
Re: Disabling IPv6 and other networking protocols: Best Practice?



Hi 

Regarding the disabling of kernel modules, I was under the impression that the difference between:

install dccp /bin/true; and
blacklist dccp

is that the install line will alias the dccp load command to 0. The blacklist command will not load the module, but if another module depends on it then it will load the module. The install command therefore guarantees that the module will not be loaded (potentially causing problems elsewhere).

Laurie.

On Tue, Aug 7, 2012 at 6:08 PM, Michael Fladerer <fladerer@fnb.tu-darmstadt.de> wrote:
Hi.

On Tue Aug 07, 2012 at 17:09:50 +0100, Laurie Mercer wrote:
> I would like to disable IPv6, and some transport layer protocols, RDS, TIPC
> etc
>
> However I am unsure of the best practice in doing this.
>
> So far I am disabling IPv6 using the sysctl command:
>
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> sysctl -w net.ipv6.conf.default.disable_ipv6=1
>
> Then, making sure it is disabled in perpetuity by editing /etc/sysctl.conf
> to include the following lines:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1

I'd say that's the way to go, at least for in-kernel drivers/interfaces.
AFAIK blacklisting isn't possible here.

> To disable the transport layer protocols I am editing
> /etc/modprobe.d/blacklist-rare-network.conf. In the following example I
> will disable dccp:
>
> install dccp /bin/true
>
> This will replace the dccp command with nothing so dccp will not be loaded
> into the kernel.

I guess that's a valid solution.  I'd probably go with a blacklist
entry, e.g. 'blacklist <module>' in /etc/modprobe.d/blacklist-<module>
for each module or one file (e.g.
/etc/modprobe.d/blacklist-rare-network-modules) for all modules.

> However, the other entries in this file are not in this format, rather they
> use 'alias XXX off' format, e.g. rds is 'alias net-pf-21 off'. I cannot see
> where the mapping between rds and net-pf-21 is, and according to the man
> pages alias simply gives an alternative name for a module. So I am a little
> confused.

Right, according to the modprobe.d manpage the primary purpose of aliases is to
shorten really long module names or to specify alternate load-time
parameters (like loading additional modules or setting different
options).  What exactly made you feel confused?

> What is the best way to prevent the dccp/rds/tipc etc support being loaded?
> Do I need to use sysctl to unload the rare TCP modules?

As mentioned above, I'd simply add blacklist entries for each of them in
/etc/modprobe.d/blacklist-rare-network-modules.  This should reliably
disable them.

> And finally do I need to add IPv6 to /etc/modprobe.d/ config directory
> structure?

Depending on the kernel you use, you could also blacklist ipv6, in case
ipv6 is actually provided as module.  Newer distribution kernels (>=
2.6.26) normally don't come with an ipv6 module anymore, so nothing to
blacklist.  Then sysctl is the only way (I know of) for disabling
unwanted kernel features.

HTH.

Cheers,
 Michael


Archive: http://lists.debian.org/20120807170814.GE17576@fnb.tu-darmstadt.de




--
Laurie Mercer
_________________________
lsmercer@gmail.com
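As an added example (not part of the thread), here is a small POSIX shell function that reads a modprobe.d-style file and reports whether a given module is hard-disabled by an `install ... /bin/true` line, merely blacklisted, or mapped off through an `alias ... off` line, encoding the install-versus-blacklist distinction Laurie draws above. The config text it reads is a constructed sample, not a real file from the list.

```shell
#!/bin/sh
# Added example: classify how a modprobe.d config treats one module.
# Reads config text on stdin; prints one of:
#   install-disabled  "install <mod> /bin/true|/bin/false" replaces the load
#                     command, so the module cannot be pulled in even as a
#                     dependency of another module (the strongest form)
#   blacklisted       "blacklist <mod>" stops alias/auto-loading only; a module
#                     that depends on it can still load it
#   alias-off         "alias <name> off" points the alias at a nonexistent
#                     module called "off"; query with the alias name
#                     (e.g. net-pf-21), not the module name (rds)
#   not-disabled      no matching line found
# Usage: module_state <module-or-alias-name> < config-file
module_state() {
    mod="$1"
    state="not-disabled"
    set -f    # no pathname expansion while splitting config lines
    while IFS= read -r line; do
        line="${line%%#*}"          # strip trailing comments
        set -- $line                # split into words on whitespace
        [ $# -ge 2 ] || continue    # skip blank lines
        case "$1" in
            install)
                if [ "$2" = "$mod" ] && [ $# -ge 3 ]; then
                    case "$3" in
                        /bin/true|/bin/false) state="install-disabled" ;;
                    esac
                fi ;;
            blacklist)
                [ "$2" = "$mod" ] && [ "$state" = "not-disabled" ] \
                    && state="blacklisted" ;;
            alias)
                [ "$2" = "$mod" ] && [ "${3:-}" = "off" ] \
                    && [ "$state" = "not-disabled" ] && state="alias-off" ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed sample in the style of /etc/modprobe.d/blacklist-rare-network.conf
SAMPLE_CONF='# constructed sample, not a real file
install dccp /bin/true
blacklist tipc
alias net-pf-21 off
'
for m in dccp tipc net-pf-21 sctp; do
    printf '%s: %s\n' "$m" "$(printf '%s' "$SAMPLE_CONF" | module_state "$m")"
done
```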
