Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.

Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. Corresponding tickets:

Modules to blacklist

  • ax25: (AX.25) amateur radio. Kernel module to work with amateur radio. Has had numerous vulnerabilities in the past. CVE's: CVE-2009-2909/CVE-2013-3223/. Indirect: CVE-2014-1446

Modules to remove

  • ipx: (Internetwork Packet Exchange) Primarily used on Novell Netware networks and popular in the 90's. Little networks make use of IPX if any. CVE-2013-7268.
  • appletalk: AppleTalk, unsupported in OS X since 2009. CVE's: CVE-2013-7267/CVE-2009-2903/CVE-2007-1357
  • psnap: (Subnetwork Access Protocol Relies on the ipx module, obscure and not used much.
  • rose: (network protocol derived from X.25) FIXME: explanation
  • p8023: Ethernet frame#Novell raw IEEE 802.3, was used by Novel NetWare until the mid-nineties. Relies on the ipx module.
  • llc: (ANSI/IEEE 802.2 LLC type 2 Support, IEEE 802.2 FIXME: explanation
  • p8022: IEEE 802.2 FIXME: explanation
  • decnet: The Linux DECnet Network Protocol FIXME: explanation
  • econet: FIXME: explanation
  • netrom: The amateur radio NET/ROM network and transport layer protocol FIXME: explanation
  • af_802154: IEEE 802.15.4 Kernel module to make low-power, low-rate network standard possible.

[1] [2]