forwarding *some* web traffic to a virtual machine

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Sep 9 17:00:50 UTC 2010


On Thu, Sep 9, 2010 at 12:50 PM, Christopher Browne <cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> When I was talking of "default," I was thinking in the secondary
> meaning of "the 'default' config that the devs use to somewhat lock
> things down."  *THAT* didn't consider IPv6, but isn't the fault of PG
> folk :-).

And this is actually the sort of thing that's liable to bite people a
lot as IPv6 lurks its way into Teh Interwebs.

The defaults provided by "system vendors" (which I'd interpret here to
include folks that don't necessarily sell things, such as the
PostgreSQL development group, (Free|Net|Open)BSD projects, and the
Debian project) may be pretty proper, and may nicely support IPv6.

Unfortunately, there are recipes out there for populating /etc/hosts,
pg_hba.conf, and any number of other such network-related config files
that *don't* contemplate IPv6.

My /etc/hosts on Debian includes some IPv6 recipes:

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

One of the basic security principles is to not run or configure
anything that does not expressly need to be run/configured.

Under that principle, it's not an outrageous notion to drop out "IPv6
cruft", if you don't specifically *know* you need to run it.

The conflict/contradiction that naturally results is something I'll
leave to the gentle readers to think about...
-- 
http://linuxfinances.info/info/linuxdistributions.html
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
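
An added example, not part of the original post: one way to spot the IPv4-only recipes it describes is to check whether a pg_hba.conf has a host rule matching 127.0.0.1 but none matching ::1. The sample file contents and the function names are constructed for illustration, and quoted fields and include directives are assumed absent.

```python
import ipaddress

# Constructed sample: an IPv4-only recipe of the kind the post describes.
IPV4_ONLY = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   10.0.0.0/8     md5
"""
# Constructed sample: the same file with an IPv6 loopback rule added.
DUAL_STACK = IPV4_ONLY + "host    all       all   ::1/128        md5\n"

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def hba_networks(text):
    """Return the networks named by host-type rules in pg_hba.conf text."""
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # blank, comment, "local" (Unix socket) or malformed line
        addr = fields[3]
        if addr == "all":  # keyword matching every IPv4 and IPv6 address
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
            continue
        try:
            if "/" not in addr:
                # older layout: address and netmask in separate columns
                mask = ipaddress.ip_address(fields[4])
                addr = f"{addr}/{bin(int(mask)).count('1')}"
            nets.append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            continue  # hostname, samehost or samenet: not evaluated here
    return nets


def loopback_coverage(text):
    """Map each loopback address to whether any host rule matches it."""
    nets = hba_networks(text)
    result = {}
    for ip in ("127.0.0.1", "::1"):
        a = ipaddress.ip_address(ip)
        result[ip] = any(a.version == n.version and a in n for n in nets)
    return result


def ipv6_loopback_gap(text):
    """True when IPv4 loopback is matched by a rule but ::1 is not."""
    cov = loopback_coverage(text)
    return cov["127.0.0.1"] and not cov["::1"]
```

A rule counts as a match whatever its auth method, so a "reject" line for ::1 also closes the gap this reports.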




