Notice: IPv6 breaking issues tentatively considered blocker for F17
Thomas Woerner
twoerner at redhat.com
Mon Mar 12 12:41:39 UTC 2012
On 03/10/2012 03:31 PM, Tore Anderson wrote:
>
> Regarding this bug in particular, I'll just note that there is
> already a precedent. In a default Fedora installation, traffic to the
> DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed
> from the entire internet. From a security standpoint, blocking only one
> of the two does not make much sense. At least not to me, and there has
> been no attempt at an explanation for any other viewpoint that I'm aware of.
>
> There are also a few other problems that prevent IPv6-only from working
> out of the box. I have also nominated those as release blockers:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65
> https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3
>
> Also, I also understand that the "ip6tables" service might be replaced
> with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805).
> If so, that would probably make #591630 irrelevant, however firewalld
> has IPv6 problems all on its own (even more so than just breaking
> DHCPv6, *all* IPv6 connectivity is broken by default), see:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=801182
>
> I did not nominate this one as a blocker yet though, as I don't know if
> firewalld will indeed be made the default solution for F17. However, if
> it does, #801182 needs to be a release blocker as well.
>
> Best regards,

With zone support in firewalld I'd like to start a discussion on the
zones that should enable DHCPv6 client support.

We have these zones:

block     all incoming connection requests blocked (rejected)
dmz       ssh enabled
drop      all incoming connection requests dropped
external  ssh and masquerade enabled
home      ssh, ipp-client, mdns, samba-client, dhcpv6-client enabled
internal  ssh, ipp-client, mdns and samba-client enabled
public    ssh enabled
trusted   all incoming connections allowed
work      ssh, ipp-client and dhcpv6-client enabled

For now DHCPv6-client support is enabled in 'work' and 'home', but not
in the default zone 'public'.

Should we enable dhcpv6-client in the default zone and maybe others also?

Thanks,
Thomas