On 07/06/2012 16:36, John Doe wrote:
> Hi,
>
> after IPv6 day, I was wondering if our servers were really secure...
> And, I know we should switch on IPv6 everywhere but... it will take some
> time.
>
>
> Usually, we disable(d) IPv6; so we are not running ip6tables.
> Can I start ip6tables in all cases (even if only IPv4) just to be on the
> safe side?
>
> On CentOS 6 servers, I use the --noipv6 in the kickstart files and I
> removed NetworkManager; but ifconfig still shows IPv6 addresses.
> And I wonder from where it gets them... based on the MAC?
>
> I guess they are not routable, so I should not get any traffic... right?
>
> Thx,
> JD
>
>
Your best bet with regard to protecting yourself from passing IPv6
tunnelled traffic is to make sure you're blocking protocol 41. This will
prevent rogue IPv6 tunnels forming across your IPv4 network. You don't
need ip6tables to do this.

If your other managed endpoints are not running IPv6 and you're blocking
protocol 41 (note this is not port 41, but _protocol_ 41) then you
should mitigate most of the IPv6 issues. I would normally assume that
your demarc points have a default policy to drop unknown / unspecified
traffic.
--
Regards,
Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net
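The protocol-41 filter described in the reply above, written out as an added example; this is not code from the thread. It assumes the default iptables filter table with its INPUT/FORWARD/OUTPUT chains (as on CentOS 6) and that `iptables -S` prints protocol 41 by its /etc/protocols name, `ipv6`. The Teredo rule goes beyond the reply: Teredo carries IPv6 inside UDP (port 3544 assumed, the registered default), so dropping protocol 41 alone does not stop that kind of tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): drop IPv6-in-IPv4 encapsulation
# (IP protocol 41: 6in4, 6to4, ISATAP) with iptables so rogue tunnels cannot
# form across an IPv4-only network. Assumes the default filter table and its
# INPUT/FORWARD/OUTPUT chains. Set IPTABLES=echo to print instead of apply.

IPTABLES="${IPTABLES:-iptables}"

# Emit one rule per chain. The match is "-p 41", the IP protocol number,
# not "--dport 41": protocol 41 has no ports, it is the encapsulation itself.
proto41_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "-I $chain -p 41 -j DROP"
    done
}

# Goes beyond the reply above: Teredo wraps IPv6 in UDP (port 3544 assumed,
# the registered default), so a protocol-41 filter alone does not stop it.
teredo_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "-I $chain -p udp --dport 3544 -j DROP"
    done
}

# Feed rules (one per line, as printed by the functions above) to $IPTABLES.
apply_rules() {
    while read -r rule; do
        [ -n "$rule" ] || continue
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        $IPTABLES $rule
    done
}

# Verify from "iptables -S" output on stdin that all three chains drop
# protocol 41. iptables prints the protocol by its /etc/protocols name, so
# accept both "-p 41" and "-p ipv6". Usage: iptables -S | proto41_blocked
proto41_blocked() {
    rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" |
            grep -Eq -- "^-A $chain -p (41|ipv6) -j DROP" || return 1
    done
    return 0
}

# Stand-alone use:  IPTABLES=echo sh block41.sh apply   (dry run, prints rules)
#                   sh block41.sh apply                 (as root, applies them)
case "${1:-}" in
    apply) proto41_rules | apply_rules ;;
    apply-teredo) { proto41_rules; teredo_rules; } | apply_rules ;;
esac
```

Run it once with `IPTABLES=echo` to see exactly which rules would be inserted, then as root without it; afterwards `iptables -S | proto41_blocked && echo ok` confirms all three chains carry the drop. On CentOS 6 the rules only survive a reboot if you also run `service iptables save`, which writes them to /etc/sysconfig/iptables.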