On 07/06/2012 16:36, John Doe wrote: > Hi, > > after IPv6 day, I was wondering if our server were really secure... > And, I know we should switch on IPv6 everywhere but... it will take some time. > > > Usually, we disable(d) IPv6; so we are not running ip6tables. > Can I start ip6tables in all cases (even if only IPv4) just to be on the safe side? > > On CentOS 6 servers, I use the --noipv6 in the kickstart files and I removed NetworkManager; but ifconfig still shows IPv6 adresses. > And I wonder from where it gets them... based on the MAC? > > I guess they are not routable, so I should not get any traffic... right? > > Thx, > JD > > Your best bet with regard to protecting yourself from passing IPv6 tunnelled traffic is to make sure you're blocking protocol 41. This will prevent rogue IPv6 tunnels forming across your IPv4 network. You don't need ip6tables to do this. If your other managed endpoints are not running IPv6 and you're blocking protocol 41 (note this is not port 41, but _protocol_ 41) then you should mitigate most of the IPv6 issues. I would normally assume that your demarc points have a default policy to drop unknown / unspecified traffic. -- Regards, Giles Coochey, CCNA, CCNAS NetSecSpec Ltd +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles at coochey.net