Priority
High
Description
Currently, only trusted DNS servers are allowed (default: 8.8.8.8, 8.8.4.4) for IPv4. However, IPv6 lacks equivalent protection. When ip6tables is unavailable, IPv6 traffic bypasses all filtering, enabling potential C2 communication or data exfiltration.
Impact
- Severity: High
- Attack Vector: IPv6 traffic can bypass all firewall rules when ip6tables is not available
- Risk: C2 communication, data exfiltration via IPv6
Proposed Solution
Disable IPv6 completely via sysctl if ip6tables is unavailable:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
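The fallback described above, sketched as an added example (not code from this project): it probes whether ip6tables is actually usable, otherwise runs the two sysctl commands and reads the values back, so a failed write is reported as unprotected rather than assumed successful. IP6TABLES_BIN, SYSCTL_BIN and PROC_ROOT are hypothetical override variables introduced here for testing, and the --apply switch is likewise an assumption of this sketch.

```shell
#!/bin/sh
# Added example: fail closed on IPv6 when ip6tables cannot be used.
# IP6TABLES_BIN, SYSCTL_BIN and PROC_ROOT are hypothetical overrides so the
# logic can be exercised without root; the defaults are the real locations.
IP6TABLES_BIN="${IP6TABLES_BIN:-ip6tables}"
SYSCTL_BIN="${SYSCTL_BIN:-sysctl}"
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv6/conf}"

# Usable means the binary exists AND can read the filter table; a binary
# without kernel support or privileges is treated the same as a missing one.
ip6tables_usable() {
    command -v "$IP6TABLES_BIN" >/dev/null 2>&1 || return 1
    "$IP6TABLES_BIN" -L -n >/dev/null 2>&1
}

# True when both the "all" and "default" scopes report disable_ipv6=1.
# Assumption: a missing sysctl tree means the kernel has no IPv6 stack.
ipv6_disabled() {
    [ -d "$PROC_ROOT" ] || return 0
    for scope in all default; do
        f="$PROC_ROOT/$scope/disable_ipv6"
        [ -r "$f" ] && [ "$(cat "$f")" = "1" ] || return 1
    done
    return 0
}

# Prints the resulting state: filter | disabled | unprotected.
enforce_ipv6_policy() {
    if ip6tables_usable; then
        echo "filter"        # caller installs its IPv6 rules as usual
        return 0
    fi
    # The two commands from the proposed solution; success is verified below.
    "$SYSCTL_BIN" -w net.ipv6.conf.all.disable_ipv6=1 >/dev/null 2>&1 || true
    "$SYSCTL_BIN" -w net.ipv6.conf.default.disable_ipv6=1 >/dev/null 2>&1 || true
    if ipv6_disabled; then
        echo "disabled"
        return 0
    fi
    echo "unprotected"       # neither filtering nor disabling worked
    return 1
}

# Apply only on explicit request (needs root): sh ipv6-guard.sh --apply
if [ "${1:-}" = "--apply" ]; then enforce_ipv6_policy; fi
```

A non-zero exit with the state "unprotected" is the case the caller should treat as fatal, since IPv6 is then neither filtered nor disabled.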
Effort Estimate
~1 hour
References