Thor Lancelot Simon <tls%panix.com@localhost> writes: > On Wed, Apr 16, 2014 at 06:29:02PM -0400, Greg Troxel wrote: >> >> So I would ask: why do you think you need to disable it? By default, >> the system will have no v6 addresses configured and should not incur >> delays due to this. Are you having a problem? > > The system will have link-local addresses configured and anything that > listens on ANY will take packets from them. Without a firewall configuration > that blocks all IPv6 traffic on the Internet side, this can be very > dangerous, effectively exposing services that were not exposed over IPv4. A fair point. I run real v6, so I have a corresponding v6 ruleset, but I hadn't really contemptated link-local. I wonder, given that, if our firewall rules should be configured so that one can write rules that match tcp/tcp6 in one rule, kind of like the tcp/udp block rules for the same port in different protocols within an AF.
Description: PGP signature