I have a setup with virtual Xen hosts connected to a set of VLAN-s. On Dom0, I have set up a bridge for each of my VLAN-s to connect DomU-s to. Bridges are set up in /etc/network/interfaces like this:
    auto eth0
    iface eth0 inet manual

    auto eth0.1
    iface eth0.1 inet manual
        vlan_raw_device eth0

    auto br1
    iface br1 inet manual
        bridge_ports eth0.1
For most of these interfaces, I don't want Dom0 to be reachable, I just want it to bridge.
However, with IPv6, each interface automatically gets a link local address on the fe80::/64-network, which effectively breaks my security by letting Dom0 be available on all interfaces/VLAN-s.
I guess I can block all incoming packets with iptables, but avoiding any IPv6-address altogether seems like a cleaner solution.
Is there any way to take an interface up on the link-layer but not on the IP-layer?
This is Linux/Debian (sorry I missed this detail initially…)
(master) 844$ cat /etc/issue.net
Debian GNU/Linux 5.0
(master) 845$ uname -a
Linux master 2.6.26-2-xen-amd64 #1 SMP Sun Jun 20 20:51:58 UTC 2010 x86_64 GNU/Linux
Best Answer
It looks like you are running a Debian variant, and at least Linux. You could drop a file in /etc/sysctl.d to disable IPv6 on the interface or all interfaces. I have enabled IPv6, but this is the file I used to disable IPv6. Initially, I disabled everything, then I disabled individual interfaces while I brought up IPv6. You should be able to just disable your bridge.
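A check to run on Dom0 after applying a setting like the one this answer describes, as an added example that is not part of the original question or answer: it lists which bridge-only interfaces still hold an fe80::/10 address and reads each one's disable_ipv6 flag. The interface names eth0.1 and br1 come from the question; the sample `ip` output is constructed, and `SYSCTL_ROOT` is a hypothetical override used only so the check can be exercised without a live host.

```shell
#!/bin/sh
# Added example. Live use on Dom0:
#   ip -o -6 addr show | exposed_ifaces eth0.1 br1

# Constructed sample of `ip -o -6 addr show` output (lifetime fields trimmed).
SAMPLE='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::216:3eff:fe00:10/64 scope link
3: eth0.1@eth0    inet6 fe80::216:3eff:fe00:10/64 scope link
4: br1    inet6 fe80::216:3eff:fe00:10/64 scope link
5: br2    inet6 2001:db8::5/64 scope global'

# Read `ip -o -6 addr show` output on stdin and print, once each,
# every interface that holds an address inside fe80::/10.
linklocal_ifaces() {
    awk '$3 == "inet6" && tolower($4) ~ /^fe[89ab][0-9a-f]:/ {
             sub(/:$/, "", $2)      # tolerate a trailing colon on the name
             sub(/@.*/, "", $2)     # eth0.1@eth0 -> eth0.1
             if (!seen[$2]++) print $2
         }'
}

# Arguments: interfaces that are meant to bridge only.
# Prints those that are still reachable over a link-local address.
exposed_ifaces() {
    found=$(linklocal_ifaces)
    for want in "$@"; do
        for have in $found; do
            if [ "$want" = "$have" ]; then echo "$want"; fi
        done
    done
}

# Print the disable_ipv6 value for one interface (1 = IPv6 off), or
# "unknown" if the kernel does not expose it. Reading the /proc path
# directly avoids the dot in VLAN names such as eth0.1.
ipv6_flag() {
    f="${SYSCTL_ROOT:-/proc/sys}/net/ipv6/conf/$1/disable_ipv6"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Demonstration on the constructed sample above.
for i in $(printf '%s\n' "$SAMPLE" | exposed_ifaces eth0.1 br1); do
    echo "$i: link-local address present, disable_ipv6=$(ipv6_flag "$i")"
done
```

An empty result from `exposed_ifaces` on live output means none of the listed bridge-only interfaces carries a link-local address.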