RE: Strange 503 on https sites [ipv6 edition]

On Tue, 28 Jun 2011 00:20:04 +0000, Jenny Lee wrote:
NP: (rant warning) if you followed most any online tutorial for
disabling IPv6 in RHEL: most only go so far as to make the kernel drop IPv6 packets, rather than actually turning OFF the kernel control which would inform the relevant software that it cannot use IPv6 ports. So it
sends a packet, and waits... and waits...
(and yes I know you are connecting to an IPv4 host. Linux "hybrid
stack" which Squid uses can use IPv6 sockets to contact IPv4 space).

It probably is because ipv6 is no longer a module and is built into the kernel.

Most online tutorials would not be working or half-working.

Proper way to disable ipv6 virus in rhel6 is:

/boot/grub/grub.conf
ipv6.disable=1

/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1

/etc/modprobe.conf
/etc/modprobe.d/local.conf
alias net-pf-10 off
alias ipv6 off

/etc/sysconfig/network
NETWORKING_IPV6=off

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

chkconfig ip6tables off

/etc/sysconfig/network-scripts/ifcfg-eth0
make sure ipv6 DNS entries are removed


Doing all above would disable ipv6 both in RHEL5 and RHEL6. Instead
of thinking what is what and what works or not, I run this everywhere
and it covers all my machines.

Yes, that is correct.

This bit is what Squid IPv6 support detection tests and relies on:
"
 /etc/sysctl.conf
  net.ipv6.conf.all.disable_ipv6 = 1

  echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
"



I also run this so that, just in case ipv6 is enabled somewhere, it is dropped:

#!/bin/bash
if [ -d "/proc/sys/net/ipv6/conf" ];then
        IPT6=/sbin/ip6tables

        # Flush all
        $IPT6 -F ; $IPT6 -F FORWARD ; $IPT6 -X ; $IPT6 -Z ;

        $IPT6 -A INPUT   -j LOG --log-prefix "IPv6 INPUT DROPPED: "
        $IPT6 -A OUTPUT  -j LOG --log-prefix "IPv6 OUTPUT DROPPED: "
        $IPT6 -A FORWARD -j LOG --log-prefix "IPv6 FORWARD DROPPED: "

Ouch! Add these at least:
  $IPT6 -A INPUT -j REJECT
  $IPT6 -A OUTPUT -j REJECT
  $IPT6 -A FORWARD -j REJECT


        $IPT6 -P INPUT DROP
        $IPT6 -P OUTPUT DROP
        $IPT6 -P FORWARD DROP
fi


And *that* is exactly the type of false "disable" I was talking about.

Squid and other software will attempt to open an IPv6 socket(). As long as the IPv6 modules are loaded in the kernel that will *succeed*. At first glance this is fine, IPv4 can still come and go through that socket.

- In TCP they might then try to bind() to an IPv6, that *succeeds*. [bingo! IPv6 enabled and working. Squid will use it.] Then try to connect() to an IPv6. That also "succeeds" (partially). But the firewall DROP prevents the SYN packet ever going anywhere. Up to *15 minutes* later TCP will timeout.

- In UDP things get even stranger. It expects no response, so send() to both IPv4 and IPv6 will *succeed*.

Does the DNS error "No Servers responding;;" sound all too familiar? Then you or a transit network is most likely using DROP somewhere on UDP, TCP or ICMP.



Little bit old school perhaps, but I don't have knowledge about this
ipv6 and I would rather have it disabled until I learn it instead of
keeping my machines open for another vector of attack.

Treat it like you do IPv4. Preferably with a REJECT if you are using the same port in IPv4 but don't want to enable that service yet. DROP if you want to DoS the remote end software (i.e. responding to an attack by letting the remote end think it's working even as you discard everything).


You might not agree with me but this minimalistic approach "Don't use
it now, don't keep it" saved me many times over the years.

Hope someone finds this helpful.

Jenny


DISCLAIMER: Use at your own risk. I am not responsible if it blows up
your house, bites your dog, does your wife.

see above.

Amos
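As an added example (not code from either poster or from Squid), a small Python probe that walks the socket()/bind()/connect() sequence Amos describes and reads the disable_ipv6 sysctl he says Squid's detection relies on, so an admin can tell whether IPv6 is actually off or merely firewalled with DROP. The target address 2001:db8::1 (RFC 3849 documentation prefix) and the two-second timeout are assumptions chosen for the example.

```python
import errno
import socket

DISABLE_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"
FAST = (errno.ECONNREFUSED, errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL)

def kernel_ipv6_disabled(path=DISABLE_SYSCTL):
    # True when the sysctl reads 1, or when the file is absent (no IPv6 stack at all)
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return True

def probe(target=("2001:db8::1", 80), timeout=2.0):
    # Walk socket()/bind()/connect() like a hybrid-stack app; target is a constructed address
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return (False, False, None)          # no IPv6 sockets at all
    s.settimeout(timeout)
    try:
        s.bind(("::", 0))
    except OSError:
        s.close()
        return (True, False, None)
    try:
        s.connect(target)
        result = "ok"
    except socket.timeout:
        result = "timeout"                   # SYN swallowed: DROP somewhere on the path
    except OSError as e:                     # REJECT, closed port or no route: fails fast
        result = "fast-fail" if e.errno in FAST else "error"
    finally:
        s.close()
    return (True, True, result)

def diagnose(kernel_disabled, socket_ok, bind_ok, connect_result):
    if kernel_disabled:
        return "properly disabled: disable_ipv6=1, the control Squid checks"
    if not socket_ok:
        return "disabled: socket(AF_INET6) fails, IPv6 will not be used"
    if not bind_ok:
        return "half-disabled: socket() works but bind() fails"
    if connect_result == "timeout":
        return "false disable: IPv6 looks enabled but packets are DROPped"
    if connect_result == "fast-fail":
        return "IPv6 present, connect fails fast (REJECT or no route)"
    return "IPv6 working" if connect_result == "ok" else "IPv6 connect error"
```

Run `print(diagnose(kernel_ipv6_disabled(), *probe()))` on the box; a "false disable" verdict is the DROP-only setup Amos warns about, where applications keep waiting on a SYN that never gets answered.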

