On 26/06/12 05:03, Alex Efros wrote: > If I'm right (about creating new security holes because of enabling ipv6 > USE flag) then it may be bad idea to enable it by default until we'll be > sure admin is ready for this (for example, we may check is IPv6 enabled in > kernel and is there exists IPv6 firewall rules).
Yes, you are right. Enabling IPv6 is the same as enabling a completely new protocol. Configuration, routing and firewalls needs to be set up. But there is an easy way to "opt-out" which could easily be described. If the default kernel config builds IPv6 support as a module, you can easily do 'modprobe -r ipv6' and you don't have IPv6 enabled on a running kernel. This can also be added to the modprobe blacklist as well, so it's not loaded upon boot. Or for those configuring their own kernels, disabling the IPv6 module can be another alternative. These alternatives can easily be documented, IMHO. kind regards, David Sommerseth
