IPv6 - address get assigned to interface on which proxmox should not listen on

[superuser]

Hi

The server has two NICs. 1 is for the LAN, the other one is an untrusted WAN connection. On the WAN connection I don't want proxmox to listen, for security reasons. I have set up a bridge with that interface and left the IP configuration empty:



(the same on the "Network Device")

For IPv4 this works, neither the interface/Device nor the bridge get an IP. For IPv6 however, the bridge gets an IP:

ip a
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3c:18:a0:77:f5:9a brd ff:ff:ff:ff:ff:ff
    inet6 2001:1e0:5af:2000:3e18:e1ff:af47:b51a/64 scope global dynamic mngtmpaddr
       valid_lft 2591968sec preferred_lft 604768sec
    inet6 fe80::3e18:e1ff:af47:b51a/64 scope link
       valid_lft forever preferred_lft forever

Why is this?

 

[Stoiko Ivanov]

Why is this?

on a hunch - stateless address autoconfiguration:
https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)

I would suggest to just set a single LISTEN_IP in /etc/default/pveproxy - see:
https://pve.proxmox.com/pve-docs/pveproxy.8.html

or use nftables/iptables to prevent access


I hope this helps!

 

[superuser]

Thank you! That only affects the web interface, doesn't it?

If I disable IPv6 in the OS, would that affect PVE (apart from the missing IPv6 functionality)?

 

[Dunuin]

If you don't need IPv6 simply add net.ipv6.conf.all.disable_ipv6 = 1 to "/etc/sysctl.conf". That will disable all IPv6 for the server. Works fine here for years.

 

[superuser]

Thanks! Seems to work here too..

Why is the autoionfiguration not disabled by default? With the IPv6 PVE is reachable from the internet..

 

[Stoiko Ivanov]

Why is the autoionfiguration not disabled by default? With the IPv6 PVE is reachable from the internet..

That's been the default in the linux kernel for quite a long time (as far as I remember) - so we simply kept that.