Re: Debian 11: How to disable IPv6

[gene heskett <gheskett@shentel.net>]

On 7/12/22 10:21, Lee wrote:
> On 7/11/22, rhkramer  wrote:
> >  From the peanut gallery: I disabled IPv6 quite some time ago.  I don't
> > recall how I did it, but I might have that information in my notes, somewhere.
> >
> > The reason that I disabled it (which might not be totally logical) is that
> > in IPv4, I have always had my computers (and LAN) behind a NAT device.
> A NAT device does not necessarily act like a stateful firewall.
>
> Years ago I ran a TOR middle node ... and noticed someone scanning my
> internal network!!  Turns out they were using loose source routing to
> get around NAT:
>    https://en.wikipedia.org/wiki/Loose_Source_Routing
>      Loose Source Routing is an IP option which can be used for address
> translation.
>
> My cable modem was quite willing to forward packets addressed to the
> publicly addressable outside IP address of the box to my internal LAN
> with the RFC-1918 address space .. that I thought was unreachable from
> the public Internet because NAT :(
>
> So lesson learned - get a firewall or router that will drop packets
> that have IP options set.
>
> Regards,
> Lee
Your cable modem is NOT a router.

If you want that sort of protection, get a reflashable router and put 
dd-wrt in it.

Only one person in about18 years has come thru dd-wrt, and I had to give 
him
the credentials on the phone. I would estimate that dd-wrt has blocked a 
billion
attacks or more in that some time frame. The exceptions are a NAT
that allows me to serve my own web page. No tracking other than the logs 
apache2
keeps. No commercials, just me blowing my own horn. Boring...

> .


Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>