
Re: Disabling IPv6 and other networking protocols: Best Practice?



On 08/07/12 11:09, Laurie Mercer wrote:
> 
> However, the other entries in this file are not in this format, rather
> they use 'alias XXX off' format, e.g. rds is 'alias net-pf-21 off'. I
> cannot see where the mapping between rds and net-pf-21 is, and according
> to the man pages alias simply gives an alternative name for a module. So
> I am a little confused. 
> 
net-pf-21 is the alias internal to the module.  The modules themselves
have the ability to add aliases.  You can use the modinfo tool to see this.

An alias directive will be processed and overwrite any attempt to load
module X.  In that for "alias X Y", "modprobe X" becomes "modprobe Y"
and X is then never loaded.  However if X is an alias then its target
would still be available.  I don't know if aliases are done recursively,
given "alias Z X" would X or Y be loaded for "modprobe Z"?

P.S. Your assessment about blacklist seems to be correct, udev calls
modprobe with the necessary '-b' option to enable processing of the
blacklist.  The kernel's invocation of modprobe, see
/proc/sys/kernel/modprobe, would not.

Bottom line: if you want it never in your kernel for security then
install is the directive you should use.  You should list the module's
name not any of its aliases and the aliases will get caught up in your
install directive.

> 
> -- 
> Laurie Mercer
> _________________________
> lsmercer@gmail.com
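
The distinction drawn in the reply above, as an added example that is not part of the original message: a small audit of modprobe.d-style text that reports, for each module name, whether it is covered by an install directive, only by a blacklist entry (which the reply says depends on modprobe being run with '-b'), only by an "alias X off" line, or by nothing. The function names, status labels and sample configuration are constructed for illustration, and treating /bin/true and /bin/false as the do-nothing install command is an assumption, since the thread does not name one.

```python
# Added example (not from the thread): audit modprobe.d-style text.
NOOP_COMMANDS = {"/bin/true", "/bin/false"}  # assumption: commands that load nothing

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONF = """\
# constructed sample
alias net-pf-21 off
blacklist dccp
install sctp /bin/true
install tipc \\
    /bin/false
"""

def norm(name):
    # modprobe treats '-' and '_' in module names as the same character
    return name.replace("-", "_")

def parse(text):
    """Return (install, blacklist, alias_off) collected from the config text."""
    install, blacklist, alias_off = {}, set(), set()
    # A trailing backslash continues a directive on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "install" and len(parts) >= 3:
            install[norm(parts[1])] = parts[2:]
        elif parts[0] == "blacklist" and len(parts) == 2:
            blacklist.add(norm(parts[1]))
        elif parts[0] == "alias" and len(parts) == 3 and parts[2] == "off":
            alias_off.add(norm(parts[1]))
    return install, blacklist, alias_off

def audit(text, modules):
    """Classify each name by the strongest directive that names it directly."""
    install, blacklist, alias_off = parse(text)
    result = {}
    for mod in modules:
        key = norm(mod)
        if key in install and install[key][0] in NOOP_COMMANDS:
            result[mod] = "install"
        elif key in blacklist:
            result[mod] = "blacklist-only"
        elif key in alias_off:
            result[mod] = "alias-only"
        else:
            result[mod] = "unrestricted"
    return result

if __name__ == "__main__":
    for mod, status in audit(SAMPLE_CONF, ["rds", "dccp", "sctp", "tipc"]).items():
        print(f"{mod:8} {status}")
```

In the sample, rds comes out as "unrestricted" because the only line touching it names the alias net-pf-21, not the module itself.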

