IPv6 - address gets assigned to interface on which Proxmox should not listen

superuser

Member
Oct 16, 2022
Hi

The server has two NICs. 1 is for the LAN, the other one is an untrusted WAN connection. On the WAN connection I don't want proxmox to listen, for security reasons. I have set up a bridge with that interface and left the IP configuration empty:

1665906820497.png

(the same on the "Network Device")

For IPv4 this works, neither the interface/Device nor the bridge gets an IP. For IPv6 however, the bridge gets an IP:

```shell
ip a
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3c:18:a0:77:f5:9a brd ff:ff:ff:ff:ff:ff
    inet6 2001:1e0:5af:2000:3e18:e1ff:af47:b51a/64 scope global dynamic mngtmpaddr
       valid_lft 2591968sec preferred_lft 604768sec
    inet6 fe80::3e18:e1ff:af47:b51a/64 scope link
       valid_lft forever preferred_lft forever
```

Why is this?
 

Thank you! That only affects the web interface, doesn't it?

If I disable IPv6 in the OS, would that affect PVE (apart from the missing IPv6 functionality)?
 
If you don't need IPv6 simply add net.ipv6.conf.all.disable_ipv6 = 1 to "/etc/sysctl.conf". That will disable all IPv6 for the server. Works fine here for years.
 
Thanks! Seems to work here too..

Why is the autoconfiguration not disabled by default? With the IPv6 PVE is reachable from the internet..
 
> Why is the autoconfiguration not disabled by default? With the IPv6 PVE is reachable from the internet..
That's been the default in the linux kernel for quite a long time (as far as I remember) - so we simply kept that.
 
I just came across this, finding out the servers were publicly reachable since we added IPv6. We use DHCPv6 only, but the server takes a SLAAC IP. This MUST BE IN BIG LETTERS because this puts all Proxmox servers running with IPv6 somewhere on an interface at risk of being hacked and attacked without the admins knowing it.

One needs to define the interface to have it for the VMs, but the interface itself should NEVER take an IP by itself.

Brrrrrrrrrrrrrrrrrr I really love Proxmox, but this is hard.
 
**On all publicly reachable interfaces:**

/etc/sysctl.d/99-ipv6.conf

```
net.ipv6.conf.vmbr1.accept_ra=0
net.ipv6.conf.vmbr1.autoconf=0
```
 
Use sysctl to disable IPv6 on the interfaces where you don't want it.
You will find all the values in /proc/sys/net/ipv6/conf

under sysctl: net.ipv6.conf.<interface>.disable_ipv6 = 1
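
Added example, not part of any post in this thread: a POSIX shell audit that combines the two checks the thread relies on, whether an interface holds a global IPv6 address in `ip -6 -o addr show` output and whether its `accept_ra`, `autoconf` and `disable_ipv6` sysctls still permit autoconfiguration. The function names, verdict strings, the optional sysctl-root argument and the sample data (documentation prefix 2001:db8::/32) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag interfaces that hold, or could still pick up, a SLAAC address.

# Print global-scope IPv6 addresses of interface $1, parsed from
# `ip -6 -o addr show` output supplied on stdin (one record per line).
global_v6_addrs() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet6" {
        for (i = 5; i < NF; i++) if ($i == "scope" && $(i+1) == "global") print $4 }'
}

# Print the SLAAC posture of interface $1. $2 optionally overrides the sysctl
# tree (assumption, so the check can run offline). disabled: disable_ipv6=1;
# blocked: accept_ra=0 and autoconf=0; open: anything else.
slaac_state() {
    d="${2:-/proc/sys/net/ipv6/conf}/$1"
    if [ ! -r "$d/accept_ra" ]; then echo unknown
    elif [ "$(cat "$d/disable_ipv6")" = 1 ]; then echo disabled
    elif [ "$(cat "$d/accept_ra")" = 0 ] && [ "$(cat "$d/autoconf")" = 0 ]; then echo blocked
    else echo open
    fi
}

# Verdict for interface $1, reading `ip -6 -o addr show` output on stdin.
# Addresses and sysctls are checked separately and both are reported.
audit_iface() {
    addrs=$(global_v6_addrs "$1" | tr '\n' ' ')
    state=$(slaac_state "$1" "$2")
    if [ -n "$addrs" ]; then echo "EXPOSED $1 slaac=$state addrs=${addrs% }"
    elif [ "$state" = open ] || [ "$state" = unknown ]; then echo "AT-RISK $1 slaac=$state"
    else echo "OK $1 slaac=$state"
    fi
}

# Constructed sample of `ip -6 -o addr show` output (not real data).
SAMPLE='2: vmbr0    inet6 fe80::1/64 scope link \       valid_lft forever preferred_lft forever
5: vmbr1    inet6 2001:db8:0:1::a/64 scope global dynamic mngtmpaddr \       valid_lft 2591968sec preferred_lft 604768sec
5: vmbr1    inet6 fe80::2/64 scope link \       valid_lft forever preferred_lft forever'

# Demo: audit the sample against a throwaway sysctl tree with kernel-default values.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/vmbr1"
    echo 0 > "$tmp/vmbr1/disable_ipv6"
    echo 1 > "$tmp/vmbr1/accept_ra"; echo 1 > "$tmp/vmbr1/autoconf"
    printf '%s\n' "$SAMPLE" | audit_iface vmbr1 "$tmp"
    rm -rf "$tmp"
}
demo
```

On a live host the same check is `ip -6 -o addr show | audit_iface vmbr1`.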