Re: 2.6.9-1.11_FC2smp IPv6 issue

From: Michael H. Warfield (mhw_at_wittsend.com)
Date: 02/07/05

    To: For users of Fedora Core releases <fedora-list@redhat.com>
    Date: Sun, 06 Feb 2005 21:54:09 -0500

    On Sun, 2005-02-06 at 19:36 +0000, John Logsdon wrote:
    > Hi
    >
    > I downloaded 2.6.9-1.11_FC2smp in early January but have only just tried
    > it. Previously the box was in FC2 but using various bespoke 2.4 kernels
    > although 2.6.8-1.521smp had been used without problem.
    >
    > Booting this kernel has switched sshd into dual-listen mode so that all IP
    > numbers are reported as ::ffff:n.n.n.n. This makes a monkey of my BF
    > protection as the apf firewall doesn't parse it correctly. When I boot
    > back into 2.4, sshd mode is retained in dual-listen, despite being dropped
    > on bootup.
    >
    > I have explicitly switched ipv6 off in /etc/sysconfig/network but this
    > problem is still there. (NETWORKING_IPV6=no). IPV6 is enabled in the 2.4
    > kernel by modules but none of them are loaded.

            IPv6 in FC2 and FC3 is on purely by accident. It's not being loaded
    because NETWORKING_IPV6 is enabled, in fact it's not, but rather because
    some application, early on, made explicit reference to PF_INET6 which
    caused the kernel to modload net-pf-10. You have to disable it in
    modules.conf by aliasing net-pf-10 off. Real thing about having
    "NETWORKING_IPV6=no" is that it IS enabled, it's just NOT properly
    configured. So you pays your nickel and you takes your chance. :-(
    You're better off setting it to "=yes" and setting it up properly.

    > Can someone tell me please how do I stop sshd from working in dual-listen
    > mode?

            Adding -4 to /etc/sysconfig/sshd should do the trick, or disabling
    IPv6. Or fix your access codes to support both, which is pretty
    trivial, just add the compatibility addresses. IPv6 is ubiquitous at
    this point anyways. You can get at it from ANYWHERE on the Internet
    (and people on IPv6 can get at you). Might as well get used to it and
    use it to your advantage (before others use it to their advantage
    against you).

            Hell! I configure ALL of my SSH to listen on IPv6 and then block ALL
    access to port 22 from IPv4! I can get back to them from anywhere on
    the IPv4 internet, no problem. Firewalls aren't even a problem (IPv6
    over UDP). Worms/viruses/snot-noses can't scan IPv6 and I can get at
    the IPv6 ports from anywhere you can get at IPv4 from. Use 6to4 if you
    want, I have servers which change their 6to4 address every 15 minutes
    and update my DNS zone, so I can always find and get to the address, but
    it still can't be scanned for (scanning 65,536 * 4 billion * 4 billion
    possible addresses for a given IPv4 address is NOT practical and ICMP
    errors return from ::1 which is blocked). Don't want to use 6to4, there
    are lots of free tunnels available for static IPv6 addresses even if you
    are on dynamic IPv4 address space. Provider blocking port 80 or port
    25? No problem. Jerk off providers have no clue that IPv6 is
    permeating their networks and they don't even see it. DSL provider I
    use blocks both inbound and outbound port 25 (and I agree with their
    policy due to the technotards who get infected with MSTDs - MicroSoft
    Transmitted Diseases). Doesn't stop me. Doesn't even slow me down. I
    got port 25 inbound and outbound just fine. All my E-Mail comes in on
    port 25 over IPv6 and all my outbound goes out that way. Hey! They
    don't support it? No problem. Doesn't mean they don't have it. Just
    means they don't control it. No rules, just right... IPv6 works for
    me.

    > TIA

    > John

    > John Logsdon "Try to make things as simple
    > Quantex Research Ltd, Manchester UK as possible but not simpler"
    > j.logsdon@quantex-research.com a.einstein@relativity.org
    > +44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com

            Regards,
            Mike

    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com  
      /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
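
The `::ffff:n.n.n.n` reporting discussed in this thread breaks brute-force counters that key on the literal address string, because one IPv4 peer can appear under two spellings. The following is an added example, not code from the thread or from apf: it collapses IPv4-mapped addresses to their dotted-quad form before counting failed logins. The log lines are constructed, the `Failed password ... from ADDR port N` layout is assumed to be the usual OpenSSH format, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines using documentation addresses (not from the thread).
SAMPLE_LOG = """\
Feb  6 19:01:02 host sshd[411]: Failed password for root from ::ffff:192.0.2.10 port 40001 ssh2
Feb  6 19:01:05 host sshd[412]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb  6 19:01:09 host sshd[413]: Failed password for invalid user test from ::ffff:192.0.2.10 port 40003 ssh2
Feb  6 19:02:00 host sshd[420]: Failed password for admin from 2001:db8::5 port 51000 ssh2
Feb  6 19:02:30 host sshd[421]: Accepted publickey for mike from ::ffff:198.51.100.7 port 52000 ssh2
"""

# Assumed OpenSSH message layout; captures the peer address only.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def normalize(addr: str) -> str:
    """Return one canonical key per peer.

    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) becomes a.b.c.d, so a
    dual-listening sshd and an IPv4-only sshd produce the same key.
    Native IPv6 addresses are returned in compressed lowercase form.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def failed_sources(log_text: str, threshold: int = 3) -> dict:
    """Count failed password attempts per normalized source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            counts[normalize(match.group(1))] += 1
        except ValueError:
            continue  # token after "from" was not an IP address
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_sources(SAMPLE_LOG))
```

Without the normalization step the sample would split the same peer into two counters (2 and 1) and neither would reach the threshold of 3.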
    
    

    
    
