What do I need to do to disable IPv6?

Jan 12, 2015
I'll never use IPv6 and want to disable it completely. I don't like having rpcbind or ssh running on both v4 and v6.
I've tried disabling it using sysctl, but I'm getting errors in the logs from pve-firewall:

iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Is there a guide anywhere on how to go about removing v6 support?
 
Jan 12, 2015
Unfortunately, that answer won't survive a security audit. I need to prove that the listening services bound to IPv6 interfaces are properly firewalled. I do not know much about IPv6, but these services appear wide open. Am I misunderstanding?

# ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0)
udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)
udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)

 
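Turning the question above into a repeatable check, as an added example that is not part of the original post or of Proxmox: the script parses the two artifacts the OP pasted (`ip6tables -nvL` and the `netstat` socket list) and flags every daemon bound to the IPv6 wildcard `:::port` while the INPUT chain is an empty ACCEPT. The sample input is constructed from the OP's paste; the file names `/tmp/fw.txt` and `/tmp/ns.txt` and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox): audit IPv6 exposure from two
# saved artifacts, no root needed. Assumed capture step:
#   ip6tables -nvL  > /tmp/fw.txt
#   netstat -tulpne > /tmp/ns.txt
#   . ./ipv6_audit.sh && audit_ipv6_exposure /tmp/fw.txt /tmp/ns.txt

# Constructed samples, taken from the OP's paste (netstat column header omitted).
SAMPLE_IP6TABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination'

SAMPLE_NETSTAT='tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0)
tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0)
udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0)
udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0)
udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0)
udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0)
udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)'

# Policy of the INPUT chain (ACCEPT or DROP), read from `ip6tables -nvL` on stdin.
input_policy() {
    awk '/^Chain INPUT/ { gsub(/[()]/, ""); print $4; exit }'
}

# Number of rules in the INPUT chain: non-empty lines after the chain header
# and the column line, up to the next "Chain" header.
input_rule_count() {
    awk '/^Chain INPUT/ { inchain = 1; next }
         /^Chain /      { inchain = 0 }
         inchain && NF && $1 != "pkts" { n++ }
         END { print n + 0 }'
}

# Sockets bound to the IPv6 wildcard (":::port"). Loopback-only bindings such
# as ntpd on ::1:123 are deliberately not reported. Output: proto port pid/program
wildcard_v6_listeners() {
    awk '$1 ~ /^(tcp|udp)6$/ && $4 ~ /^:::[0-9]+$/ {
             split($4, a, ":"); prog = "?"
             for (i = NF; i > 0; i--) if ($i ~ "^[0-9]+/") { prog = $i; break }
             print $1, a[4], prog
         }'
}

# Verdict: return 1 (and list the services) when nothing filters IPv6 at all,
# i.e. INPUT policy ACCEPT with zero rules, and a daemon listens on :::port.
audit_ipv6_exposure() {   # $1 = ip6tables -nvL output, $2 = netstat -tulpn(e) output
    policy=$(input_policy < "$1")
    rules=$(input_rule_count < "$1")
    listeners=$(wildcard_v6_listeners < "$2")
    if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ] && [ -n "$listeners" ]; then
        printf '%s\n' "$listeners" |
            awk '{ print "EXPOSED " $1 "/" $2 " " $3 " (INPUT policy ACCEPT, 0 rules)" }'
        return 1
    fi
    echo "INPUT policy $policy with $rules rule(s); wildcard IPv6 listeners to check against them:"
    printf '%s\n' "${listeners:-none}"
    return 0
}
```

On the OP's data this prints eight EXPOSED lines and exits 1, which is the evidence an auditor asks for. Once rules exist the script only lists the listeners; whether each one is covered still has to be read off the ruleset. Note that a `:::22` socket is normally a single dual-stack socket, so disabling IPv6 does not remove the listener, it just moves it to 0.0.0.0:22.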
Jan 16, 2018
First off: as long as you don't have RAs sent from a router you will only have link-local IPv6 addresses.
They look like: inet6 address: fe80::.........
A real IPv6 address will start with 2xxx::.......

A security auditor should know that, or he/she is not worth their money.

If you have to protect against machines in the same network, you can of course firewall IPv6 too, but the network segment in which your hosts run should be trusted anyway.


Second: did you ever hear that the IPv4 address range is a rare resource nowadays? So engage in IPv6 before it's too late for you and your company.
 

wbumiller

Proxmox Staff Member
Jun 23, 2015
For completeness' sake: You can add `net.ipv6.conf.all.disable_ipv6=1` and `net.ipv6.conf.default.disable_ipv6=1` to /etc/sysctl.conf. (You can apply that to a running system via the `sysctl` command as well, but for the sake of not confusing running services I'd recommend restarting them afterwards.) This still allows selectively enabling ipv6 on certain interfaces.

Alternatively you can add `ipv6.disable=1` to your kernel boot options and reboot, to disable it entirely.

But a much better solution is to configure & firewall it properly (IPv6 by definition and by all "standards" comes with horrible defaults such as autoconfiguration and accepting routing advertisements - if you can't trust your LAN (and note that VMs are usually part of that) you'll want to disable those).
 
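The two routes laid out in the post above, as an added example that is not the thread's or Proxmox's own code: a sysctl drop-in for the "turn it off" route, a sysctl drop-in for the "keep it but refuse SLAAC and router advertisements" route, and a default-deny ip6tables ruleset that still lets through the ICMPv6 types a host needs, plus a static check an auditor can run on the saved ruleset. The interface name `vmbr0` and the trusted admin prefix `2001:db8:1::/64` (RFC 3849 documentation prefix) are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox). Emits hardening config for
# the two routes described above and validates the ruleset it generates.
# Assumed names: interface vmbr0, trusted admin prefix 2001:db8:1::/64.

# Route A: IPv6 off on every interface via sysctl. Persist it in
# /etc/sysctl.d/. As the thread shows, pve-firewall's ip6tables-restore
# then fails on every reload.
sysctl_disable_ipv6() {
    cat <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
}

# Route B: keep IPv6 but refuse the defaults that are dangerous on an
# untrusted segment: no SLAAC, no router advertisements, no redirects.
sysctl_harden_ipv6() {   # $1 = interface name
    iface=$1
    cat <<EOF
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.$iface.accept_ra = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.$iface.autoconf = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
}

# Default-deny ruleset in ip6tables-restore format. ICMPv6 kept: 1-4
# (errors, incl. 2 = Packet Too Big for PMTUD), 128 (echo request) and
# 135/136 (neighbor discovery; valid ND always has hop limit 255).
# 134 (RA) and 137 (redirect) are dropped on purpose: the sysctls above
# ignore them anyway. Dropped packets are logged, rate-limited.
ip6tables_ruleset() {   # $1 = prefix allowed to reach sshd
    trusted=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -s $trusted -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6-drop: " --log-level 4
COMMIT
EOF
}

# Static check on a saved ruleset (stdin): INPUT must default to DROP, and
# neighbor discovery plus Packet Too Big must still be accepted, otherwise
# the host loses its link-local neighbours or breaks PMTUD.
ruleset_is_sane() {
    awk '/^:INPUT DROP/                      { drop = 1 }
         /--icmpv6-type 135/ && /-j ACCEPT/  { ns = 1 }
         /--icmpv6-type 136/ && /-j ACCEPT/  { na = 1 }
         /--icmpv6-type 2 / && /-j ACCEPT/   { ptb = 1 }
         END { exit !(drop && ns && na && ptb) }'
}
```

Apply with `sysctl_harden_ipv6 vmbr0 > /etc/sysctl.d/60-ipv6.conf && sysctl --system` and `ip6tables_ruleset 2001:db8:1::/64 | ip6tables-restore`, then restart the listening services as the post recommends. On a node where pve-firewall is enabled it regenerates the ip6tables rules itself (that is the ip6tables-restore call in the OP's log), so there the same policy belongs in the Proxmox firewall configuration rather than in a hand-loaded file.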
Jan 12, 2015
@wbumiller I have tried `ipv6.disable=1` but it does not seem to work. This is the boot line from the same machine above:
# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.98-6-pve root=/dev/mapper/pve-root ro ipv6.disble=1 vga=791 fsck.mode=force pti=on


I have made both the boot line modification as well as the `net.ipv6.conf.*` edits to `sysctl.conf`.
These result in the message logs filling up with the `ip6tables-restore` messages in the OP. How can these messages be prevented?

@Klaus Steinberger Network segments are inherently untrusted by nature. Malicious software can backdoor a device, users can install access points or accidentally download trojans. These provide a point of entry for network-based attacks. This is why it's important to firewall un-needed services (or disable them completely) and, if possible, trigger a firewall alert for a NIDS to provide a log/alert of the event. In a home network you may not want all of this, and that is your choice. In corporate settings there are security policies which must be adhered to and which dictate how a machine is provisioned.

Yes, IPv4 has run its course; however, many institutions use something called IPv4/IPv6 translation. This allows an edge to use IPv6 to talk on the Internet, but then uses Network Address Translation to "rewrite" the network packet into an IPv4 packet so private networks behind the edge can still use IPv4. This is why IPv4 is still relevant.
 

wbumiller

Proxmox Staff Member
Jun 23, 2015
These result in the message logs filling up with the `ip6tables-restore` messages in the OP.
Ah yes, we currently don't support a failing ip6tables-restore. That would need to be added to the firewall code. In the meantime you could possibly replace the file with a dummy, I guess...
 
Jan 12, 2015
@wbumiller - Ah, nice catch on "disable"! I must have looked at it 20 times...
Considering the message log errors, it's likely a better option to firewall v6 instead of maintaining modifications across system upgrades.
Thanks for your time
 
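The typo spotted above is the kind of thing a check should catch rather than a human re-reading the line twenty times. As an added example that is not from the thread or from Proxmox, the script below gives a yes/no answer to "is IPv6 actually off on this host": an exact-token test on the kernel command line (so `ipv6.disble=1` and `ipv6.disable=0` both fail), and a read of every `disable_ipv6` flag under /proc/sys. The `root` parameter is an assumption added so the check can be pointed at a fake tree for testing; on a real host it is left empty.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox): verify that the IPv6 "off"
# switches actually took effect, instead of trusting they were typed right.
# The OP's cmdline carried ipv6.disble=1, which the kernel silently ignores.

# Return 0 only if the kernel command line carries the exact token ipv6.disable=1.
cmdline_disables_ipv6() {   # $1 = contents of /proc/cmdline
    for tok in $1; do
        [ "$tok" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Print "iface value" for every disable_ipv6 flag under $root/proc/sys and
# return 0 only if all of them are 1. $1 = filesystem root ("" on a live host;
# a fake tree in tests). When the ipv6 module is not loaded at all (which is
# what ipv6.disable=1 produces) the directory is absent and that counts as off.
ipv6_disable_state() {
    root=${1:-}
    if [ ! -d "$root/proc/sys/net/ipv6" ]; then
        echo "no $root/proc/sys/net/ipv6: IPv6 stack not present"
        return 0
    fi
    found=0; all_off=0
    for f in "$root"/proc/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -r "$f" ] || continue
        found=1
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        echo "$iface $val"
        [ "$val" = "1" ] || all_off=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no disable_ipv6 flags found under $root/proc/sys/net/ipv6"
        return 1
    fi
    return $all_off
}

# Overall verdict: 0 when IPv6 is off by boot option or on every interface.
verify_ipv6_disabled() {   # $1 = kernel cmdline string, $2 = root for /proc
    if cmdline_disables_ipv6 "$1"; then
        echo "boot: ipv6.disable=1 present"
        return 0
    fi
    echo "boot: ipv6.disable=1 NOT present, check for typos in: $1"
    ipv6_disable_state "$2"
}

# Live use: verify_ipv6_disabled "$(cat /proc/cmdline)" ""
```

Remember that `net.ipv6.conf.*.disable_ipv6` only covers interfaces present when sysctl ran; a bridge or tap created later inherits `default.disable_ipv6`, which is why the staff post sets both `all` and `default`.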

Michel V

Member
Jul 5, 2018
But... looking at this website forum, wiki and the www website... only on IPv4. Is Proxmox also still advocating old technology ;)?
 
Jan 12, 2015
As I understand it (and I may be completely confused), as I followed IPv6 adoption over the past decade I saw this:
* It sounded great at first, but carriers took too long to adopt it. Killed the momentum.
* The added complexity of the addressing scheme is a big WTF scaring people away from it.
* 6to4 NAT at the edge got worked out, so adoption in the LAN is pointless now.
* IoT put another nail in IPv6 (public route to devices on the LAN) since manufacturers can't do simple device security.

Additionally, it's extra work to have IPv6 in Proxmox since everything I do is in IPv4 land. All it does is open up attack surface for RPC services and other listening daemons, because now I have to configure TWO FIREWALLS instead of just an IPv4 one. This goes for both LAN and DMZ servers. There's just no point to it. Why would anyone, outside of the NOC, really need IPv6 now?

PS: Not saying this is anything against Proxmox. I have been running several licensed servers for years and it's really a flawless product in comparison to some of the other options out there. I just find the IPv6 requirement maddening when it doesn't fit my use case.
 

Michel V

Member
Jul 5, 2018
6to4, two firewalls... oh my.
Well, even the top guys think that 4 will exist for a long time next to 6, so nobody will win this battle soon ;)

Some inspiration:
https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html
https://serverfault.com/questions/894488/how-bad-is-ipv4-address-exhaustion-really

and the stats
https://www.ripe.net/publications/ipv6-info-centre/about-ipv6/ipv4-exhaustion/ipv4-available-pool

Any response from Proxmox why their sites are not on IPv6?
 
