On Tue, 28 Jun 2011 00:20:04 +0000, Jenny Lee wrote:
>> NP: (rant warning) if you followed most any online tutorial for
>> disabling IPv6 in RHEL. Most only go so far as to make the kernel
>> drop
>> IPv6 packets. Rather than actually turning the OFF kernel control
>> which
>> would inform the relevant software that it cannot use IPv6 ports. So
>> it
>> sends a packet, and waits... and waits...
>> (and yes I know you are connecting to an IPv4 host. Linux "hybrid
>> stack" which Squid uses can use IPv6 sockets to contact IPv4 space).
>
> It probably is because ipv6 is no longer a module and built into
> kernel.
>
> Most online tutorials would not be working or half-working.
>
> Proper way to disable ipv6 virus in rhel6 is:
>
> /boot/grub/grub.conf
> ipv6.disable=1
>
> /etc/sysctl.conf
> net.ipv6.conf.all.disable_ipv6 = 1
>
> /etc/modprobe.conf
> /etc/modprobe.d/local.conf
> alias net-pf-10 off
> alias ipv6 off
>
> /etc/sysconfig/network
> NETWORKING_IPV6=off
>
> echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
>
> chkconfig ip6tables off
>
> /etc/sysconfig/network-scripts/ifcfg-eth0
> make sure ipv6 DNS entries are removed
>
>
> Doing all above would disable ipv6 both in RHEL5 and RHEL6. Instead
> of thinking what is what and what works or not, I run this everywhere
> and it covers all my machines.
Yes, that is correct.
This bit is what Squid IPv6 support detection tests and relies on:
"
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
"
>
> I also run this just in case ipv6 is enabled somewhere, it is
> dropped:
>
> #!/bin/bash
> if [ -d "/proc/sys/net/ipv6/conf" ];then
> IPT6=/sbin/ip6tables
>
> # Flush all
> $IPT6 -F ; $IPT6 -F FORWARD ; $IPT6 -X ; $IPT6 -Z ;
>
> $IPT6 -A INPUT -j LOG --log-prefix "IPv6 INPUT DROPPED: "
> $IPT6 -A OUTPUT -j LOG --log-prefix "IPv6 OUTPUT DROPPED: "
> $IPT6 -A FORWARD -j LOG --log-prefix "IPv6 FORWARD DROPPED: "
Ouch! Add these at least:
$IPT6 -A INPUT -j REJECT
$IPT6 -A OUTPUT -j REJECT
$IPT6 -A FORWARD -j REJECT
> $IPT6 -P INPUT DROP
> $IPT6 -P OUTPUT DROP
> $IPT6 -P FORWARD DROP
> fi
>
And *that* is exactly the type of false "disable" I was talking about.
Squid and other software will attempt to open an IPv6 socket(). As long
as the IPv6 modules are loaded in the kernel that will *succeed*. At
first glance this is fine, IPv4 can still come and go through that
socket.
- In TCP they might then try to bind() to an IPv6, that *succeeds*.
[bingo! IPv6 enabled and working. Squid will use it.]
Then try to connect() to an IPv6. That also "succeeds" (partially).
But the firewall DROP prevents the SYN packet ever going anywhere. Up to
*15 minutes* later TCP will timeout.
- In UDP things get even stranger. It expects no response, so send()
to both IPv4 and IPv6 will *succeed*.
Does the DNS error "No Servers responding;;" sound all too familiar?
then you or a transit network is most likely using DROP somewhere on
UDP, TCP or ICMP.
>
> Little bit old school perhaps, but I don't have knowledge about this
> ipv6 and I would rather have it disabled until I learn it instead of
> keeping my machines open for another vector of attack.
Treat it like you do IPv4. Preferably with a REJECT if you are using
the same port in IPv4 but don't want to enable that service yet. DROP if
you want to DoS the remote end software (ie responding to an attack by
letting the remote end think its working even as you discard
everything).
>
> You might not agree with me but this minimalistic approach "Don't use
> it now, don't keep it" saved me many times over the years.
>
> Hope someone finds this helpful.
>
> Jenny
>
>
> DISCLAIMER: Use at your own risk. I am not responsible if it blows up
> your house, bites your dog, does your wife.
see above.
Amos
Received on Tue Jun 28 2011 - 01:18:17 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 28 2011 - 12:00:02 MDT