2:47 p.m.
Working on a new CentOS 7 image, I was warned off completely disabling the IPv6 stack for
three main categories of reasons I've come to identify as "it breaks other stuff
somewhat unpredictably", "a whole bunch of stuff in the OS relies on IPv6 in
ways that are nearly unpredictable" (which I consider a superset of category 1, but
sounds less like a scary bedtime story / an excuse for bad programming) and "IPv6 is
the future; get with it". However, as I need to also exist in the present time, and
I do not intend to make active use of IPv6, I want to secure my server against speaking or
hearing IPv6 on the physical interface in any way I reasonably can. I used sysctl to
disable IPv6 on all physical interfaces, but it still leaves a link-local address bound to
the physical interface and as this machine is going into a colocation facility, I
don't trust my neighbours so my next stop is the firewall.
In my firewalld configuration, I have been trying to add the broadest rich rule to drop
IPv6 traffic I can. My initial attempt was:
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” drop’
But I got back:
Error: INVALID_RULE: no element, no source, no destination
I then tried:
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” protocol value=”ipv6” drop’
Which was successfully added, but when I took a closer look at /etc/protocols, it appears
that protocol is actually only for IPv6 tunneling over IPv4 so while the firewall accepts
the rich rule, I don't think it's going to do what I want it to do. If it was
IPv4 I would do a source restriction of 0.0.0.0/0 and Google / Server Fault tells me the
IPv6 equivalent is ::0/0 so when I run:
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” source address="::0/0"
drop’
It leaves me with an ip6tables -S rule of:
-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
Which LOOKS like what I want, but I almost just mistook the IPv6 over IPv4 tunneling
protocol for IPv6 so I'm asking the gurus on here if this is how they deafen their
interfaces to IPv6 or if I've missed something due to my lack of understanding of the
protocol.
Any suggestions would be appreciated.
Thanks,
Scott
8:34 a.m.
On Sat, Aug 03, 2019 at 07:47:02PM -0000, Scott A. Wozny wrote:
Working on a new CentOS 7 image, I was warned off completely
disabling
the IPv6 stack for three main categories of reasons I've come to
identify as "it breaks other stuff somewhat unpredictably", "a whole
bunch of stuff in the OS relies on IPv6 in ways that are nearly
unpredictable" (which I consider a superset of category 1, but sounds
less like a scary bedtime story / an excuse for bad programming) and
"IPv6 is the future; get with it". However, as I need to also exist
in the present time, and I do not intend to make active use of IPv6, I
want to secure my server against speaking or hearing IPv6 on the
physical interface in any way I reasonably can. I used sysctl to
disable IPv6 on all physical interfaces, but it still leaves a
link-local address bound to the physical interface and as this machine
is going into a colocation facility, I don't trust my neighbours so my
next stop is the firewall.
First of all, I'll echo the advice to _not_ disable IPv6.
Secondly, firewalld already filters IPv6 just as it does for IPv4. That
is, it only allows services/ports/etc that you enable.
In my firewalld configuration, I have been trying to add the broadest
rich rule to drop IPv6 traffic I can. My initial attempt was:
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” drop’
But I got back:
Error: INVALID_RULE: no element, no source, no destination
I then tried:
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” protocol value=”ipv6” drop’
Which was successfully added, but when I took a closer look at
/etc/protocols, it appears that protocol is actually only for IPv6
tunneling over IPv4 so while the firewall accepts the rich rule, I
don't think it's going to do what I want it to do. If it was IPv4 I
would do a source restriction of 0.0.0.0/0 and Google / Server Fault
tells me the IPv6 equivalent is ::0/0 so when I run:
It would actually be IPv6 in IPv6. But you're correct, that's not what
you want.
sudo firewall-cmd --add-rich-rule=’rule family=”ipv6” source
address="::0/0" drop’
It leaves me with an ip6tables -S rule of:
-A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
Which LOOKS like what I want, but I almost just mistook the IPv6 over
IPv4 tunneling protocol for IPv6 so I'm asking the gurus on here if
this is how they deafen their interfaces to IPv6 or if I've missed
something due to my lack of understanding of the protocol.
This may be what you want, but it's not a complete block on IPv6 as it's
only blocking NEW connections. If your server started an IPv6 connection
with something to the outside world it would still work.
If you want a _complete_ block, you can use a direct rule that occurs
very early in the netfilter pipeline.
# firewall-cmd --direct --add-rule ipv6 raw PREROUTING 0 -j DROP
10:57 a.m.
Why not disable IPv6 at all?
Put the following lines in /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
1708
days inactive
1728
days old
firewalld-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Eric Garver -
Freek de Kruijf -
Scott A. Wozny