Scientific Linux Forum.org




> How to CORRECTLY disable IPV6 in SL6
tux99
 Posted: Feb 1 2012, 10:04 PM
After having spent more than an hour fighting IPV6 that didn't want to die on a SL6 box despite trying all sorts of ways to disable it I finally found (on the Centos forum among loads of incorrect suggestions) the only (AFAIK) correct way that truly disables IPV6 on SL6 permanently:

add ipv6.disable=1 as a boot parameter to the kernel command line in /boot/grub/grub.conf

After that reboot.

This will generate the following message during boot:
CODE
IPv6: Loaded, but administratively disabled, reboot required to enable


You can check this with:
CODE
dmesg | grep -i ipv6


Credits to OneLoveAmaru from the Centos forum.

P.S: to check that IPV6 is really disabled 'ifconfig' is not enough, you need to use 'netstat -atnu' or 'lsof -i' because when IPV6 is not correctly disabled then you might not have IPV6 addresses configured, but daemons will still listen to the ::: (all interfaces) IPV6 address, for example ssh:

CODE
netstat -atnu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN


The only way that disables this is the one I mentioned above.


--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
AndrewSerk
 Posted: Feb 2 2012, 04:46 AM
Good post tux99, thank you.

To my surprise, even with ipv6.disable=1 added to the kernel line, I found that the module still loads, although it is not being used by anything now:

CODE
[root@localhost ~]# lsmod|grep ipv6
ipv6                  264641  0
[root@localhost ~]# modprobe -r ipv6
[root@localhost ~]# lsmod|grep ipv6
[root@localhost ~]#



Just a reminder for anyone doing this, you will have to add ipv6.disable=1 to the kernel line again after a kernel update/install.
joutlan
 Posted: Feb 2 2012, 07:59 AM
Thanks for the info guys....actually, I'm doing this now...


--------------------
DΞLL Precision M6700: 17 inch NB//i7-quad w/USB 3.0, 16.0GB, Quadro K5000M 2.0GB DDR3, RGBLED //W8P64/Scientific Linux 6.4 x64
DΞLL Vostro 3350 Nirvana: 13 inch NB w/ IntelSSD// W8Px64 (Work;Games)
Nexus 4 //Android
tux99
 Posted: Feb 2 2012, 09:47 AM
QUOTE (AndrewSerk @ Feb 2 2012, 05:46 AM)
Good post tux99, thank you.

To my surprise, even with ipv6.disable=1 added to the kernel line, I found that the module still loads, although it is not being used by anything now,


Yes that's correct, the ipv6 module is apparently so ingrained in RHEL6/SL6 these days that if you don't load it you would get all sorts of problems (this is what I read, I haven't tried it as there appears to be no clean persistent way to do that, short of deleting the kernel module file).

QUOTE (AndrewSerk @ Feb 2 2012, 05:46 AM)
Just a reminder for anyone doing this,  you will have to add ipv6.disable=1 to the kernel line again after a kernel update/install.


Good point, I haven't tried that yet, although I find that's a serious flaw of RHEL6/SL6 if that's true, on Mandriva Linux for example any customisations of the kernel parameters in grub.conf are automatically carried over for the new kernel when doing kernel upgrades. I'm surprised Redhat hasn't implemented this.


Nathan
 Posted: Feb 2 2012, 02:00 PM
I don't really know much about IPv4 and IPv6, anyone care to explain why you would want to disable IPv6?
tux99
 Posted: Feb 2 2012, 10:39 PM
QUOTE (Nathan @ Feb 2 2012, 03:00 PM)
I don't really know much about IPv4 and IPv6, anyone care to explain why you would want to disable IPv6?


Because if you have it enabled even though you don't use it, it can be a security risk and it can cause slowdowns.


Nathan
 Posted: Feb 3 2012, 12:04 AM
QUOTE (tux99 @ Feb 2 2012, 11:39 PM)
Because if you have it enabled even though you don't use it, it can be a security risk and it can cause slowdowns.

I see, guess I'll disable it then. Thanks for the explanation!
tux99
 Posted: Feb 9 2012, 11:09 PM
QUOTE (AndrewSerk @ Feb 2 2012, 05:46 AM)

Just a reminder for anyone doing this,  you will have to add ipv6.disable=1 to the kernel line again after a kernel update/install.


Just a brief update with regards to this: I'm glad (because it would have been a major nuisance otherwise) to say that the above statement is incorrect.

SL6 (and therefore presumably any RHEL6 clone) does carry over custom kernel parameters to the new kernel when installing updated kernel packages.

I just tested this on a box that still had the 2.6.32-220.2.1.el6 kernel and had "ipv6.disable=1" on the kernel line in grub.conf. After a "yum update" that installed the current 2.6.32-220.4.1.el6 kernel, the kernel line for the current kernel also contains the "ipv6.disable=1" parameter.

So custom kernel parameters in SL6 are persistent across kernel updates.


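The checks discussed in this thread, collected into one script as an added example (it is not code from any of the posters): it looks for ipv6.disable=1 on the running kernel's command line, lists grub.conf kernel entries that lack it (the kernel-update concern), and lists IPv6 TCP listeners, which netstat shows as :::22. The function names and the sample files built in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example. File arguments default to the live system paths.

# Succeeds if the kernel command line contains ipv6.disable=1.
cmdline_disables_ipv6() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qxF 'ipv6.disable=1'
}

# Print the kernel image of every grub.conf entry that lacks ipv6.disable=1.
grub_kernels_missing_param() {
    awk '$1 == "kernel" {
             ok = 0
             for (i = 3; i <= NF; i++) if ($i == "ipv6.disable=1") ok = 1
             if (!ok) print $2
         }' "${1:-/boot/grub/grub.conf}"
}

# Print decimal ports of IPv6 TCP sockets in LISTEN state (st column 0A).
# An unreadable or absent file yields no output.
ipv6_listen_ports() {
    f="${1:-/proc/net/tcp6}"
    [ -r "$f" ] || return 0
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$f" |
        while read -r hex; do printf '%d\n' "0x$hex"; done | sort -nu
}

# Run all three checks on constructed sample files (not the thread's machines).
demo() {
    d=$(mktemp -d) || return 1
    printf 'ro root=/dev/sda1 rhgb quiet\n' > "$d/cmdline"
    cat > "$d/grub.conf" <<'EOF'
title new kernel
        kernel /vmlinuz-NEW ro root=/dev/sda1 ipv6.disable=1
title old kernel
        kernel /vmlinuz-OLD ro root=/dev/sda1
EOF
    cat > "$d/tcp6" <<'EOF'
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000000000000:0019 00000000000000000000000000000000:0000 0A
   2: 00000000000000000000000000000000:8F2C 00000000000000000000000000000000:0016 01
EOF
    cmdline_disables_ipv6 "$d/cmdline" || echo "running kernel: ipv6.disable=1 NOT set"
    echo "grub entries missing the parameter: $(grub_kernels_missing_param "$d/grub.conf")"
    echo "IPv6 listening ports: $(ipv6_listen_ports "$d/tcp6" | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```
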
AndrewSerk
 Posted: Feb 10 2012, 04:34 AM
Thanks for the correction tux99,

I was not sure if the custom settings would transfer with the stock kernel. Thanks for clearing that up. To my surprise, the custom setting transferred over when I built/installed the 3.2.5 kernel also.


So good news!
synflag
 Posted: Feb 11 2012, 07:11 AM
Disabling ipv6 on the cmdline works, but after a reboot the module loads again.
I investigated this and asked the #rhel people on freenode; they told me that in RHEL6.x ipv6 is ingrained in the kernel and bonding depends on that module, so modprobe -r ipv6 is not the correct way. The correct way is described in the CentOS wiki, and it works: it disables ipv6 support completely, but the module is necessary:

From the CentOS wiki and confirmed by the #rhel people:

Add net.ipv6.conf.all.disable_ipv6 = 1 to sysctl.conf, because:

Upstream employee Daniel Walsh recommends not disabling the ipv6 module, as that can cause issues with SELinux and other components. Reference:

bugzilla ipv6

Greets


--------------------
AMD Phenom x4 945 3.0Ghz - 8Gb Ram DDR3-1600 GSKILL RIPJAWS - 2 HDD 500GB WD SATAII - Thermaltake Toughpower 700 - Thermaltake V9 Black - LG LED 19" // Windows 7 Ultimate x86_64 (for games only), Fedora 16 x86_64
-------------------------------------------------------------------------------------------------------------------------------
Lenovo Thinkpad T400 Intel P8600 - 500GB SATAII - 4GB DDR3-1066 // SL6.2, Windows 7 Ultimate x86_64 (games and security test)
tux99
 Posted: Feb 11 2012, 09:02 AM
QUOTE (synflag @ Feb 11 2012, 08:11 AM)
Disabling ipv6 on the cmdline works, but after a reboot the module loads again.
I investigated this and asked the #rhel people on freenode; they told me that in RHEL6.x ipv6 is ingrained in the kernel and bonding depends on that module, so modprobe -r ipv6 is not the correct way,

I'm not suggesting that, in fact I said so myself that the module should not be prevented from loading.

Using the ipv6.disable=1 kernel parameter (as I suggested in the first post of this thread) does not prevent the ipv6 kernel module from being loaded, but it completely deactivates it (even though it's loaded).

QUOTE (synflag @ Feb 11 2012, 08:11 AM)

Add net.ipv6.conf.all.disable_ipv6 = 1 to sysctl.conf, because:


Unfortunately in my experience this method does not work, I tried it and I still had daemons listening on the :::* (all interfaces) IPV6 address.

The SELinux errors in that bug report are due to a configuration mistake by the admin who made the bug report, when disabling the ipv6 module in modprobe.d he needed to also disable the net-pf-10 module. (but anyway disabling ipv6 via modprobe.d doesn't work so it's wrong in any case).


doublejoon
 Posted: Mar 22 2012, 02:11 PM
This is what I do to disable it

Create this file /etc/modprobe.d/ipv6.conf

Edit with the following
CODE
install ipv6 /bin/true

Taken from the NSA RHEL security guide


Now the "ipv6" module never loads at boot

And of course in the /etc/sysconfig/network-scripts/ifcfg-ethx file
CODE
IPV6INIT=no

tux99
 Posted: Mar 22 2012, 03:58 PM
QUOTE (doublejoon @ Mar 22 2012, 03:11 PM)
This is what I do to disable it


If you are using SL6 (as opposed to SL5) then, as has been said earlier, preventing the module from loading can cause problems. It's best to let it load but disable it as explained in the OP.


doublejoon
 Posted: Mar 22 2012, 06:16 PM
QUOTE
If you are using SL6 (as opposed to SL5) then as had been said earlier preventing the module from loading can cause problems. It's best to let it load but disable it as explained in the OP.


I can now confirm that removing the ipv6 module at boot can cause autonegotiation problems for gigE NICs.
Now I see why 2 of our RHEL6 production boxes autoneg to 100Mb/s.

I removed the /etc/modprobe.d/ipv6.conf file

modprobe ipv6
and added to sysctl.conf as suggested
net.ipv6.conf.all.disable_ipv6 = 1

Problem fixed

I never suspected the absence of the "ipv6" would cause my problem.
Thank you for reiterating that this can cause issues!!

CODE
ethtool em1
Settings for em1:
Supported ports: [ TP ]
Supported link modes:   10baseT/Half 10baseT/Full
                        100baseT/Half 100baseT/Full
                        1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
                        100baseT/Half 100baseT/Full
                        1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
MDI-X: Unknown
Supports Wake-on: g
Wake-on: d
Link detected: yes




log69
 Posted: Mar 22 2012, 07:55 PM
QUOTE (tux99 @ Feb 2 2012, 10:47 AM)
...although I find that's a serious flaw of RHEL6/SL6 if that's true, on Mandriva Linux for example any customisations of the kernel parameters in grub.conf are automatically carried over for the new kernel when doing kernel upgrades. I'm surprised Redhat hasn't implemented this.


SL does carry over the custom kernel parameters. I have "elevator=deadline" and though I spent a day searching for a default setting in grub 1 for this, I realized the system takes care of my custom parameter and after a kernel upgrade it was there again.
tbsky
 Posted: Mar 27 2012, 03:11 AM
Hi:
I also used /etc/modprobe.d/ipv6.conf to disable ipv6 for a long time, and with SL6 I still use this method, but I didn't notice any problem.

I checked all my servers with gigE and they are fine. I also disabled all the "fancy" things like selinux and zeroconf.

The only problem I see is that some software like postfix asks for ipv6 because the default configuration of SL6 includes the ipv6 configuration. Most of them can be configured to use ipv4 only.

Anyway, the information is useful. If someday I get a network problem I will try to enable ipv6, although that is very strange I think.


QUOTE (doublejoon @ Mar 23 2012, 02:16 AM)
QUOTE
If you are using SL6 (as opposed to SL5) then as had been said earlier preventing the module from loading can cause problems. It's best to let it load but disable it as explained in the OP.


I can now confirm that removing the ipv6 module at boot can cause autonegotiation problems for gigE NICs.
Now I see why 2 of our RHEL6 production boxes autoneg to 100Mb/s.

I removed the /etc/modprobe.d/ipv6.conf file

modprobe ipv6
and added to sysctl.conf as suggested
net.ipv6.conf.all.disable_ipv6 = 1

Problem fixed

I never suspected the absence of the "ipv6" would cause my problem.
Thank you for reiterating that this can cause issues!!
