hey all,
I tried disabling tcp v6 on a C7 box this way:
[root at puppet:~] #cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an
/etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Then going:
[root at puppet:~] #sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Then I restarted xinetd for good measure:
[root at puppet:~] #systemctl restart xinetd
[root at puppet:~] #
Because I'm trying to hit nrpe on this host.
Yet, xinetd/nrpe still seems to be listening on TCP v6!!
[root at puppet:~] #netstat -tulpn | grep -i listen | grep xinetd
tcp6 0 0 :::5666 :::* LISTEN 2915/xinetd
This is a CentOS 7.1 box:
[root at puppet:~] #cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
What am I doing wrong? I need to be able to disable tcpv6 completely!
Thanks
Tim
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

On 05/03/2015 02:18 PM, Tim Dunphy wrote:
> Yet, xinetd/nrpe still seems to be listening on TCP v6!!

It's listening on both IPv6 and IPv4. Specifically, why is that a problem?

> What am I doing wrong? I need to be able to disable tcpv6 completely!

You could add "ipv6.disable=1" to your kernel args.

On Sun, May 3, 2015 at 4:18 PM Tim Dunphy <bluethundr at gmail.com> wrote:
> What am I doing wrong? I need to be able to disable tcpv6 completely!

Ultimately you can disable ipv6 completely by disabling the ipv6 module. The FAQ below also includes a reason why you may not want to do that.

http://wiki.centos.org/FAQ/CentOS7#head-8984faf811faccca74c7bcdd74de7467f2fcd8ee

Alternatively, on top of what you have already done, which is disabling ipv6 via sysctl, you can set the xinetd service to specifically listen on ipv4 only. There are other examples on that FAQ on how to accomplish that with other services.

    flags = IPv4

However, if you feel like you have to completely disable ipv6 and you are not running selinux, ip6tables, this approach works for disabling ipv6:

- Edit /etc/default/grub and append 'ipv6.disable=1' to the GRUB_CMDLINE_LINUX configuration variable
- Generate the grub configuration file
    grub2-mkconfig -o /boot/grub2/grub.cfg
- Reboot

> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?

The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
CHECK_NRPE: Socket timeout after 10 seconds.

It is listening on the puppet host on port 5666

[root at puppet:~] #lsof -i :5666
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 2915 root 5u IPv6 24493 0t0 TCP *:nrpe (LISTEN)

And the firewall is allowing that port:

[root at puppet:~] #firewall-cmd --list-ports
5666/udp

But if I check the port using nmap

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.012s latency).
PORT STATE SERVICE
5666/tcp filtered nrpe

That port is closed despite the port being allowed on the firewall. So I thought that the problem was that xinetd was listening to port 5666 only on tcp v6. And when the monitoring host hits the puppet host using tcp v4 it can't because only tcp v6 is active on that port.

You mention that it's listening on both tcp v4 and v6. But I only see v6 in that output. How are you determining that?

It's a problem because the port does not appear to be open from the monitoring host:

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT STATE SERVICE
5666/tcp filtered nrpe

> > What am I doing wrong? I need to be able to disable tcpv6 completely!
>
> You could add "ipv6.disable=1" to your kernel args.

Worth a shot!

On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
> On 05/03/2015 02:18 PM, Tim Dunphy wrote:
>> Yet, xinetd/nrpe still seems to be listening on TCP v6!!
>
> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>
>> What am I doing wrong? I need to be able to disable tcpv6 completely!
>
> You could add "ipv6.disable=1" to your kernel args.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
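
Added example (not part of any message in the thread): a Python check that cross-references `netstat -tulpn` listeners with the `firewall-cmd --list-ports` output, run here on constructed sample input modelled on the output quoted above. It assumes a wildcard tcp6 socket also accepts IPv4 unless net.ipv6.bindv6only=1 or the daemon sets IPV6_V6ONLY itself, and it compares against the port list only, not firewalld services or rich rules.

```python
# Constructed sample input, modelled on the command output quoted in the thread.
NETSTAT_TULPN = """\
tcp6       0      0 :::5666         :::*            LISTEN      2915/xinetd
"""
FIREWALL_LIST_PORTS = "5666/udp"


def parse_listeners(netstat_text, bindv6only=0):
    """Return [(l4proto, port, families, program)] for each listening socket.

    Assumption: a wildcard AF_INET6 socket (":::port") is dual-stack, i.e. it
    also serves IPv4 clients, unless bindv6only is set (or the daemon sets
    IPV6_V6ONLY, which netstat output cannot show).
    """
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        addr, _, port = f[3].rpartition(":")
        if f[0].endswith("6"):
            dual = addr == "::" and not bindv6only
            families = {"IPv4", "IPv6"} if dual else {"IPv6"}
        else:
            families = {"IPv4"}
        listeners.append((f[0].rstrip("6"), int(port), families, f[-1]))
    return listeners


def parse_firewall_ports(text):
    """Parse `firewall-cmd --list-ports` output into {(l4proto, port)}."""
    allowed = set()
    for item in text.split():
        ports, _, proto = item.partition("/")
        lo, _, hi = ports.partition("-")  # entries may be ranges: 5000-5002/tcp
        for p in range(int(lo), int(hi or lo) + 1):
            allowed.add((proto, p))
    return allowed


def blocked_listeners(netstat_text, firewall_text, bindv6only=0):
    """Listeners whose (protocol, port) pair is not opened by the port list."""
    allowed = parse_firewall_ports(firewall_text)
    return [l for l in parse_listeners(netstat_text, bindv6only)
            if (l[0], l[1]) not in allowed]


if __name__ == "__main__":
    for proto, port, fams, prog in blocked_listeners(NETSTAT_TULPN, FIREWALL_LIST_PORTS):
        print(f"{prog}: {port}/{proto} ({'+'.join(sorted(fams))}) is not in the firewall port list")
```
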