What do I need to do to disable IPv6?

Discussion in 'Proxmox VE: Networking and Firewall' started by jimmyjoe, Mar 26, 2018.

  1. jimmyjoe

    jimmyjoe Member
    Proxmox VE Subscriber

    Joined:
    Jan 12, 2015
    Messages:
    79
    Likes Received:
    2
    I'll never use IPv6 and want to disable it completely. I don't like having rpcbind or ssh running on both v4 and v6.
    I've tried disabling it using sysctl, but I'm getting errors in the logs from pve-firewall:

    iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

    Is there a guide anywhere on how to go about removing v6 support?
     
  2. Klaus Steinberger

    Proxmox VE Subscriber

    Joined:
    Jan 16, 2018
    Messages:
    145
    Likes Received:
    19
    There is no need to disable IPv6 as long as you have no sluggish IPv6 connectivity. Just let the system jobs do their work.
     
  3. jimmyjoe

    jimmyjoe Member
    Proxmox VE Subscriber

    Joined:
    Jan 12, 2015
    Messages:
    79
    Likes Received:
    2
    Unfortunately, that answer won't survive a security audit. I need to prove that the listening services bound to IPv6 interfaces are properly firewalled. I do not know much about IPv6, but these services appear wide open. Am I misunderstanding?

    # ip6tables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
    tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0)
    tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0)
    tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
    udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0)
    udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)
    udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
    udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
    udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)
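    The audit being asked for here can be scripted. This is an added example, not code from the thread or from Proxmox: it parses `netstat -anpo`-style lines (the tcp6/udp6 lines quoted above are embedded as a constructed sample) and groups the IPv6 sockets by how far each binding reaches, so wildcard `::` listeners stand out from loopback-only ones.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcp6/udp6 lines quoted in the thread, in
# `netstat -anpo` column order (proto, recv-q, send-q, local, foreign, [state], ...).
SAMPLE = """\
tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0)
udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)
udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)
"""

PIDPROG = re.compile(r"^(\d+)/(\S+)$")  # the "pid/program" column

def scope(host):
    """Map the bound IPv6 host address to how far that binding reaches."""
    if host == "::":
        return "any"         # wildcard: every v6 address the host ever gets
    if host == "::1":
        return "loopback"    # local processes only
    if host.lower().startswith("fe80:"):
        return "link-local"  # same L2 segment only, but neighbours can reach it
    return "global"

def parse_listeners(text):
    """One dict per tcp6 LISTEN / udp6 socket: proto, port, host, scope, program."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp6", "udp6"):
            continue
        if f[0] == "tcp6" and f[5] != "LISTEN":   # UDP lines have no STATE column
            continue
        host, port = f[3].rsplit(":", 1)          # ":::22" -> ("::", "22")
        prog = next((m.group(2) for m in map(PIDPROG.match, f) if m), "?")
        out.append({"proto": f[0], "port": int(port), "host": host,
                    "scope": scope(host), "program": prog})
    return out

def exposed_by_program(listeners):
    """Group every non-loopback binding by program: what a remote v6 peer could reach."""
    exposed = defaultdict(set)
    for s in listeners:
        if s["scope"] != "loopback":
            exposed[s["program"]].add((s["proto"], s["port"]))
    return {k: sorted(v) for k, v in exposed.items()}

if __name__ == "__main__":
    for prog, socks in sorted(exposed_by_program(parse_listeners(SAMPLE)).items()):
        print(prog, ", ".join(f"{p}/{n}" for p, n in socks))
```

    Feed it real output with `netstat -anpo | python3 audit_v6.py`-style piping after replacing `SAMPLE` with `sys.stdin.read()`; anything reported under "any" is what the ip6tables policy above would have to cover.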

     
  4. Klaus Steinberger

    Proxmox VE Subscriber

    Joined:
    Jan 16, 2018
    Messages:
    145
    Likes Received:
    19
    First off: As long as you don't have RAs sent from a router you will only have link-local IPv6 addresses.
    They look like: inet6-Adresse: fe80::.........
    A real IPv6 address will start with 2xxx::.......

    A security auditor should know that, or he/she is not worth his money.

    If you have to protect against machines in the same network, you can of course firewall IPv6 too, but the network segment in which your hosts run should be trusted anyway.


    Second: did you ever hear that the IPv4 address range is a rare resource nowadays? So engage in IPv6 before it's too late for you and your company.
     
  5. wbumiller

    wbumiller Proxmox Staff Member
    Staff Member

    Joined:
    Jun 23, 2015
    Messages:
    616
    Likes Received:
    72
    For completeness' sake: You can add `net.ipv6.conf.all.disable_ipv6=1` and `net.ipv6.conf.default.disable_ipv6=1` to /etc/sysctl.conf. (You can apply that to a running system via the `sysctl` command as well, but for the sake of not confusing running services I'd recommend restarting them afterwards.) This still allows selectively enabling ipv6 on certain interfaces.

    Alternatively you can add `ipv6.disable=1` to your kernel boot options and reboot, to disable it entirely.

    But a much better solution is to configure & firewall it properly (IPv6 by definition and by all "standards" comes with horrible defaults such as autoconfiguration and accepting routing advertisements - if you can't trust your LAN (and note that VMs are usually part of that) you'll want to disable those).
     
  6. jimmyjoe

    jimmyjoe Member
    Proxmox VE Subscriber

    Joined:
    Jan 12, 2015
    Messages:
    79
    Likes Received:
    2
    @wbumiller I have tried `ipv6.disable=1` but it does not seem to work. This is the boot line from the same machine as above:
    # cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-4.4.98-6-pve root=/dev/mapper/pve-root ro ipv6.disble=1 vga=791 fsck.mode=force pti=on


    I have made both the boot line modification as well as the `net.ipv6.conf.*` edits to `sysctl.conf`.
    These result in the message logs filling up with the `ip6tables-restore` messages in the OP. How can these messages be prevented?

    @Klaus Steinberger Network segments are inherently untrusted by nature. Malicious software can backdoor a device, users can install access points or accidentally download trojans. These provide a point of entry for network-based attacks. This is why it's important to firewall un-needed services (or disable them completely) and, if possible, trigger a firewall alert for a NIDS system to provide a log/alert of the event. In a home network, you may not want all of this and that is your choice. In corporate settings, there are security policies which must be adhered to and which dictate how a machine is provisioned.

    Yes, IPv4 has run its course; however, many institutions use something called IPv4/IPv6 translation. This allows an edge to use IPv6 to talk on the Internet, but then uses Network Address Translation to "rewrite" the network packet into an IPv4 packet so private networks behind the edge can still use IPv4. This is why IPv4 is still relevant.
     
  7. wbumiller

    wbumiller Proxmox Staff Member
    Staff Member

    Joined:
    Jun 23, 2015
    Messages:
    616
    Likes Received:
    72
    disble => disable
     
  8. wbumiller

    wbumiller Proxmox Staff Member
    Staff Member

    Joined:
    Jun 23, 2015
    Messages:
    616
    Likes Received:
    72
    Ah yes, we currently don't support a failing ip6tables-restore. That would need to be added to the firewall code. In the meantime you could possibly replace the file with a dummy, I guess...
     
  9. jimmyjoe

    jimmyjoe Member
    Proxmox VE Subscriber

    Joined:
    Jan 12, 2015
    Messages:
    79
    Likes Received:
    2
    @wbumiller - Ah, nice catch on "disable"! I must have looked at it 20 times...
    Considering the message log errors, it's likely a better option to firewall the v6 instead of maintaining modifications across system upgrades.
    Thanks for your time
     
  10. Michel V

    Michel V Member

    Joined:
    Jul 5, 2018
    Messages:
    31
    Likes Received:
    1
    @jimmyjoe Shouldn't you rather go the other way and turn IPv4 off? Really don't get the arguments against IPv6...
     
  11. Michel V

    Michel V Member

    Joined:
    Jul 5, 2018
    Messages:
    31
    Likes Received:
    1
    But... looking at this website: forum, wiki and the www website... only in IPv4. Is Proxmox also still advocating old technology ;)?
     
  12. jimmyjoe

    jimmyjoe Member
    Proxmox VE Subscriber

    Joined:
    Jan 12, 2015
    Messages:
    79
    Likes Received:
    2
    As I understand it, and I may be completely confused, but as I followed IPv6 adoption over the past decade I saw this:
    * It sounded great at first but carriers took too long to adopt it. Killed the momentum.
    * The added complexity of the addressing scheme is a big WTF scaring people away from it
    * 6to4 NAT at the edge got worked out so adoption in the LAN is pointless now
    * IOT put another nail in IPv6 (public route to devices on the LAN) since manufacturers can't do simple device security

    Additionally, it's extra work to have IPv6 in Proxmox since everything I do is in IPv4 land. All it does is open up attack services for rpc services and other listening daemons because now I have to configure TWO FIREWALLS instead of just an IPv4. This goes for both LAN and DMZ servers. There's just no point to it. Why would anyone, outside of the NOC, really need IPv6 now?

    PS: Not saying this is anything against Proxmox. I have been running several licensed servers for years and it's really a flawless product in comparison to some of the other options out there. I just find the IPv6 requirement maddening when it doesn't fit my use case.
     
    #12 jimmyjoe, Aug 8, 2018
    Last edited: Aug 8, 2018
  13. Michel V

    Michel V Member

    Joined:
    Jul 5, 2018
    Messages:
    31
    Likes Received:
    1
    6to4, two firewalls... oh my.
    Well, even the top guys think that 4 will exist for a long time next to 6, so nobody will win this battle soon ;)

    Some inspiration:
    https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html
    https://serverfault.com/questions/894488/how-bad-is-ipv4-address-exhaustion-really

    and the stats
    https://www.ripe.net/publications/ipv6-info-centre/about-ipv6/ipv4-exhaustion/ipv4-available-pool

    Any response from Proxmox why their sites are not on IPv6?
     
    #13 Michel V, Aug 9, 2018
    Last edited: Aug 14, 2018