On Sat, Aug 03, 2019 at 07:47:02PM -0000, Scott A. Wozny wrote:
> Working on a new CentOS 7 image, I was warned off completely disabling
> the IPv6 stack for three main categories of reasons I've come to
> identify as "it breaks other stuff somewhat unpredictably", "a whole
> bunch of stuff in the OS relies on IPv6 in ways that are nearly
> unpredictable" (which I consider a superset of category 1, but sounds
> less like a scary bedtime story / an excuse for bad programming) and
> "IPv6 is the future; get with it". However, as I need to also exist
> in the present time, and I do not intend to make active use of IPv6, I
> want to secure my server against speaking or hearing IPv6 on the
> physical interface in any way I reasonably can. I used sysctl to
> disable IPv6 on all physical interfaces, but it still leaves a
> link-local address bound to the physical interface and as this machine
> is going into a colocation facility, I don't trust my neighbours so my
> next stop is the firewall.
First of all, I'll echo the advice to _not_ disable IPv6.
Secondly, firewalld already filters IPv6 just as it does for IPv4. That
is, it only allows services/ports/etc that you enable.
> In my firewalld configuration, I have been trying to add the broadest
> rich rule to drop IPv6 traffic I can. My initial attempt was:
>
> sudo firewall-cmd --add-rich-rule='rule family="ipv6" drop'
>
> But I got back:
>
> Error: INVALID_RULE: no element, no source, no destination
>
> I then tried:
>
> sudo firewall-cmd --add-rich-rule='rule family="ipv6" protocol value="ipv6" drop'
>
> Which was successfully added, but when I took a closer look at
> /etc/protocols, it appears that protocol is actually only for IPv6
> tunneling over IPv4 so while the firewall accepts the rich rule, I
> don't think it's going to do what I want it to do. If it was IPv4 I
> would do a source restriction of 0.0.0.0/0 and Google / Server Fault
> tells me the IPv6 equivalent is ::0/0 so when I run:
It would actually be IPv6 in IPv6. But you're correct, that's not what
you want.
> sudo firewall-cmd --add-rich-rule='rule family="ipv6" source
> address="::0/0" drop'
>
> It leaves me with an ip6tables -S rule of:
>
> -A IN_myserverzone_deny -p ipv6 -m conntrack --ctstate NEW -j DROP
>
> Which LOOKS like what I want, but I almost just mistook the IPv6 over
> IPv4 tunneling protocol for IPv6 so I'm asking the gurus on here if
> this is how they deafen their interfaces to IPv6 or if I've missed
> something due to my lack of understanding of the protocol.
This may be what you want, but it's not a complete block on IPv6 as it's
only blocking NEW connections. If your server started an IPv6 connection
with something to the outside world it would still work.
If you want a _complete_ block, you can use a direct rule that occurs
very early in the netfilter pipeline.
# firewall-cmd --direct --add-rule ipv6 raw PREROUTING 0 -j DROP
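An added example, not part of the thread above and not the poster's or firewalld's own code: a small POSIX shell script that (a) prints the firewall-cmd direct-rule lines for a complete IPv6 block on the physical interface, scoped to the interface so loopback (::1) keeps working, and (b) audits `ip6tables -S` style output to separate NEW-only drops like the rich rule above from unconditional drops. The interface name `eth0` and the firewalld direct chain name `PREROUTING_direct` (where CentOS 7 firewalld places raw PREROUTING direct rules) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes firewalld with the ip6tables
# direct backend as on CentOS 7. IFACE defaults to eth0 (an assumption).
IFACE="${IFACE:-eth0}"

# Print, rather than run, the commands for a complete IPv6 block on $IFACE.
# raw PREROUTING runs before conntrack, so nothing inbound on $IFACE is ever
# tracked or accepted; raw OUTPUT stops the host speaking IPv6 on $IFACE.
# Matching on the interface leaves ::1 on lo alone for local services.
# Apply with:  ipv6_block_commands | sudo sh
ipv6_block_commands() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv6 raw PREROUTING 0 -i %s -j DROP\n' "$IFACE"
    printf 'firewall-cmd --permanent --direct --add-rule ipv6 raw OUTPUT 0 -o %s -j DROP\n' "$IFACE"
    printf 'firewall-cmd --reload\n'
}

# Read "ip6tables -S" / "ip6tables -t raw -S" lines on stdin and print one
# line per DROP rule:
#   partial <rule>   drop only matches --ctstate NEW (replies to outbound
#                    IPv6 connections still pass, as the reply above notes)
#   complete <rule>  drop has no conntrack state match
classify_ip6_drops() {
    while IFS= read -r line; do
        case "$line" in
            *" -j DROP"*)
                case "$line" in
                    *"--ctstate NEW"*) printf 'partial %s\n' "$line" ;;
                    *)                 printf 'complete %s\n' "$line" ;;
                esac ;;
        esac
    done
}

# Exit 0 only if stdin contains an unconditional DROP in raw PREROUTING
# (either appended directly or via firewalld's PREROUTING_direct chain,
# the latter being an assumption about firewalld's chain naming).
has_complete_inbound_block() {
    classify_ip6_drops | grep -qE '^complete -A PREROUTING(_direct)? '
}
```

Usage on the box: `ip6tables -t raw -S | has_complete_inbound_block && echo "IPv6 fully dropped inbound"`; the rich rule from the thread, seen in the filter table, classifies as `partial` because of its `--ctstate NEW` match.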