RE: [squid-users] Strange 503 on https sites [ipv6 edition]

From: Jenny Lee <bodycare_5_at_live.com>
Date: Tue, 28 Jun 2011 00:20:04 +0000

> NP: (rant warning) if you followed most any online tutorial for
> disabling IPv6 in RHEL. Most only go so far as to make the kernel drop
> IPv6 packets. Rather than actually turning the OFF kernel control which
> would inform the relevant software that it cannot use IPv6 ports. So it
> sends a packet, and waits... and waits...
> (and yes I know you are connecting to an IPv4 host. Linux "hybrid
> stack" which Squid uses can use IPv6 sockets to contact IPv4 space).

It probably is because ipv6 is no longer a module and is built into the kernel.
 
Most online tutorials would not be working or half-working.

The proper way to disable the ipv6 virus in rhel6 is:

/boot/grub/grub.conf
ipv6.disable=1
 
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
 
/etc/modprobe.conf
/etc/modprobe.d/local.conf
alias net-pf-10 off
alias ipv6 off

/etc/sysconfig/network
NETWORKING_IPV6=off

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
 
chkconfig ip6tables off

/etc/sysconfig/network-scripts/ifcfg-eth0
make sure ipv6 DNS entries are removed
 
 
Doing all of the above would disable ipv6 in both RHEL5 and RHEL6. Instead of thinking about what is what and what works or not, I run this everywhere and it covers all my machines.
 
I also run this so that, just in case ipv6 is enabled somewhere, it is dropped:
 
#!/bin/bash
# Only act if the kernel has an IPv6 stack at all (the sysctl tree exists).
if [ -d "/proc/sys/net/ipv6/conf" ];then
        IPT6=/sbin/ip6tables
        # Nothing to do if the ip6tables binary is not installed.
        [ -x "$IPT6" ] || exit 0
 
        # Flush all rules, delete user chains, zero counters
        $IPT6 -F ; $IPT6 -F FORWARD ; $IPT6 -X ; $IPT6 -Z ;
 
        # Log anything that reaches the end of each chain, then drop it
        # via the chain policy.
        $IPT6 -A INPUT -j LOG --log-prefix "IPv6 INPUT DROPPED: "
        $IPT6 -A OUTPUT -j LOG --log-prefix "IPv6 OUTPUT DROPPED: "
        $IPT6 -A FORWARD -j LOG --log-prefix "IPv6 FORWARD DROPPED: "
        $IPT6 -P INPUT DROP
        $IPT6 -P OUTPUT DROP
        $IPT6 -P FORWARD DROP
fi
 
 
A little bit old school perhaps, but I don't have knowledge about this ipv6 and I would rather have it disabled until I learn it, instead of keeping my machines open to another attack vector.
 
You might not agree with me, but this minimalistic approach ("Don't use it now, don't keep it") has saved me many times over the years.
 
Hope someone finds this helpful.
 
Jenny
 
 
DISCLAIMER: Use at your own risk. I am not responsible if it blows up your house, bites your dog, does your wife.
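As an added example (not part of Jenny's post or of Squid), a small sh function that reports which of the states discussed above a host is actually in: IPv6 absent from the kernel (ipv6.disable=1), present but disabled by the sysctl, or live with only ip6tables in front of it. The optional root-directory argument is an assumption added so the function can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not from the original post: report how IPv6 is (or is not)
# disabled on a RHEL-style host, using the files the post touches.
# Pass an alternate root (default: the live system) to run it against a
# constructed /proc tree.
ipv6_state() {
    root="${1:-}"
    cmdline="$root/proc/cmdline"
    if_inet6="$root/proc/net/if_inet6"
    sysctl="$root/proc/sys/net/ipv6/conf/all/disable_ipv6"

    # State 1: the address family is gone entirely (ipv6.disable=1 on the
    # kernel line, or the module never loaded). /proc/net/if_inet6 is only
    # registered once the IPv6 stack initialises, so its absence is the test.
    if [ ! -e "$if_inet6" ]; then
        if [ -r "$cmdline" ] && grep -qF 'ipv6.disable=1' "$cmdline"; then
            echo "absent (ipv6.disable=1 on kernel command line)"
        else
            echo "absent (IPv6 stack not loaded)"
        fi
        return 0
    fi

    # State 2: stack loaded, but addresses removed via the sysctl.
    if [ -r "$sysctl" ] && [ "$(cat "$sysctl")" = "1" ]; then
        echo "sysctl-disabled (net.ipv6.conf.all.disable_ipv6=1)"
        return 0
    fi

    # State 3: IPv6 is live; report how many addresses are configured.
    # Only firewall rules (ip6tables DROP) stand between programs and IPv6
    # here, which is the "sends a packet and waits" situation.
    n=$(wc -l < "$if_inet6" | tr -d ' ')
    echo "enabled ($n IPv6 address(es) configured)"
    return 0
}

ipv6_state "$@"
```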
 
 
Received on Tue Jun 28 2011 - 00:20:10 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 28 2011 - 12:00:02 MDT