Date: Thu, 23 Mar 2000 15:16:07 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: FreeBSD Audit List <freebsd-audit@freebsd.org>
Subject: Portmapper enabled, IPv6 circumvents FW
Message-ID: <38DA6D77.FB93FC36@vangelderen.org>
Hi,

I'm wondering whether this is appropriate for the audit list:

1. Portmapper is enabled by default on freshly installed FreeBSD 4.0 systems. I think this is undesirable for security reasons.

2. The GENERIC kernel has IPv6 enabled by default and interfaces automatically assign themselves link-local IPv6 addresses. This is a problem because people will generally be unaware of the fact that IPFW does not filter IPv6 addresses. Setting up a strict firewall using IPFW therefore leaves you open for attacks via link-local IPv6. An extra nuisance is that FreeBSD does not provide a kernel module for IP6FW.

I'd suggest disabling the portmapper in a default installation unless there is a good reason not to. Another solution is to add a comment to /etc/inetd.conf because that's what people usually edit on new systems (because FreeBSD *still* runs ftpd and telnetd by default).

For IPv6 there are a number of potential solutions. I'd be most happy if interfaces did not assign themselves IPv6 addresses unless and until they are requested to do so.

Opinions?

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Kick-ass crypto for you: http://www.cryptix.org
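The two defaults the message complains about (a listening portmapper, and IPv6 link-local addresses that an IPFW-only rule set never filters) are easy to check for on a host. The following audit helper is an added example, not code from the original post or from the FreeBSD project. It runs offline against constructed sample output whose layout is assumed to resemble FreeBSD 4.x `sockstat -l`, `ifconfig` and `ip6fw list`; on a real host you would feed the live output of those commands into the same functions.

```sh
#!/bin/sh
# Added example (not from the original message). Flags the two default-
# configuration issues raised on the list: a portmapper listening on port 111,
# and IPv6 link-local addresses on interfaces while no ip6fw deny-all rule
# exists. All SAMPLE_* values below are CONSTRUCTED for offline use and only
# assumed to look like FreeBSD 4.x command output.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portmap    102    4 tcp4   *:111                 *:*
root     portmap    102    5 udp4   *:111                 *:*
root     inetd      121    6 tcp4   *:21                  *:*
root     sshd       130    3 tcp4   *:22                  *:*'

SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::2a0:c9ff:fe12:3456%fxp0 prefixlen 64 scopeid 0x1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000'

# Assumed ip6fw default: the implicit last rule allows everything.
SAMPLE_IP6FW='65535 allow ipv6 from any to any'

# Print sockstat lines of listeners bound to port 111 (portmapper).
# Exit 0 when at least one is found, 1 otherwise. Field 6 is LOCAL ADDRESS.
portmapper_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /:111$/ { found = 1; print }
                              END { exit found ? 0 : 1 }'
}

# Print "iface addr" for every link-local (fe80::/10) IPv6 address on a
# non-loopback interface. Exit 0 if any found, 1 otherwise.
link_local_addrs() {
    printf '%s\n' "$1" | awk '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }
        $1 == "inet6" && $2 ~ /^fe[89ab]/ && iface != "lo0" { found = 1; print iface, $2 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 when the ip6fw rule set ends in a deny-all default (IPv6 filtered),
# 1 when the final rule allows everything or no rules are loaded at all.
ip6fw_closed() {
    printf '%s\n' "$1" | awk 'NF { last = $0 }
                              END { exit (last ~ /^65535 deny/) ? 0 : 1 }'
}

# Combine the checks into WARN/OK lines. Always returns 0; callers count
# WARN lines if they want a pass/fail signal.
audit() {
    sockstat_out=$1; ifconfig_out=$2; ip6fw_out=$3
    if portmapper_listeners "$sockstat_out" >/dev/null; then
        echo "WARN portmapper is listening on port 111; disable it unless RPC is needed"
    else
        echo "OK   no portmapper listener"
    fi
    if ll=$(link_local_addrs "$ifconfig_out"); then
        if ip6fw_closed "$ip6fw_out"; then
            echo "OK   link-local IPv6 present but ip6fw ends in deny-all"
        else
            echo "WARN link-local IPv6 reachable and not filtered by ip6fw (IPFW does not see IPv6):"
            printf '%s\n' "$ll" | sed 's/^/       /'
        fi
    else
        echo "OK   no link-local IPv6 addresses on non-loopback interfaces"
    fi
    return 0
}

audit "$SAMPLE_SOCKSTAT" "$SAMPLE_IFCONFIG" "$SAMPLE_IP6FW"
```

On a live FreeBSD host the same functions take `"$(sockstat -l)"`, `"$(ifconfig)"` and `"$(ip6fw list)"` as arguments; the deny-all test only looks at the final rule, so a rule set that denies selectively earlier but still ends in an allow is reported as open, which matches the point of the message.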