Hi.
On Tue Aug 07, 2012 at 17:09:50 +0100, Laurie Mercer wrote:
> I would like to disable IPv6, and some transport layer protocols, RDS, TIPC
> etc
>
> However I am unsure of the best practise in doing this.
>
> So far I am disabling IPv6 using the sysctl command:
>
> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> sysctl -w net.ipv6.conf.default.disable_ipv6=1
>
> Then, making sure it is disabled in perpetuity by editing /etc/sysctl.conf
> to include the following lines:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
I'd say that's the way to go, at least for in-kernel drivers/interfaces.
AFAIK blacklisting isn't possible here.
> To disable the transport layer protocols I am editing
> /etc/modprobe.d/blacklist-rare-network.conf. In the following example I
> will disable dccp:
>
> install dccp /bin/true
>
> This will replace the dccp command with nothing so dccp will not be loaded
> into the kernel.
I guess that's a valid solution. I'd probably go with a blacklist
entry, e.g. 'blacklist <module>' in /etc/modprobe.d/blacklist-<module>
for each module or one file (e.g.
/etc/modprobe.d/blacklist-rare-network-modules) for all modules.
> However, the other entries in this file are not in this format, rather they
> use 'alias XXX off' format, e.g. rds is 'alias net-pf-21 off'. I cannot see
> where the mapping between rds and net-pf-21 is, and according to the man
> pages alias simply gives an alternative name for a module. So I am a little
> confused.
Right, according to the modprobe.d manpage the primary purpose of aliases is to
shorten really long module names or to specify alternate load-time
parameters (like loading additional modules or setting different
options). What exactly made you feel confused?
> What is the best way to prevent the dccp/rds/tipc etc support being loaded?
> Do I need to use sysctl to unload the rare TCP modules?
As mentioned above, I'd simply add blacklist entries for each of them in
/etc/modprobe.d/blacklist-rare-network-modules. This should reliably
disable them.
> And finally do I need to add IPv6 to /etc/modprobe.d/ config directory
> structure?
Depending on the kernel you use, you could also blacklist ipv6, in case
ipv6 is actually provided as a module. Newer distribution kernels (>=
2.6.26) normally don't come with an ipv6 module anymore, so nothing to
blacklist. Then sysctl is the only way (I know of) for disabling
unwanted kernel features.
HTH.
Cheers,
Michael
--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120807170814.GE17576@fnb.tu-darmstadt.de
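An added audit script (not from this thread or from Debian) that scans a modprobe.d directory for the two blocking styles discussed above and reports modules that are only "blacklist"-ed or not covered at all; the directory path and the module list are passed as arguments, and the sample configuration it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Distinction it checks for:
#  - "blacklist <mod>" only stops alias-based autoloading; an explicit
#    `modprobe <mod>` (or a dependency pull) still loads the module.
#  - "install <mod> /bin/true" also defeats explicit modprobe
#    (bypassable only with `modprobe --ignore-install`).

# Print "install", "blacklist" or "none" for one module, scanning every
# *.conf file in the directory. Comments and extra whitespace are ignored.
block_status() {
    confdir=$1
    mod=$2
    status=none
    for f in "$confdir"/*.conf; do
        [ -f "$f" ] || continue
        if sed 's/#.*//' "$f" | tr -s ' \t' ' ' | grep -q "^ *install $mod "; then
            status=install
            break
        fi
        if sed 's/#.*//' "$f" | tr -s ' \t' ' ' | grep -q "^ *blacklist $mod *$"; then
            status=blacklist
        fi
    done
    printf '%s\n' "$status"
}

# Report weakly blocked or unblocked modules; exit status = number of findings.
audit_modules() {
    confdir=$1
    shift
    weak=0
    for m in "$@"; do
        case $(block_status "$confdir" "$m") in
            install) ;;
            blacklist) echo "$m: blacklist only (explicit modprobe still loads it)"; weak=$((weak + 1)) ;;
            none) echo "$m: not blocked"; weak=$((weak + 1)) ;;
        esac
    done
    return "$weak"
}

# Constructed sample configuration for a demo run (not a real system's files).
make_demo_confdir() {
    d=$(mktemp -d)
    cat > "$d/blacklist-rare-network.conf" <<'EOF'
# rare network protocols
install dccp /bin/true
blacklist   tipc
EOF
    printf '%s\n' "$d"
}
```

Run it against a real system with `audit_modules /etc/modprobe.d dccp rds tipc sctp`; an exit status of 0 means every listed module has an "install" stub.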