Hi;

in shorewall.conf I found

"# DISABLE IPV6
#
# Distributions (notably SuSE) are beginning to ship with IPV6
# enabled. If you are not using IPV6, you are at risk of being
# exploited by users who do. Setting DISABLE_IPV6=Yes will cause
# Shorewall to disable IPV6 traffic to/from and through your
# firewall system. This requires that you have ip6tables installed."

Just for clarification:

Does "ipv6 enabled" mean that either ipv6 is compiled into kernel, or ipv6.o is loaded as module?

In other words - Is there any risk, if you prepare a kernel with ipv6.o (module), but do not load the module?

kp

K.-P. Kirchdörfer wrote:
>
> Just for clarification:
>
> Does "ipv6 enabled" mean that either ipv6 is compiled into kernel, or ipv6.o
> is loaded as module?

Yes.

> In other words - Is there any risk, if you prepare a kernel with ipv6.o
> (module), but do not load the module?
>

No, so long as module autoloading is also disabled or you have set net-pf-10 off in modules.conf.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Friday, 14 May 2004 19:45, Tom Eastep wrote:
> K.-P. Kirchdörfer wrote:
> > Just for clarification:
> >
> > Does "ipv6 enabled" mean that either ipv6 is compiled into kernel, or
> > ipv6.o is loaded as module?
>
> Yes.
>
> > In other words - Is there any risk, if you prepare a kernel with ipv6.o
> > (module), but do not load the module?
>
> No, so long as module autoloading is also disabled or you have set
> net-pf-10 off in modules.conf.

Ok; I asked because LEAF Bering-uClibc is ipv6 ready with a drop-in for ipv6. But it needs the ipv6 module loaded (there is no autoloading, not to mention net-pf-10, in this small distro) and has been concerned about space (ip6tables).

Just a note for others or new readers on list - LEAF Bering-uClibc's ipv6 drop-in provides 6wall, a companion to shorewall for ipv6.

kp
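
An added example, not part of the thread and not code from Shorewall or LEAF: a shell check that classifies a host against the two conditions in Tom's reply (autoloading disabled, or net-pf-10 set off in modules.conf). The function names are hypothetical; it assumes that the presence of /proc/net/if_inet6 means the IPv6 stack is live and that an absent or empty /proc/sys/kernel/modprobe means autoloading is disabled.

```shell
#!/bin/sh
# Added example: classify a host against the two conditions in the thread.
# Paths are parameters so the logic can be exercised on constructed files.

# IPv6 stack is live (built in, or ipv6 module loaded) if this file exists.
ipv6_active() {
    [ -e "${1:-/proc/net/if_inet6}" ]
}

# Assumption: an absent or empty /proc/sys/kernel/modprobe means the kernel
# has no helper to call, i.e. module autoloading is disabled.
autoload_enabled() {
    f="${1:-/proc/sys/kernel/modprobe}"
    [ -r "$f" ] && [ -n "$(tr -d ' \n' < "$f")" ]
}

# True if modules.conf carries "alias net-pf-10 off" (commented lines ignored).
pf10_off() {
    f="${1:-/etc/modules.conf}"
    [ -r "$f" ] && grep -Eq \
        '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off([[:space:]]|$)' "$f"
}

# Prints one of: active | autoloadable | inactive
ipv6_exposure() {
    if ipv6_active "$1"; then
        echo active          # filter with ip6tables or set DISABLE_IPV6=Yes
    elif autoload_enabled "$2" && ! pf10_off "$3"; then
        echo autoloadable    # first AF_INET6 socket() can pull the module in
    else
        echo inactive        # the "no risk" case from the reply
    fi
}

# Report for the local machine using the default paths.
ipv6_exposure
```
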