Re: 2.6.9-1.11_FC2smp IPv6 issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2005-02-06 at 19:36 +0000, John Logsdon wrote:
> Hi
> 
> I downloaded 2.6.9-1.11_FC2smp in early January but have only just tried
> it.  Previously the box was in FC2 but using various bespoke 2.4 kernels
> although 2.6.8-1.521smp had been used without problem.
> 
> Booting this kernel has switched sshd into dual-listen mode so that all IP
> numbers are reported as ::ffff:n.n.n.n.  This makes a monkey of my BF
> protection as the apf firewall doesn't parse it correctly. When I boot
> back into 2.4, sshd mode is retained in dual-listen, despite being dropped
> on bootup.
> 
> I have explicitly switched ipv6 off in /etc/sysconfig/network but this
> problem is still there. (NETWORKING_IPV6=no).  IPV6 is enabled in the 2.4
> kernel by modules but none of them are loaded.

	IPv6 in FC2 and FC3 are on purely by accident.  It's not being loaded
because NETWORKING_IPV6 is enabled, in fact it's not, but rather because
some application, early on, made explicit reference to PF_INET6 which
caused the kernel to modload net-pf-10.  You have to disable it in
modules.conf by aliasing net-pf-10 off.  Real thing about having
"NETWORKING_IPv6=no" is that it IS enabled, it just NOT properly
configured.  So you pays your nickel and you takes your chance.  :-(
You're better off setting it to "=yes" and setting it up properly.

> Can someone tell me please how do I stop sshd from working in dual-listen
> mode?

	Adding -4 to /etc/sysconfig/sshd should do the trick, or disabling
IPv6.  Or fix your access codes to support both, which is pretty
trivial, just add the compatibility addresses.  IPv6 is ubiquitous at
this point anyways.  You can get at it from ANYWHERE on the Internet
(and people on IPv6 can get at you).  Might as well get use to it and
use it to your advantage (before others use it to their advantage
against you).

	Hell!  I configure ALL of my SSH to listen on IPv6 and then block ALL
access to port 22 from IPv4!  I can get back to them from anywhere on
the IPv4 internet, no problem.  Firewalls aren't even a problem (IPv6
over UDP).  Worms/viruses/snot-noses can't scan IPv6 and I can get at
the IPv6 ports from anywhere you can get at IPv4 from.  Use 6to4 if you
want, I have servers which change their 6to4 address every 15 minutes
and update my DNS zone, so I can always find and get to the address, but
it still can't be scanned for (scanning 65,536 * 4 billion * 4 billion
possible addresses for a given IPv4 address is NOT practical and ICMP
errors return from ::1 which is blocked).  Don't want to use 6to4, there
are lots of free tunnels available for static IPv6 addresses even if you
are on dynamic IPv4 address space.  Provider blocking port 80 or port
25?  No problem.  Jerk off providers have no clue that IPv6 is
permeating their networks and they don't even see it.  DSL provider I
use blocks both inbound and outbound port 25 (and I agree with their
policy due to the technotards who get infected with MSTDs - MicroSoft
Transmitted Diseases).  Doesn't stop me.  Doesn't even slow me down.  I
got port 25 inbound and outbound just fine.  All my E-Mail comes in on
port 25 over IPv6 and all my outbound goes out that way.  Hey!  They
don't support it?  No problem.  Doesn't mean they don't have it.  Just
means they don't control it.  No rules, just right...  IPv6 works for
me.

> TIA

> John

> John Logsdon                               "Try to make things as simple
> Quantex Research Ltd, Manchester UK         as possible but not simpler"
> j.logsdon@xxxxxxxxxxxxxxxxxxxx              a.einstein@xxxxxxxxxxxxxx
> +44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com

	Regards,
	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux