On Sun, 2005-02-06 at 19:36 +0000, John Logsdon wrote:
> Hi
>
> I downloaded 2.6.9-1.11_FC2smp in early January but have only just tried
> it. Previously the box was in FC2 but using various bespoke 2.4 kernels
> although 2.6.8-1.521smp had been used without problem.
>
> Booting this kernel has switched sshd into dual-listen mode so that all IP
> numbers are reported as ::ffff:n.n.n.n. This makes a monkey of my BF
> protection as the apf firewall doesn't parse it correctly. When I boot
> back into 2.4, sshd mode is retained in dual-listen, despite being dropped
> on bootup.
>
> I have explicitly switched ipv6 off in /etc/sysconfig/network but this
> problem is still there. (NETWORKING_IPV6=no). IPV6 is enabled in the 2.4
> kernel by modules but none of them are loaded.

IPv6 in FC2 and FC3 is on purely by accident. It's not being loaded because NETWORKING_IPV6 is enabled, in fact it's not, but rather because some application, early on, made explicit reference to PF_INET6 which caused the kernel to modload net-pf-10. You have to disable it in modules.conf by aliasing net-pf-10 off.

Real thing about having "NETWORKING_IPv6=no" is that it IS enabled, it's just NOT properly configured. So you pays your nickel and you takes your chance. :-( You're better off setting it to "=yes" and setting it up properly.

> Can someone tell me please how do I stop sshd from working in dual-listen
> mode?

Adding -4 to /etc/sysconfig/sshd should do the trick, or disabling IPv6. Or fix your access codes to support both, which is pretty trivial, just add the compatibility addresses.

IPv6 is ubiquitous at this point anyways. You can get at it from ANYWHERE on the Internet (and people on IPv6 can get at you). Might as well get used to it and use it to your advantage (before others use it to their advantage against you).

Hell! I configure ALL of my SSH to listen on IPv6 and then block ALL access to port 22 from IPv4! I can get back to them from anywhere on the IPv4 internet, no problem. Firewalls aren't even a problem (IPv6 over UDP). Worms/viruses/snot-noses can't scan IPv6 and I can get at the IPv6 ports from anywhere you can get at IPv4 from. Use 6to4 if you want, I have servers which change their 6to4 address every 15 minutes and update my DNS zone, so I can always find and get to the address, but it still can't be scanned for (scanning 65,536 * 4 billion * 4 billion possible addresses for a given IPv4 address is NOT practical and ICMP errors return from ::1 which is blocked). Don't want to use 6to4, there are lots of free tunnels available for static IPv6 addresses even if you are on dynamic IPv4 address space.

Provider blocking port 80 or port 25? No problem. Jerk off providers have no clue that IPv6 is permeating their networks and they don't even see it. DSL provider I use blocks both inbound and outbound port 25 (and I agree with their policy due to the technotards who get infected with MSTDs - MicroSoft Transmitted Diseases). Doesn't stop me. Doesn't even slow me down. I got port 25 inbound and outbound just fine. All my E-Mail comes in on port 25 over IPv6 and all my outbound goes out that way. Hey! They don't support it? No problem. Doesn't mean they don't have it. Just means they don't control it. No rules, just right...

IPv6 works for me.

> TIA
> John
>
> John Logsdon                  "Try to make things as simple
> Quantex Research Ltd, Manchester UK   as possible but not simpler"
> j.logsdon@xxxxxxxxxxxxxxxxxxxx        a.einstein@xxxxxxxxxxxxxx
> +44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com

Regards,
Mike
--
Michael H. Warfield    |  (770) 985-6132  |  mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/        |  (678) 463-0932  |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!