What do I need to do to disable IPv6?

Jan 12, 2015
I'll never use IPv6 and want to disable it completely. I don't like having rpcbind or ssh running on both v4 and v6.
I've tried disabling using sysctl but getting errors in the logs from pve-firewall:

iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Is there a guide anywhere on how to go about removing v6 support?
 
Unfortunately, that answer won't survive a security audit. I need to prove that the listening services bound to IPv6 interfaces are properly firewalled. I do not know much about IPv6 but these services appear wide open. Am I misunderstanding?

# ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0)
udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)
udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)

 
First off: as long as you don't have RAs sent from a router, you will only have link-local IPv6 addresses.
They look like: inet6-Adresse: fe80::.........
A real IPv6 address will start with 2xxx::.......

A security auditor should know that, or he/she is not worth their money.

If you have to protect against machines in the same network, you can of course firewall IPv6 too, but the network segment in which your hosts run should be trusted anyway.


Second: did you ever hear that the IPv4 address range is a rare resource nowadays? So engage in IPv6 before it's too late for you and your company.
 
For completeness' sake: You can add `net.ipv6.conf.all.disable_ipv6=1` and `net.ipv6.conf.default.disable_ipv6=1` to /etc/sysctl.conf. (You can apply that to a running system via the `sysctl` command as well, but for the sake of not confusing running services I'd recommend restarting them afterwards.) This still allows selectively enabling ipv6 on certain interfaces.

Alternatively you can add `ipv6.disable=1` to your kernel boot options and reboot, to disable it entirely.

But a much better solution is to configure & firewall it properly (IPv6 by definition and by all "standards" comes with horrible defaults such as autoconfiguration and accepting routing advertisements - if you can't trust your LAN (and note that VMs are usually part of that) you'll want to disable those).
 
@wbumiller I have tried `ipv6.disable=1` but it does not seem to work. This is the boot line from the same machine above:
# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.98-6-pve root=/dev/mapper/pve-root ro ipv6.disble=1 vga=791 fsck.mode=force pti=on


I have made both the boot line modification as well as the `net.ipv6.conf.*` edits to `sysctl.conf`.
These result in the message logs filling up with the `ip6tables-restore` messages in the OP. How can these messages be prevented?

@Klaus Steinberger Network segments are inherently untrusted by nature. Malicious software can backdoor a device, users can install access points or download accidental trojans. These provide a point of entry for network-based attacks. This is why it's important to firewall un-needed services (or disable them completely) and, if possible, trigger a firewall alert for a NIDS system to provide a log/alert of the event. In a home network, you may not want all of this and that is your choice. In corporate settings, there are security policies which must be adhered to and which dictate how a machine is provisioned.

Yes, IPv4 has run its course; however, many institutions use something called IPv4/IPv6 translation. This allows an edge to use IPv6 to talk on the Internet, but then uses Network Address Translation to "rewrite" the network packet into an IPv4 packet so private networks behind the edge can still use IPv4. This is why IPv4 is still relevant.
 
These result in the message logs filling up with the `ip6tables-restore` messages in the OP.
Ah yes, we currently don't support a failing ip6tables-restore. That would need to be added to the firewall code. In the meantime you could possibly replace the file with a dummy, I guess...
 
@wbumiller - Ah, nice catch on "disable"! I must have looked at it 20 times...
Considering the message log errors, it's likely a better option to firewall v6 instead of maintaining modifications across system upgrades.
Thanks for your time
 
But... looking at this website: forum, wiki and the www website... only on IPv4. Is Proxmox also still advocating old technology ;)?
 
As I understand it (and I may be completely confused), as I followed IPv6 adoption over the past decade I saw this:
* It sounded great at first but carriers took too long to adopt it. Killed the momentum.
* The added complexity of the addressing scheme is a big WTF scaring people away from it
* 6to4 NAT at the edge got worked out so adoption in the LAN is pointless now
* IoT put another nail in IPv6 (public route to devices on the LAN) since manufacturers can't do simple device security

Additionally, it's extra work to have IPv6 in Proxmox since everything I do is in IPv4 land. All it does is open up attack surfaces for RPC services and other listening daemons because now I have to configure TWO FIREWALLS instead of just an IPv4 one. This goes for both LAN and DMZ servers. There's just no point to it. Why would anyone, outside of the NOC, really need IPv6 now?

PS: Not saying this is anything against Proxmox. I have been running several licensed servers for years and it's really a flawless product in comparison to some of the other options out there. I just find the IPv6 requirement maddening when it doesn't fit my use case.
 
6to4, two firewalls... oh my.
Well, even the top guys think that 4 will exist for a long time next to 6, so nobody will win this battle soon ;)

Some inspiration:
https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html
https://serverfault.com/questions/894488/how-bad-is-ipv4-address-exhaustion-really

and the stats
https://www.ripe.net/publications/ipv6-info-centre/about-ipv6/ipv4-exhaustion/ipv4-available-pool

Any response from Proxmox why their sites are not on IPv6?
 
You can use a custom script which just exits immediately on call and combine it with the "alternatives" feature of Debian to eliminate the annoying log messages.

I mean, you can create a shell script that does nothing. Put it into /usr/local/sbin/ip6tables-dummy for example. Then you can create a new alternative by issuing:

Code:
# update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/local/sbin/ip6tables-dummy 40 \
    --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/local/sbin/ip6tables-dummy \
    --slave /usr/sbin/ip6tables-save ip6tables-save /usr/local/sbin/ip6tables-dummy

You can activate this alternative with
Code:
# update-alternatives --config ip6tables
and choosing the dummy one.
 
The whole "IPv4 is rare/limited" issue is anyway not really an issue tbh.

For example, in my company, we got from RIPE a really big IPv4 block, a /19 IPv4 block to be exact.
And we use from that block maybe 100-150 IPs in total.
But since it's assigned to us, it counts as "taken", and for sure from the company's view we would never exchange our /19 block for a smaller one....

And I know at least 10-15 more companies in my small branch in Germany alone that have totally oversized blocks given from RIPE xD

RIPE does indeed check for the used IPs in our range, so we have to spin up once a year or so a VM that simply takes via DHCP over a thousand IP addresses for a short time. Dunno if this is really needed tbh, but we simply do it to feel safe xD

However, from my point of view, there are really enough IPv4 addresses available and thanks to NAT, not every device needs an IPv4 address.

The only problem is all the phones over LTE/3G/etc. that all have an IPv4 address assigned, and that is the basic problem why we needed IPv6 at all.
But tbh, the companies could do NAT for those devices over LTE/3G/etc. too, without a big problem.
Sure, that solution would have downsides, but IPv6 has downsides too.
The biggest downside is that no one can remember an IPv6 address, while IPv4 is easy to remember and to manage xD

However, all this doesn't mean that I'm against IPv6; IPv6 provides many amazing features, even for the LAN side, like autoconfiguration & multicast over different networks etc...
And at the same time it has big downsides too, like IPv6 isn't even completed yet; there are many key options missing, for example:
https://tools.ietf.org/html/rfc5006
Aside from the managing horror that you have to set it up properly.
Another big downside is that in most home-user cases IPv6 is dynamic too, so the clients have to get their new IPv6 address based on what range you get over WAN at whatever dynamic time your provider decides to rotate IPv6.
While this works in simple environments, it's a drama to configure routing for that and make proper firewall rules, since you can't simply configure it based on static IP addresses like with IPv4 in your LAN.

So in the end it's something you simply have to decide on your own, whether you need and want it or you don't want it. Both ways work and will work forever. At least on the LAN side, we will always have IPv4 if you don't decide to deactivate it...

I'm using IPv6 in all the networks (home/office) personally, because I personally have a benefit from it.

About disabling IPv6, from my findings, the best way is to disable IPv6 completely except for loopback.
Some services need IPv6 on the loopback interface, why ever.
So I would use:
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=0

Cheers
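An added example, not from the thread or from Proxmox, covering the auditor's question earlier in the thread ("which services are wide open on IPv6?") and the "everything off except loopback" sysctl state recommended just above. It works on constructed netstat and sysctl lines shaped like the ones quoted in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not the thread's own code): two small audit helpers.
# Inputs are constructed after the netstat and sysctl lines quoted in the thread.

# Constructed netstat -tulpn style lines (same shape as the output quoted above).
NETSTAT_SAMPLE='tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)'

# Constructed sysctl -a style lines: the "all off except loopback" state,
# and one where a bridge interface still has IPv6 enabled.
SYSCTL_OK='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0'
SYSCTL_BAD="$SYSCTL_OK
net.ipv6.conf.vmbr0.disable_ipv6 = 0"

# Read netstat lines on stdin; print "proto port program" for each socket bound
# to the IPv6 wildcard (:::PORT). A ::1:PORT socket is loopback-only and skipped.
# Wildcard sockets answer on every address the host has, link-local included.
wildcard_v6_listeners() {
    awk '$1 ~ /^(tcp6|udp6)$/ && $4 ~ /^:::[0-9]+$/ {
        port = substr($4, 4)
        prog = "?"
        for (i = 5; i <= NF; i++)            # PID/Program column position differs
            if ($i ~ /^[0-9]+\//) {          # between tcp6 and udp6 lines
                prog = substr($i, index($i, "/") + 1); break
            }
        print $1, port, prog
    }'
}

# Read sysctl lines on stdin; print every interface (except lo) whose
# disable_ipv6 is still 0. Empty output means IPv6 is off everywhere but loopback.
v6_still_enabled() {
    awk -F'[ =]+' '$1 ~ /^net\.ipv6\.conf\.[^.]+\.disable_ipv6$/ && $2 == "0" {
        split($1, k, "."); if (k[4] != "lo") print k[4]
    }'
}

# Stand-alone run on the constructed samples.
printf '%s\n' "$NETSTAT_SAMPLE" | wildcard_v6_listeners
printf '%s\n' "$SYSCTL_BAD" | v6_still_enabled
```

On a live host, feed `netstat -tulpn` and `sysctl -a` output to the two functions instead of the samples.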
 
Thanks, this worked for me.


net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

/etc/sysctl.conf


Regards John
 