Disabling ipv6
Reindl Harald
h.reindl at thelounge.net
Fri Jul 12 16:48:41 UTC 2013
On 12.07.2013 18:44, Fernando Lozano wrote:
>> [As I changed the subject, let me be clear: IPv6 still compiled in the kernel. Just the network interfaces configs
>> that should come with IPv6 disabled by default, if the user wants it should be easy to enable]
>> exactly *that* is my point
>>
>> it is ridiculous that i have a clearly static ipv4 config
>> using network.service as well as "ipv6disable=1" as kernel
>> param and on a F19 machine with 3.10.0-1.fc20.x86_64 eth0
>> comes up with "inet6 fe80::20c:29ff:fe30:82b9"
>>
>> this is not a matter of ipv6 security / yes / no / don't know
>> it is a matter of if ipv6 would make sense for the network
>> and would enable and *properly* configure it but this is
>> not the case because the gateway is for sure not ipv6 capable
>>
>> i do not need to see any ip-address (ipv4 or ipv6) on a
>> statically interface which was not explicitly configured
> Having a smarter ifconfig / ip tool or ethernet device driver would be a way to implement my proposal.
>
> But, by the IPv6 RFCs, just having IPv6 enabled means there is an IPv6 address for that interface. IPv6 provides
> local auto-configuration for network interfaces, without DHCP or any other infrastructure being present.
>
> That's one thing that creates security risks: you don't know you could be reached by that address.
>
> So, ifconfig or ip or whatever would have to disable IPv6 for any interface that does not have an explicit IPv6
> address. I'd think it would be easier to have the default eth*-cfg files and Network Manager disable IPv6 unless
> the user tells them to enable.
hence it would be enough if "ifup" would respect the configuration
i can not see "just having IPv6 enabled means there is an IPv6 address"
below - where is there ipv6 enabled? there is even a "IPV6INIT=no"
jesus this is a *ipv6 disabled* interface and it has a link-local
address and NM does not run here at all because on complex network
configuration with different interfaces "network.service" is the
better way (MHO and IMHO is enough on machines i am responsible for)
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/
[root@rawhide ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:30:82:b9
ONBOOT=yes
BOOTPROTO=static
TYPE=Ethernet
MODE=Managed
IPADDR=192.168.196.18
NM_CONTROLLED=no
IPV6INIT=no
NETMASK=255.255.255.0
GATEWAY=192.168.196.2
USERCTL=no
MTU=1500
[root@rawhide ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.196.18  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::20c:29ff:fe30:82b9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:30:82:b9  txqueuelen 1000  (Ethernet)
        RX packets 2046  bytes 170804 (166.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1608  bytes 176828 (172.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
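
The mismatch shown in the message above (IPV6INIT=no in ifcfg-eth0, yet an inet6 link-local address on eth0) can be checked mechanically on each host. The script below is an added example, not part of the original post; the function names are hypothetical and the sample data is copied from the post's own output.

```sh
#!/bin/sh
# Added example (not from the original post): report an interface whose
# ifcfg file says IPV6INIT=no but which still carries an inet6 address.
# Function names are hypothetical.

# Succeeds if the ifcfg text on stdin ends up with IPV6INIT=no.
# ifcfg files are sourced as shell, so the last assignment wins.
ifcfg_ipv6_off() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "IPV6INIT" { val = tolower($2); gsub(/[^a-z]/, "", val); last = val }
        END { exit (last == "no" ? 0 : 1) }
    '
}

# Print every inet6 address in net-tools 2.x ifconfig or "ip addr" output
# read from stdin (a trailing /prefixlen is stripped).
inet6_addrs() {
    awk '$1 == "inet6" { sub(/\/.*/, "", $2); print $2 }'
}

# audit_iface <ifcfg text> <ifconfig or "ip addr" text>
# Prints one finding line and returns 1 on a mismatch, otherwise returns 0.
audit_iface() {
    if ! printf '%s\n' "$1" | ifcfg_ipv6_off; then
        return 0    # IPv6 not switched off in the config: nothing to compare
    fi
    _addrs=$(printf '%s\n' "$2" | inet6_addrs | tr '\n' ' ')
    if [ -n "$_addrs" ]; then
        echo "MISMATCH: IPV6INIT=no but inet6 present: ${_addrs% }"
        return 1
    fi
    return 0
}

# Sample input copied from the post (config shortened to the relevant keys).
SAMPLE_IFCFG='DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.196.18
NM_CONTROLLED=no
IPV6INIT=no'

SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.196.18  netmask 255.255.255.0  broadcast 192.168.196.255
        inet6 fe80::20c:29ff:fe30:82b9  prefixlen 64  scopeid 0x20<link>'

audit_iface "$SAMPLE_IFCFG" "$SAMPLE_IFCONFIG" || true
```

On a live host the two arguments would be the contents of the interface's ifcfg file and the output of `ip -6 addr show dev eth0`.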