Notice: IPv6 breaking issues tentatively considered blocker for F17

Thomas Woerner twoerner at redhat.com
Mon Mar 12 12:41:39 UTC 2012


On 03/10/2012 03:31 PM, Tore Anderson wrote:
>
> Regarding this bug in particular, I'll just note that there is
> already a precedent. In a default Fedora installation, traffic to the
> DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed
> from the entire internet. From a security standpoint, blocking only one
> of the two does not make much sense. At least not to me, and there has
> been no attempt at an explanation for any other viewpoint that I'm aware of.
>
> There are also a few other problems that prevent IPv6-only from working
> out of the box. I have also nominated those as release blockers:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65
> https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3
>
> Also, I understand that the "ip6tables" service might be replaced
> with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805).
> If so, that would probably make #591630 irrelevant, however firewalld
> has IPv6 problems all on its own (even more so than just breaking
> DHCPv6, *all* IPv6 connectivity is broken by default), see:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=801182
>
> I did not nominate this one as a blocker yet though, as I don't know if
> firewalld will indeed be made the default solution for F17. However, if
> it does, #801182 needs to be a release blocker as well.
>
> Best regards,

With zone support in firewalld I'd like to start a discussion on the 
zones that should enable DHCPv6 client support.

We have these zones:
   block     all incoming connection requests blocked (rejected)
   dmz       ssh enabled
   drop      all incoming connection requests dropped
   external  ssh and masquerade enabled
   home      ssh, ipp-client, mdns, samba-client, dhcpv6-client enabled
   internal  ssh, ipp-client, mdns and samba-client enabled
   public    ssh enabled
   trusted   all incoming connections allowed
   work      ssh, ipp-client and dhcpv6-client enabled

For now DHCPv6-client support is enabled in 'work' and 'home', but not 
in the default zone 'public'.

Should we enable dhcpv6-client in the default zone and maybe others also?

Thanks,
Thomas

