> > It's listening on both IPv6 and IPv4. Specifically, why is that a problem?

The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
CHECK_NRPE: Socket timeout after 10 seconds.

It is listening on the puppet host on port 5666

[root at puppet:~] #lsof -i :5666
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
xinetd  2915 root 5u  IPv6 24493  0t0      TCP  *:nrpe (LISTEN)

And the firewall is allowing that port:

[root at puppet:~] #firewall-cmd --list-ports
5666/udp

But if I check the port using nmap

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.012s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

That port is closed despite the port being allowed on the firewall.

So I thought that the problem was that xinetd was listening to port 5666 only on tcp v6. And when the monitoring host hits the puppet host using tcp v4 it can't because only tcp v6 is active on that port.

You mention that it's listening on both tcp v4 and v6. But I only see v6 in that output. How are you determining that?

It's a problem because the port does not appear to be open from the monitoring host:

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

> > > What am I doing wrong? I need to be able to disable tcpv6 completely!
> >
> > You could add "ipv6.disable=1" to your kernel args.

Worth a shot!

On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:

> On 05/03/2015 02:18 PM, Tim Dunphy wrote:
>
> > Yet, xinetd/nrpe still seems to be listening on TCP v6!!
>
> It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>
> > What am I doing wrong? I need to be able to disable tcpv6 completely!
>
> You could add "ipv6.disable=1" to your kernel args.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
is it working on localhost or not???!!! it could be selinux problem also, if context is not correct.

-- 
Eero

2015-05-04 1:55 GMT+03:00 Tim Dunphy <bluethundr at gmail.com>:

> > > It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>
> The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.
>
> [root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
> CHECK_NRPE: Socket timeout after 10 seconds.
>
> [...]
>
> -- 
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> is it working on localhost or not???!!! it could be selinux problem also, if context is not correct.

It's working on localhost:

[root at puppet:~] #telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I notice if I stop the firewall on the puppet host (for no more than 2 seconds) and hit NRPE from the monitoring host it works:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
NRPE v2.15

But as soon as the firewall has been enabled on the puppet host (a microsecond later) I get this result:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
connect to address 216.120.xxx.xxx port 5666: No route to host
connect to host puppet.mydomain.com port 5666: No route to host

And nmap from the monitoring host tells me that the port is closed:

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 23:20 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

Back on the puppet host I verify that the port is open for UDP:

[root at puppet:~] #firewall-cmd --list-ports
5666/udp

That should be right AFAIK. Can anybody tell me what I'm doing wrong?

Thanks
Tim

On Sun, May 3, 2015 at 6:59 PM, Eero Volotinen <eero.volotinen at iki.fi> wrote:

> is it working on localhost or not???!!! it could be selinux problem also, if context is not correct.
>
> --
> Eero
>
> 2015-05-04 1:55 GMT+03:00 Tim Dunphy <bluethundr at gmail.com>:
>
> > [...]
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
On 2015-05-03 6:55 pm, Tim Dunphy wrote:

> > It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
>
> The central problem seems to be that the monitoring host can't hit nrpe on port 5666 UDP.
>
> [...]
>
> It's a problem because the port does not appear to be open from the monitoring host:
>
> [root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
> Nmap scan report for puppet.jokefire.com (216.120.250.140)
> Host is up (0.011s latency).
> PORT     STATE    SERVICE
> 5666/tcp filtered nrpe

I see that there's been quite a bit of discussion on this issue already, but I don't believe I've seen anyone note/mention this:

The above does not indicate that the port is closed... the above indicates that the port is open but is being filtered by your firewall rules.

You might want to also check your firewall rules to ensure that port 5666 is allowing connections from the client system(s) in question.

-- 
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore."
--Colonel Jack O'Neill, SG1
On 05/03/2015 03:55 PM, Tim Dunphy wrote:

> You mention that it's listening on both tcp v4 and v6. But I only see v6 in that output. How are you determining that?

On Linux, IPv4 is mapped inside the IPv6 space. An application that listens on an address-less v6 port is listening on both IPv4 and IPv6. For example, look at TCP port 22 for SSH.
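The dual-stack behaviour Gordon describes can be shown directly, without xinetd or a firewall in the way. The script below is an added example and is not from this thread: it binds an AF_INET6 listener on the address-less wildcard "::" (the same kind of socket lsof reports as "IPv6 ... TCP *:nrpe"), then connects to it from a plain IPv4 client over 127.0.0.1. With the Linux default (IPV6_V6ONLY off, sysctl net.ipv6.bindv6only=0) the listener accepts the connection and sees the client as the IPv4-mapped address ::ffff:127.0.0.1; with IPV6_V6ONLY set, the same IPv4 connect is refused. It assumes a kernel with IPv6 enabled (it would not run on a host booted with ipv6.disable=1, which is why the helper check is there); the function and helper names are mine.

```python
import socket


def ipv6_loopback_available() -> bool:
    """True if this kernel lets us create and bind an AF_INET6 socket.
    False on a host booted with ipv6.disable=1 (assumption: that is the only
    reason a loopback bind would fail here)."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def peer_seen_by_v6_listener(v6only: bool):
    """Bind an IPv6 wildcard TCP listener on an ephemeral port and connect to
    it from an AF_INET (IPv4-only) client over 127.0.0.1.

    Returns the peer address the listener sees, which for a dual-stack socket
    is the IPv4-mapped form '::ffff:127.0.0.1'. Returns None if the IPv4
    connect is refused, which is what happens when the socket is IPv6-only:
    nothing is listening on the IPv4 side of that port.
    """
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # 0 = dual-stack (Linux default, net.ipv6.bindv6only=0); 1 = IPv6 only.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))  # the address-less "*:port" listener, as in the lsof output
        port = srv.getsockname()[1]
        srv.listen(1)
        srv.settimeout(3)

        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(3)
            try:
                cli.connect(("127.0.0.1", port))
            except OSError:  # ECONNREFUSED: no IPv4 listener on this port
                return None
            conn, peer = srv.accept()
            conn.close()
            return peer[0]  # AF_INET6 accept() returns (host, port, flowinfo, scope_id)


if __name__ == "__main__":
    if not ipv6_loopback_available():
        print("IPv6 is disabled on this kernel; nothing to demonstrate")
    else:
        for flag in (False, True):
            seen = peer_seen_by_v6_listener(flag)
            print(f"IPV6_V6ONLY={int(flag)}: IPv4 client seen by the v6 listener as {seen!r}")
```

On a stock CentOS 7 box the first line prints '::ffff:127.0.0.1' and the second prints None. The practical check on a real server is the same idea: a listener that `ss -tlnp` shows bound to `*:5666` or `[::]:5666` is reachable over IPv4 unless `net.ipv6.bindv6only` is 1 or the daemon set IPV6_V6ONLY itself, so an IPv6-looking lsof line is not by itself evidence that IPv4 clients are locked out.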