Disabling ipv6

BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Hi,

I had ipv6 disabled but only via:

vi /etc/sysconfig/network
       NETWORKING_IPV6=no

Because of another thread, Scott's post caught my attention and I disabled it via:

vi /etc/modprobe.conf
       install ipv6 /bin/true

vi /etc/sysconfig/network
       NETWORKING_IPV6=no
       IPV6INIT=no

and rebooted.
During boot this showed up:
ip6t_REJECT: Unknown symbol ip6_local_out
ip6t_REJECT: Unknown symbol ip6_route_output
ip6t_REJECT: Unknown symbol icmpv6_send
nf_conntrack_ipv6: Unknown symbol ip6_frag_match
nf_conntrack_ipv6: Unknown symbol nf_ip6_checksum
nf_conntrack_ipv6: Unknown symbol ip6_frag_init
nf_conntrack_ipv6: Unknown symbol inet6_hash_frag
Anything I have to do or is it good like that?
Thanks a lot
arifa
New Forum User
Posts: 2
Joined: Sun Apr 11, 2010 5:54 am

You didn't write which distro you are using. I'll assume it is RHEL or CentOS 8)

You can disable IPv6 easily in 2 locations:

first in /etc/sysconfig/network (as you did already):
NETWORKING_IPV6=no

and second in /etc/modprobe.conf:
alias net-pf-10 off
(that's doing the trick)

And don't forget to disable ip6tables (for example, run the ntsysv command and uncheck it) - it wipes these errors during boot.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Thanks, I will give it a try the next time I need to boot.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

You could check it now. If ip6tables (the IPv6-aware version of iptables) is configured to start on boot, but IPv6 is disabled, then yeah, that will throw some error messages. I'm pretty sure you don't want/expect ip6tables to start if you've disabled IPv6 networking.
Lemonbit Internet Dedicated Server Management
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Thanks breun.

I disabled ip6tables first and made all the settings (except alias net-pf-10 off).
But the bootup ipv6 errors stayed the same. So that's not all that needs to be done.
According to arifa's post I have searched through the net and found a Red Hat KB:
http://kbase.redhat.com/faq/docs/DOC-8711

So the next time I have to boot I will give it a try.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Did you ever get a chance to try it?
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Yes, but since CentOS 5.5 I had to follow the wiki:
http://wiki.centos.org/FAQ/CentOS5#head ... 366b421dc4
Done that:

Edit /etc/sysconfig/network and set "NETWORKING_IPV6" to "no"
Add the following to /etc/modprobe.conf :

alias ipv6 off
alias net-pf-10 off

Run /sbin/chkconfig ip6tables off to disable the IPv6 firewall

touch /etc/modprobe.d/disable-ipv6
echo "install ipv6 /bin/true" >> /etc/modprobe.d/disable-ipv6

Reboot the system
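
A way to verify the steps listed in the post above without rebooting, as an added example that is not from the poster or the CentOS wiki: it checks each setting under a root prefix and counts the ones that are missing. The function names, the ROOT argument and the two extra checks (rc symlinks for ip6tables, /proc/net/if_inet6 as the sign of a loaded IPv6 stack) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audits the settings from the post above under a root prefix.
# ROOT is an assumption of this example ("" or "/" means the live system).

# has_line REGEX FILE...: true if any existing FILE has a full line matching
# REGEX (surrounding whitespace and a trailing "# comment" are tolerated).
has_line() {
    re=$1; shift
    for f in "$@"; do
        [ -f "$f" ] && grep -Eq "^[[:space:]]*${re}[[:space:]]*(#.*)?\$" "$f" && return 0
    done
    return 1
}

# none_exist PATH...: true if no argument names an existing file or symlink
none_exist() {
    for f in "$@"; do
        if [ -e "$f" ] || [ -L "$f" ]; then return 1; fi
    done
    return 0
}

# check DESCRIPTION COMMAND...: run COMMAND, print PASS/FAIL, count failures
check() {
    desc=$1; shift
    if "$@"; then echo "PASS  $desc"
    else echo "FAIL  $desc"; fails=$((fails + 1))
    fi
}

# check_ipv6_disabled ROOT: returns the number of failed checks (0 = all ok)
check_ipv6_disabled() {
    root=${1:-}; root=${root%/}; fails=0; sp='[[:space:]]+'
    # modprobe reads modprobe.conf and every file in modprobe.d
    set -- "$root/etc/modprobe.conf" "$root"/etc/modprobe.d/*
    check 'NETWORKING_IPV6=no' has_line 'NETWORKING_IPV6="?no"?' "$root/etc/sysconfig/network"
    check 'alias ipv6 off' has_line "alias${sp}ipv6${sp}off" "$@"
    check 'alias net-pf-10 off' has_line "alias${sp}net-pf-10${sp}off" "$@"
    check 'install ipv6 /bin/true' has_line "install${sp}ipv6${sp}/bin/true" "$@"
    check 'ip6tables off in runlevels 2-5' none_exist "$root"/etc/rc.d/rc[2-5].d/S[0-9][0-9]ip6tables
    check 'ipv6 module not loaded' none_exist "$root/proc/net/if_inet6"
    return "$fails"
}
```

Run `check_ipv6_disabled /` on the host itself, or point it at a copy of the configuration tree.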
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

I've done all of the above and still get

ip6t_REJECT: Unknown symbol ip6_local_out
ip6t_REJECT: Unknown symbol ip6_route_output
ip6t_REJECT: Unknown symbol icmpv6_send
nf_conntrack_ipv6: Unknown symbol ip6_frag_match
nf_conntrack_ipv6: Unknown symbol nf_ip6_checksum
nf_conntrack_ipv6: Unknown symbol ip6_frag_init
nf_conntrack_ipv6: Unknown symbol inet6_hash_frag
at startup with 2.6.32.13-2
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Hmm, I don't know. It works on my system but I'm still using kernel 2.6.32.8-1
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

I wonder if this mentioned auto-loading of modules has anything to do with being unable to turn IPv6 off?
mdtiberi
Forum Regular
Posts: 124
Joined: Thu Jan 17, 2008 5:48 pm

I have read through the posts and get that IPV6 enabled presents issues for net-pf-10. I have done all of the suggestions to turn IPV6 off, however, I still get the following:

grsec: denied kernel module auto-load of net-pf-10 by /usr/bin/spamassassin[spamassassin:26971] uid/euid:506/506 gid/egid:503/503, parent /usr/bin/procmail[procmail:26970] uid/euid:506/506 gid/egid:503/503

Does this mean that spamassassin is checking IPV6?

There is an option of --ipv4only when executing spamd in daemon mode but I am not sure what file I need to add it to.

Thanks folks.
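
net-pf-10 is the module alias for protocol family 10 (AF_INET6), so each grsec line of the kind quoted in the post above names a program that tried to open an IPv6 socket. The following added example (not from any poster in this thread) tallies those denials per program and separates out denials for any other module; apart from the message body quoted above, the sample log lines, host name and timestamps are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: tally grsec module auto-load denials per requesting program.

# sample_log: constructed log lines; the first message body is the one quoted
# in the post above, everything else (timestamps, host, other lines) is made up.
sample_log() {
cat <<'EOF'
Jul  1 04:02:11 host1 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/bin/spamassassin[spamassassin:26971] uid/euid:506/506 gid/egid:503/503, parent /usr/bin/procmail[procmail:26970] uid/euid:506/506 gid/egid:503/503
Jul  1 04:07:45 host1 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/bin/spamassassin[spamassassin:27310] uid/euid:506/506 gid/egid:503/503, parent /usr/bin/procmail[procmail:27309] uid/euid:506/506 gid/egid:503/503
Jul  1 04:09:02 host1 kernel: grsec: denied kernel module auto-load of net-pf-10 by /usr/sbin/sendmail[sendmail:27400] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul  1 04:09:30 host1 sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50522 ssh2
Jul  1 04:11:17 host1 kernel: grsec: denied kernel module auto-load of net-pf-31 by /usr/bin/exampletool[exampletool:27512] uid/euid:500/500 gid/egid:500/500, parent /bin/bash[bash:27001] uid/euid:500/500 gid/egid:500/500
EOF
}

# summarize_autoload_denials: reads syslog text on stdin and prints
# "COUNT MODULE PROGRAM uid=UID parent=PARENT", most frequent first.
summarize_autoload_denials() {
    sed -nE 's/.*grsec: denied kernel module auto-load of ([^ ]+) by ([^[]+)\[[^]]*\] uid\/euid:([0-9]+)\/[0-9]+ .*parent ([^[]+)\[.*/\1 \2 uid=\3 parent=\4/p' |
    awk '{ n[$0]++ } END { for (k in n) print n[k], k }' |
    sort -k1,1nr -k2
}

# other_denials: auto-load denials for any module except net-pf-10, i.e. the
# lines that are not explained by IPv6 being switched off.
other_denials() {
    grep 'grsec: denied kernel module auto-load of ' |
    grep -v ' auto-load of net-pf-10 ' || true
}
```

Feed it the real log with, for example, `summarize_autoload_denials < /var/log/messages`; the programs at the top of the list are the ones to look at for an IPv4-only setting.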
webfeatus
Forum Regular
Posts: 196
Joined: Wed Jan 13, 2010 9:11 am
Location: Bali

Is this an acceptable single-step solution?

http://www.g-loaded.eu/2008/05/12/how-t ... nd-centos/
They say that good intentions, pave the road to hell;
If a thing is not worth doing, it's not worth doing well.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

webfeatus wrote: Is this an acceptable single-step solution?

http://www.g-loaded.eu/2008/05/12/how-t ... nd-centos/

Well, it might be for you, but it doesn't work for me... Since the new kernel at least...
DarkF@der
Forum Regular
Posts: 313
Joined: Thu May 07, 2009 12:46 pm

So did anyone get the solution to disable IPv6 on CentOS 5.5 and kernel 2.6.32.16-2.art.i686.PAE???

to get rid of the error messages??

grsec: denied kernel module auto-load of net-pf-10....... 

Greetz
webfeatus
Forum Regular
Posts: 196
Joined: Wed Jan 13, 2010 9:11 am
Location: Bali

There does not seem to be a reliable solution in this post.

I assume that one must be standing beside the console, anyway, in order to note some of the errors reported here. This is simply not possible for many of us. Am I incorrect in this understanding?

What are the options?

1. Receive OSSEC Notifications and wade through the huge number of warnings about this to discover the relevant security events?

2. Disable the ASL option to allow Kernel Module loading?

3. Somehow configure reporting to not send these warnings?

Obviously the best solution is to remove IPv6 if it is not required on the system, however I am not prepared to attempt any of the solutions offered here; not with my lack of knowledge and no onsite support.