avoid IPv6 link local address on interface
It looks like you are running a Debian variant, and at least Linux. You could drop a file in /etc/sysctl.d to disable IPv6 on the interface or all interfaces. I have enabled IPv6, but this is the file I used to disable IPv6. Initially, I disabled everything, then I disabled individual interfaces while I brought up IPv6. You should be able to just disable your bridge.
    # 80-disable-ipv6.conf
    #net.ipv6.conf.default.disable_ipv6 = 0
    #net.ipv6.conf.all.disable_ipv6 = 0
    #net.ipv6.conf.lo.disable_ipv6 = 0
    #net.ipv6.conf.eth0.disable_ipv6 = 0
    #net.ipv6.conf.virbr0.disable_ipv6 = 0
    #net.ipv6.conf.virbr1.disable_ipv6 = 0
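The following shell script is an added example, not code from the answer. It reads text in the format of /proc/net/if_inet6, lists the interfaces that still hold a link-local address, and prints sysctl.d lines for the ones that should only bridge. The function names and sample data are constructed here, and the slash-separated key form (which keeps a VLAN name such as eth0.1 intact) assumes a loader that accepts it, as procps sysctl and systemd-sysctl do.

```sh
#!/bin/sh
# Added example: audit link-local addresses and emit sysctl.d lines.
# Function names and sample data are constructed for illustration.

# Constructed sample in the format of /proc/net/if_inet6:
#   address(32 hex) ifindex prefixlen scope flags name
SAMPLE_IF_INET6='00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 eth0
fe80000000000000021122fffe334455 05 40 20 80 eth0.1
fe80000000000000021122fffe334455 06 40 20 80 br1
20010db8000000000000000000000010 02 40 00 80 eth0'

# Read if_inet6-format text on stdin and print, one per line, every
# interface that holds a link-local (fe80::/10) address.
linklocal_ifaces() {
    awk 'tolower($1) ~ /^fe[89ab]/ { print $6 }' | LC_ALL=C sort -u
}

# Print the sysctl.d line that disables IPv6 on one interface.
# Slash-separated keys are used so the dot in a VLAN interface name
# (eth0.1) is not taken as a key separator.
sysctl_line() {
    printf 'net/ipv6/conf/%s/disable_ipv6 = 1\n' "$1"
}

# Read if_inet6-format text on stdin; for each interface named in the
# arguments (the bridge-only ones) that still has a link-local address,
# print the line that would turn IPv6 off on it.
audit() {
    wanted=" $* "
    linklocal_ifaces | while read -r ifc; do
        case "$wanted" in
            *" $ifc "*) sysctl_line "$ifc" ;;
        esac
    done
}

# Live host usage: audit eth0.1 br1 < /proc/net/if_inet6
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_IF_INET6" | audit eth0.1 br1
fi
```

An empty result from `audit` on a live host means none of the named interfaces currently holds a link-local address.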
Bert Goethals
Computer professional working with architecture, requirements and project management. Expert in java, SQL, xml and various internet protocols. Fluent in C and several unix-variants. Know some perl, python, common lisp, opengl, prolog, C++. I am rolfn on keybase.io, and the proof is:
Updated on September 17, 2022
-
Bert Goethals over 1 year
I have a setup with virtual Xen hosts connected to a set of VLAN-s. On Dom0, I have set up a bridge for each of my VLAN-s to connect DomU-s to. Bridges are set up in /etc/network/interfaces like this:
    auto eth0
    iface eth0 inet manual

    auto eth0.1
    iface eth0.1 inet manual
        vlan_raw_device eth0

    auto br1
    iface br1 inet manual
        bridge_ports eth0.1
For most of these interfaces, I don't want Dom0 to be reachable, I just want it to bridge.
However, with IPv6, each interface automatically gets a link local address on the fe80::/64-network, which effectively breaks my security by letting Dom0 be available on all interfaces/VLAN-s.
I guess I can block all incoming packets with iptables, but avoiding any IPv6-address altogether seems like a cleaner solution.
Is there any way to take an interface up on the link-layer but not on the IP-layer?
This is Linux/Debian (sorry I missed this detail initially...)
    (master) 844$ cat /etc/issue.net
    Debian GNU/Linux 5.0
    (master) 845$ uname -a
    Linux master 2.6.26-2-xen-amd64 #1 SMP Sun Jun 20 20:51:58 UTC 2010 x86_64 GNU/Linux
-
Bert Goethals about 13 years
I had to update to squeeze (Debian 6) to get a kernel recent enough to have the disable_ipv6-parameter.
-
Björn Lindqvist over 8 years
Don't forget to also delete all IPv6 addresses from your /etc/hosts file.