
Re: Disabling IPv6 and other networking protocols: Best Practice?



On Tuesday 07 August 2012 wrote Andrej Kacian:
> On Tue, 7 Aug 2012 19:08:14 +0200
>
> Michael Fladerer <fladerer@fnb.tu-darmstadt.de> wrote:
> >On Tue Aug 07, 2012 at 17:09:50 +0100, Laurie Mercer wrote:
> >> I would like to disable IPv6, and some transport layer protocols, RDS,
> >> TIPC etc
> >>
> >> However I am unsure of the best practice in doing this.
> >>
> >> So far I am disabling IPv6 using the sysctl command:
> >>
> >> sysctl -w net.ipv6.conf.all.disable_ipv6=1
> >> sysctl -w net.ipv6.conf.default.disable_ipv6=1
> >>
> >> Then, making sure it is disabled in perpetuity by editing
> >> /etc/sysctl.conf to include the following lines:
> >>
> >> net.ipv6.conf.all.disable_ipv6 = 1
> >> net.ipv6.conf.default.disable_ipv6 = 1
> >
> >I'd say that's the way to go, at least for in-kernel drivers/interfaces.
> >AFAIK blacklisting isn't possible here.
>
> You could also pass ipv6.disable=1 on kernel command line during boot to
> disable IPv6 support completely (there was some bug where disabling above
> sysctl parameters did not actually disable IPv6 support for given interface
> - not sure if it's still current).

We run with a custom kernel that does not have IPv6 built in and met some
weird problems with services expecting IPv6. E.g. https access through squid3
breaks without it, unless you explicitly tell Squid to bind to an IPv4 address
with "tcp_outgoing_address 0.0.0.0". My colleague also had other problems, I
think he mentioned ssh, too. So better be prepared for strange side effects.

Amon Ott
-- 
Dr. Amon Ott
m-privacy GmbH           Tel: +49 30 24342334
Am Köllnischen Park 1    Fax: +49 30 24342336
10179 Berlin             http://www.m-privacy.de

Amtsgericht Charlottenburg, HRB 84946

Managing directors:
 Dipl.-Kfm. Holger Maczkowsky,
 Roman Maczkowsky

GnuPG-Key-ID: 0x2DD3A649
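
The following is an added example, not part of any message in this thread: a small audit of the two persistent mechanisms discussed above (the disable_ipv6 lines in /etc/sysctl.conf and ipv6.disable=1 on the kernel command line). The function names are hypothetical, and the script only inspects the files it is given, not the running kernel state.

```shell
#!/bin/sh
# Added example: audit the two persistent IPv6-disable mechanisms from the thread.
# Function names are hypothetical; files are passed in so it can run on copies.

# sysctl_conf_value FILE KEY: print the last value assigned to KEY in FILE.
# Accepts "key = 1" and "key=1"; skips comment lines starting with # or ;.
sysctl_conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v      # later lines override earlier ones
        }
        END { if (last != "") print last }
    ' "$1"
}

# cmdline_has_ipv6_disable FILE: succeed if ipv6.disable=1 is a boot parameter.
cmdline_has_ipv6_disable() {
    tr ' ' '\n' < "$1" | grep -qx 'ipv6\.disable=1'
}

# ipv6_persistently_disabled CONF CMDLINE: print "cmdline", "sysctl" or "no".
ipv6_persistently_disabled() {
    if cmdline_has_ipv6_disable "$2"; then echo cmdline; return 0; fi
    if [ "$(sysctl_conf_value "$1" net.ipv6.conf.all.disable_ipv6)" = 1 ] &&
       [ "$(sysctl_conf_value "$1" net.ipv6.conf.default.disable_ipv6)" = 1 ]; then
        echo sysctl; return 0
    fi
    echo no; return 1
}

# Constructed sample input (not from a real host): a later line re-enables "all".
tmp=$(mktemp -d)
printf '%s\n' '# hardening' \
    'net.ipv6.conf.all.disable_ipv6 = 1' \
    'net.ipv6.conf.default.disable_ipv6=1' \
    'net.ipv6.conf.all.disable_ipv6 = 0' > "$tmp/sysctl.conf"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$tmp/cmdline"
ipv6_persistently_disabled "$tmp/sysctl.conf" "$tmp/cmdline" || true
rm -rf "$tmp"
```

On a live host, pass /etc/sysctl.conf and /proc/cmdline as the two arguments.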

