Fedora 10 Live CD services (all necessary?)

Chuck Anderson cra at WPI.EDU
Thu Oct 9 17:29:33 UTC 2008


On Thu, Oct 09, 2008 at 07:15:27PM +0200, Valent Turkovic wrote:
> "That is why I believe that ALL services should be disabled, and then
> for each one there should be some kind of explanation why this service
> absolutely needs to be enabled. All the rest services should be left
> disabled by default."

Ok, so that is why I'm pointing out the importance of ip6tables 
service.  The name "service" is really a misnomer, because all the 
"service" does is load a configuration file into the kernel.  Nothing 
remains running or listening to network sockets after ip6tables is 
done loading the firewall rules.

> Fedora 9 had an option during install where you choose to use or not
> to use IPv6, I don't see that option in Fedora 10, why? If there is an
> option I would like to disable IPv6, and also IPv6 iptables. If there
> is no option to disable IPv6 then as I wrote already "there should be
> some kind of explanation why this service absolutely needs to be
> enabled."

Even if you disable IPv6 during the install of Fedora, it does NOT 
prevent the IPv6 network stack from loading into the kernel.  
Link-local will still work.  Stateless IPv6 Auto-Configuration for 
local and global connectivity will still work.  The only thing it does 
is prevent manual static addressing or DHCPv6 from being configured.

> In a case that IPv6 can't be disabled in Fedora 10, as was previously
> possible in Fedora 9, then IPv6 should be turned on by default.

Why don't we provide an option to disable IPv4 by default?  (Hint: 
that was a rhetorical question).  In any case, given the minuscule 
costs associated with keeping ip6tables enabled by default, I believe 
the benefits to protect against accidental exposure to other IPv6 
hosts are worth it, especially given how easy it is to unknowingly get 
IPv6 connectivity.

> Why do you only commend the "low hanging fruits" :) ie. services, what
> are your comments regarding other services on the list?

It is my self-appointed job to be vigilant about IPv6 :-)  I do care 
about the others on your list, but I'm sure others care enough about 
them to comment as well.
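
The claim above that link-local and stateless autoconfigured addresses exist even when IPv6 was declined at install time can be checked on a host. The script below is an added example, not part of the original message: it reads the kernel's `/proc/net/if_inet6` table and lists every address other hosts can reach, which is what the ip6tables rules have to cover. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Classify entries of the kernel's IPv6 address table (/proc/net/if_inet6).
# Columns: address(32 hex digits) ifindex prefixlen scope flags device
# Scope 10 = host (loopback), 20 = link-local, 00 = global.
# Flag bit 0x80 = permanent; a global address without it carries a lifetime,
# as stateless autoconfiguration (SLAAC) addresses do.

classify_if_inet6() {
    # $1: file in if_inet6 format, "-" for stdin (default: the live table)
    awk '
    NF == 6 {
        addr = $1; scope = $4; flags = $5; dev = $6
        if (scope == "10") next          # ::1 is not reachable from the network
        if (scope == "20")
            kind = "link-local"
        else if (scope == "00")
            kind = (substr(flags, 1, 1) ~ /^[89a-fA-F]$/) ? "global-permanent" : "global-dynamic"
        else
            kind = "other-scope-" scope
        print dev, kind, addr
    }' "${1:-/proc/net/if_inet6}"
}

# Number of addresses other hosts can reach, i.e. what ip6tables has to cover.
exposed_count() {
    classify_if_inet6 "$@" | awk 'END { print NR }'
}

# Constructed sample table (documentation prefix 2001:db8::/32), not real data.
sample_if_inet6() {
    cat <<'EOF'
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 eth0
20010db800000001021122fffe334455 02 40 00 00 eth0
20010db8000000020000000000000010 03 40 00 80 eth1
EOF
}

echo "constructed sample:"
sample_if_inet6 | classify_if_inet6 -
if [ -r /proc/net/if_inet6 ]; then
    echo "this host ($(exposed_count) reachable IPv6 address(es)):"
    classify_if_inet6
fi
```

A host that shows `link-local` or `global-dynamic` entries has a working IPv6 stack regardless of what was chosen in the installer.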
