells me the
IPv6 equivalent is ::0/0, so when I run:
sudo firewall-cmd --add-rich-rule='rule family="ipv6" source address="::0/0" drop'
It leaves me with an ip6tables -S rule of:
-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
This LOOKS like what I want, but I almost just mistook the IPv6-over-IPv4 tunneling
protocol for IPv6, so I'm asking the gurus on here whether this is how they deafen their
interfaces to IPv6 or whether I've missed something due to my lack of understanding of the
protocol.
Any suggestions would be appreciated.
Thanks,
Scott
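The distinction the question turns on is the one between the `ipv6` entry in /etc/protocols (protocol number 41, i.e. encapsulated IPv6 carried inside another packet) and the IPv6 address family that ip6tables operates on as a whole. The following POSIX sh script is an added example, not part of the original post and not firewalld's own tooling: it looks up protocol numbers in an /etc/protocols-style table and audits `ip6tables -S` output, flagging rules that match only on `-p ipv6` (protocol 41) rather than on an address that covers all of IPv6. The sample rules and the protocols excerpt are constructed, and the assumption that firewalld renders `source address="::0/0"` as `-s ::/0` is mine, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post, not firewalld code): audit
# `ip6tables -S` output for rules written with "-p ipv6". In /etc/protocols,
# "ipv6" is protocol number 41 (encapsulated IPv6), so such a rule matches only
# packets carrying that protocol, not the IPv6 address family as a whole. A rule
# matching "-s ::/0" (assumed to be what firewalld emits for
# source address="::0/0") does match every IPv6 source. On a live host, feed
# real output instead of the sample:
#     ip6tables -S | audit_rules

# Constructed sample of ip6tables -S output: one rule of each kind.
SAMPLE_RULES='-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
-A IN_myserverzone_deny -s ::/0 -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmpv6 -j ACCEPT'

# Constructed excerpt in the format of /etc/protocols (name, number, alias).
SAMPLE_PROTOCOLS='ip      0       IP      # internet protocol, pseudo protocol number
ipv6    41      IPv6    # Internet Protocol, version 6
icmpv6  58      IPv6-ICMP # ICMP for IPv6'

# proto_number NAME: print the protocol number for NAME from an
# /etc/protocols-style table read on stdin (prints nothing if absent).
proto_number() {
    awk -v name="$1" '$1 !~ /^#/ && $1 == name { print $2; exit }'
}

# classify_rule RULE: print "proto41" for a rule that only matches protocol 41,
# "any-address" for a rule whose source or destination covers all of IPv6,
# or "other" for anything else.
classify_rule() {
    case " $1 " in
        *" -p ipv6 "*|*" -p 41 "*)
            echo "proto41" ;;
        *" -s ::/0 "*|*" -s ::0/0 "*|*" -d ::/0 "*|*" -d ::0/0 "*)
            echo "any-address" ;;
        *)
            echo "other" ;;
    esac
}

# audit_rules: read rules from stdin, report each protocol-41-only rule on
# stderr, and print the number of such rules on stdout.
audit_rules() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(classify_rule "$line")" = "proto41" ]; then
            echo "protocol-41-only rule (does not match all IPv6): $line" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_sample: run the audit over the constructed sample and print the count
# of misleading rules (1 for the sample above).
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules 2>/dev/null
}
```

Piping the live `ip6tables -S` into `audit_rules` lists every rule that only drops protocol 41 traffic; any `-p ipv6` rule it reports should be replaced by one that matches on address (`-s ::/0`) or on the chain's default policy, since ip6tables already restricts itself to the IPv6 family and needs no protocol selector to cover all of it.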