Re: [PATCH] firewall-manager: allow dhcpv6-client service

* Ludwig Nussel

> Uh, ssh would probably be the last thing I'd allow in the public zone by
> default :-)

Fully agreed. On hosts that have the SSH daemon open from the world, I
see a constant stream of brute force attacks on it.

DHCP (both versions) appears to be left alone by attackers, on the other
hand. DHCPv4 is allowed by default in Fedora, though, while DHCPv6 for
some reason is singled out by the Fedora firewall infrastructure
maintainer as being too insecure to be allowed by default. And that is
before you even take into account that DHCPv6 (unlike DHCPv4) can be
restricted so that it would only be open from nodes that are attached to
the local link, making it impossible to contact from the internet.

Barring some undisclosed vulnerability in the DHCPv6 client (which is
the same binary as the default-open DHCPv4 client by the way), to me
this is quite unfathomable.

> So the zone intentionally does not allow ipv6. What sense does that make
> if NM can add (and will) it anyways then?

It doesn't make any sense. This patch is not required on a distribution
that has a sane default firewall that allows DHCPv6 in the first place.
I know that is the case for Ubuntu at least.

The best solution would obviously be to just fix the default firewall in
Fedora too, but the firewall infrastructure maintainer is refusing to
make that change. To the best of my knowledge, he has not offered any
explanation for his position, and has ignored all arguments against it.
In short, he doesn't seem likely to change his mind any time soon.
Therefore, a work-around for the broken default is necessary on Fedora,
and this patch does exactly that.

Best regards,
-- 
Tore Anderson
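As an added illustration of the link-local restriction Tore describes (this is example code, not part of the thread or of any project's firewall configuration): a small Python model of the accept decision for DHCPv6 client traffic. It assumes the standard DHCPv6 ports (server/relay 547, client 546) and the fe80::/10 link-local prefix; the packets are constructed samples and the emitted nftables rule is a suggested shape, not Fedora's actual ruleset.

```python
import ipaddress
from dataclasses import dataclass

DHCPV6_SERVER_PORT = 547          # servers and relay agents send from here
DHCPV6_CLIENT_PORT = 546          # clients listen here
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def accept_dhcpv6_client_reply(pkt: Packet) -> bool:
    """Accept only UDP 547 -> 546 traffic whose source is on the local link.

    A DHCPv6 server or relay on the same link always speaks from a
    link-local address, so anything with a global source (i.e. routed in
    from the internet) is dropped. DHCPv4 has no equivalent scoping,
    which is the asymmetry discussed above.
    """
    if pkt.proto != "udp":
        return False
    if pkt.sport != DHCPV6_SERVER_PORT or pkt.dport != DHCPV6_CLIENT_PORT:
        return False
    try:
        src = ipaddress.IPv6Address(pkt.src)
    except ValueError:
        return False              # not IPv6 at all; DHCPv4 is handled elsewhere
    return src in LINK_LOCAL


def nft_rule() -> str:
    """The same policy as a single nftables input rule (assumed syntax)."""
    return (f"ip6 saddr {LINK_LOCAL} udp sport {DHCPV6_SERVER_PORT} "
            f"udp dport {DHCPV6_CLIENT_PORT} accept")


# Constructed sample packets: on-link reply, off-link reply, wrong ports/proto.
SAMPLES = {
    "on_link_reply": Packet("fe80::1", "fe80::2", "udp", 547, 546),
    "global_source": Packet("2001:db8::1", "fe80::2", "udp", 547, 546),
    "wrong_ports": Packet("fe80::1", "fe80::2", "udp", 5353, 546),
    "tcp_not_udp": Packet("fe80::1", "fe80::2", "tcp", 547, 546),
}


def filter_samples() -> dict:
    return {name: accept_dhcpv6_client_reply(p) for name, p in SAMPLES.items()}
```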