From owner-freebsd-audit Thu Mar 23 11:19:57 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from cypherpunks.ai (cypherpunks.ai [209.88.68.47]) by hub.freebsd.org (Postfix) with ESMTP id 5979337BE11 for ; Thu, 23 Mar 2000 11:19:51 -0800 (PST) (envelope-from jeroen@vangelderen.org)
Received: from vangelderen.org (intefix.ai [209.88.68.216]) by cypherpunks.ai (Postfix) with ESMTP id CAA1349 for ; Thu, 23 Mar 2000 15:19:44 -0400 (AST)
Message-ID: <38DA6D77.FB93FC36@vangelderen.org>
Date: Thu, 23 Mar 2000 15:16:07 -0400
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: FreeBSD Audit List
Subject: Portmapper enabled, IPv6 circumvents FW
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I'm wondering whether this is appropriate for the audit list:

1. Portmapper is enabled by default on freshly installed FreeBSD 4.0 systems. I think this is undesirable for security reasons.

2. The GENERIC kernel has IPv6 enabled by default and interfaces automatically assign themselves link-local IPv6 addresses. This is a problem because people will generally be unaware of the fact that IPFW does not filter IPv6 addresses. Setting up a strict firewall using IPFW therefore leaves you open for attacks via link-local IPv6. An extra nuisance is that FreeBSD does not provide a kernel module for IP6FW.

I'd suggest disabling the portmapper in a default installation unless there is a good reason not to. Another solution is to add a comment to /etc/inetd.conf because that's what people usually edit on new systems (because FreeBSD *still* runs ftpd and telnetd by default).

For IPv6 there are a number of potential solutions. I'd be most happy if interfaces did not assign themselves IPv6 addresses unless and until they are requested to do so.

Opinions?

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Kick-ass crypto for you: http://www.cryptix.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
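The two misconfigurations the post describes (portmapper left on by default, and a strict IPFW ruleset with no IP6FW ruleset beside it) are both visible in rc.conf, so an administrator can audit for them before a box goes live. The script below is an added example and not part of the post or of FreeBSD's own rc scripts; it assumes the FreeBSD 4.x /etc/defaults/rc.conf variable names portmap_enable, firewall_enable and ipv6_firewall_enable, and it reads an rc.conf-style file the way sh would (last assignment wins, comments ignored, quotes stripped). Note that it only checks configuration: as the post points out, link-local IPv6 addresses are assigned by the kernel regardless of rc.conf, so a missing IP6FW ruleset is the finding to act on, not a reason to assume IPv6 is off.

```sh
#!/bin/sh
# audit_rcconf: flag the two issues raised in the post in an rc.conf-style file.
#   1. portmap_enable="YES"            -> RPC portmapper will listen
#   2. firewall_enable="YES" without ipv6_firewall_enable="YES"
#                                      -> IPFW filters IPv4 only; IPv6 unfiltered
# Variable names are assumed to match FreeBSD 4.x /etc/defaults/rc.conf.

# rc_get FILE VAR: print VAR's value as sh would see it after sourcing FILE.
# Last assignment wins; '#' comments are dropped (so a '#' inside a quoted
# value is not supported); surrounding quotes and trailing blanks are removed.
rc_get() {
    awk -v key="$2" -v sq="'" '
        { sub(/#.*/, "") }                       # strip comments
        $0 ~ ("^[ \t]*" key "=") {               # an assignment to VAR
            v = $0
            sub(/^[ \t]*[A-Za-z0-9_]+=/, "", v)  # drop "VAR="
            gsub("[\"" sq "]", "", v)            # drop quotes
            sub(/[ \t]+$/, "", v)                # drop trailing blanks
            val = v
        }
        END { print val }' "$1"
}

# audit_rcconf FILE: print one line per finding; return the number of findings
# (0 means clean), so it can be used in a provisioning check.
audit_rcconf() {
    findings=0
    if [ "$(rc_get "$1" portmap_enable)" = "YES" ]; then
        echo "FINDING: portmap_enable=YES: the RPC portmapper will listen on this host"
        findings=$((findings + 1))
    fi
    if [ "$(rc_get "$1" firewall_enable)" = "YES" ] &&
       [ "$(rc_get "$1" ipv6_firewall_enable)" != "YES" ]; then
        echo "FINDING: IPFW is enabled but IP6FW is not: IPv6 (including link-local) traffic is unfiltered"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh audit_rcconf.sh /etc/rc.conf  (exit status = number of findings)
if [ $# -gt 0 ]; then
    audit_rcconf "$1"
fi
```

Running it against the system's rc.conf only reports overrides, so on a fresh 4.0 install it will find nothing for portmap even though the default is YES; run it against /etc/defaults/rc.conf as well, or concatenate both files in order, to see the effective settings.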