I'll never use IPv6 and want to disable it completely. I don't like having rpcbind or ssh running on both v4 and v6. I've tried disabling using sysctl but getting errors in the logs from pve-firewall: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. Is there a guide anywhere on how to go about removing v6 support?
There is no need to disable IPV6 as long as you have no sluggish ipv6 connectivity. Just let the system jobs do its work.
Unfortunately, that answer won't survive a security audit. I need to prove that the listening services bound to ipv6 interfaces are properly firewalled. I do not know much about ipv6 but these services appear wide open. Am I misundestanding? # ip6tables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination tcp6 0 0 :::5666 :::* LISTEN 109 14970 2142/nrpe off (0.00/0/0) tcp6 0 0 :::56810 :::* LISTEN 104 18672 1929/rpc.statd off (0.00/0/0) tcp6 0 0 :::111 :::* LISTEN 0 7931 1919/rpcbind off (0.00/0/0) tcp6 0 0 :::22 :::* LISTEN 0 15839 2350/sshd off (0.00/0/0) udp6 0 0 :::49454 :::* 104 18670 1929/rpc.statd off (0.00/0/0) udp6 0 0 :::111 :::* 0 7929 1919/rpcbind off (0.00/0/0) udp6 0 0 ::1:123 :::* 0 26729 2287/ntpd off (0.00/0/0) udp6 0 0 :::123 :::* 0 16870 2287/ntpd off (0.00/0/0) udp6 0 0 :::812 :::* 0 7930 1919/rpcbind off (0.00/0/0)
First off: As long as you don't have RA's sent from router you will only have link local IPV6 adresses. They look like: inet6-Adresse: fe80::......... A real IPV6 adress will start with 2xxx::....... A security auditor should know that, or he/she is not worth his money. if you have to protect against machines in same network, you can firewall ipv6 of course too, but the network segment in which your hosts run should be trusted anyway. Second: did you ever hear that IPV4 address range is a rare resource nowadays? So engage in IPV6 before its too late for you and your company
For completeness' sake: You can add `net.ipv6.conf.all.disable_ipv6=1` and `net.ipv6.conf.default.disable_ipv6=1` to /etc/sysctl.conf. (You can apply that to a running system via the `sysctl` command as well, but for the sake of not confusing running services I'd recommend restarting them afterwards.) This still allows selectively enabling ipv6 on certain interfaces. Alternatively you can add `ipv6.disable=1` to your kernel boot options and reboot, to disable it entirely. But a much better solution is to configure & firewall it properly (IPv6 by definition and by all "standards" comes with horrible defaults such as autoconfiguration and accepting routing advertisements - if you can't trust your LAN (and note that VMs are usually part of that) you'll want to disable those).
@wbumiller I have tried `ipv6.disable=1` but it does not seem to work. This the boot line from same machine above: # cat /proc/cmdline BOOT_IMAGE=/boot/vmlinuz-4.4.98-6-pve root=/dev/mapper/pve-root ro ipv6.disble=1 vga=791 fsck.mode=force pti=on I have made both the boot line modification as well as the `net.ipv6.conf.*` edits to `sysctl.conf`. These result in the message logs filling up with the `ip6tables-restore` messages in the OP. How can these messages be prevented? @Klaus Steinberger Network segments are inherently untrusted by nature. Malicious software can backdoor a device, users can install access points or download accidental trojans. These provide a point of entry for network based attacks. This is why it's important to firewall un-needed services (or disable them completley) and if possible trigger a firewall alert for a NIDs system to provide a log/alert of the event. In a home network, you may not want all of this and that is your choice. In corporate settings, there are security policies which must be adhered to and dictate how a machine is provisioned. Yes, ipv4 has run it's course however many institutions use something called iPv4/IPv6 translation. This allows an edge to use IPv6 to talk on the Internet, but then uses Network Address Translation to "rewrite" the network packet into an IPv4 packet so private networks behind the edge can still use IPv4. This is why IPv4 is still relevant.
Ah yes, we currently don't support a failing ip6tables-restore. That would need to be added to the firewall code. In the mean time you could possibly replace the file with dummy I guess...
@wbumiller - Ah, nice catch on "disable"! I must have looked at it 20 times... Considering the message log errors, its likely a better option to firewall the v6 instead of maintaining modifications across system upgrades. Thanks for your time
@jimmyjoe Shouldn't you rather go the other way and turn IPv4 off? Really don't get the arguments against IPv6...
But... looking at this website forum. wiki and the www website... only in IPv4. Is Proxmox also still advocating old technology ?
As I understand it, and I may be completely confused, but as I followed IPv6 adoption over the past decade I saw this: * It sounded great at first but carriers took too long to adopt it. Killed the momentum. * The added complexity of the addressing scheme is a big WTF scaring people away from it * 6to4 NAT at the edge got worked out so adoption in the LAN is pointless now * IOT put another nail in IPv6 (public route to devices on the LAN) since manufacturers can't do simple device security Additionally, it's extra work to have IPv6 in Proxmox since everything I do is in IPv4 land. All it does is open up attack services for rpc services and other listening daemons because now I have to configure TWO FIREWALLS instead of just an IPv4. This goes for both LAN and DMZ servers. There's just no point to it. Why would anyone, outside of the NOC, really need IPv6 now? PS: Not saying this is anything against Proxmox. I have been running several licensed servers for years and it's really a flawless product in comparison to some of the other options out there. I just find the IPv6 requirement maddening when it doesn't fit my use case.
6to4, two firewalls... oh my. Well, even the topguys think that 4 will exist for a long time next to 6, so nobody will win this battle soon Some inspiration: https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html https://serverfault.com/questions/894488/how-bad-is-ipv4-address-exhaustion-really and the stats https://www.ripe.net/publications/ipv6-info-centre/about-ipv6/ipv4-exhaustion/ipv4-available-pool Any response from Proxmox why their sites are not on IPv6?
