sandcastle
setup ipv6 firewall
I think we can just block everything for now until we support ipv6
I just dug around for a little while and it appears that ipv6 is disabled
root@sandstorm:/home/vagrant# sudo sysctl -p | grep disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
It is still possible to add some firewalling, but is it necessary?
It appears we can add ipv6.disable=1 to the kernel command line, but I haven't tested if it breaks anything yet.
Disabling it anyway, #31 also adds a reboot, so I think we need to start figuring out some smoke tests to make sure everything still works and starts automatically properly.
This may cause errors on subsequent runs of vagrant provision. To fix it I need to change the hardening role, since the ignoreerrors in the sysctl module doesn't seem to be behaving the way I thought it would. Don't merge yet.
The hardening module disables ipv6, but the kernel module is still loaded at boot, so we're vulnerable to ipv6-based exploits until sysctl is loaded, which is a pretty slim period of time during the boot sequence. I don't know how serious we want to get on this. I think disabling it using sysctl is sufficient and we can close this one.
I think we still want to configure ip6tables:
From https://wiki.archlinux.org/index.php/IPv6#Other_programs
Disabling IPv6 functionality in the kernel does not prevent other programs from trying to use IPv6. In most cases, this is completely harmless, but if you find yourself having issues with that program, you should consult the program's manual pages for a way to disable that functionality.
I'm worried we will not think about ipv6 at all and then set up a service that binds itself to an ipv6 port without us realizing.
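The concern in the last comment (a service binding to an IPv6 port unnoticed) can be checked in a smoke test by reading the kernel's IPv6 TCP socket table. The following is an added example, not part of the thread or of the sandcastle project; the function names are hypothetical, the sample table is constructed, and the address decoding assumes a little-endian host.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp6 layout (trailing columns trimmed),
# written as a little-endian host would print it. Not captured from a real box.
SAMPLE = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A
   2: 00000000000000000000000001000000:C350 00000000000000000000000001000000:1F90 01
"""
TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp*


def decode_addr(hex_addr):
    """Turn the kernel's 32 hex digits into an IPv6Address.

    The kernel prints four 32-bit words in host byte order; this assumes a
    little-endian host (x86, most ARM), so each word's bytes are swapped back.
    """
    words = struct.unpack(">4I", bytes.fromhex(hex_addr))
    return ipaddress.IPv6Address(struct.pack("<4I", *words))


def ipv6_listeners(text):
    """Return (address, port) for every LISTEN socket in tcp6-format text."""
    found = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        found.append((str(decode_addr(addr_hex)), int(port_hex, 16)))
    return found


def exposed(text):
    """Listeners that are not bound to the IPv6 loopback address."""
    return [(a, p) for a, p in ipv6_listeners(text)
            if not ipaddress.IPv6Address(a).is_loopback]


if __name__ == "__main__":
    try:  # the table may not exist, e.g. when IPv6 support is not loaded
        with open("/proc/net/tcp6") as fh:
            table = fh.read()
    except FileNotFoundError:
        table = ""
    for addr, port in exposed(table):
        print(f"IPv6 listener not on loopback: [{addr}]:{port}")
```

A provisioning smoke test can fail the run whenever `exposed()` returns anything, which flags a wildcard (`::`) bind even while no ip6tables rules are in place.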