Re: Debian 11: How to disable IPv6

Greg

Jul 9, 2022, 10:00:06 AM
On 7/9/22 15:52, Roger Price wrote:
> In a Debian 11 system, I would like to disable IPv6 adapters in order to
> persuade fetchmail to talk to exim4.  The advice generally given is to
> add a line to /etc/sysctl.conf
>
>  net.ipv6.conf.all.disable_ipv6 = 1
>
> and run sysctl -p as root.  With Debian 11 this generates the error message
>
>  sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such
> file or directory
>
> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way
> of disabling IPv6?

ipv6.disable=1 as a bootarg

Regards

Roger Price

Jul 9, 2022, 10:00:06 AM
In a Debian 11 system, I would like to disable IPv6 adapters in order to
persuade fetchmail to talk to exim4. The advice generally given is to add a
line to /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1

and run sysctl -p as root. With Debian 11 this generates the error message

sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory

because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
disabling IPv6?

Roger

Andy Smith

Jul 9, 2022, 10:20:05 AM
Hello,

On Sat, Jul 09, 2022 at 03:52:03PM +0200, Roger Price wrote:
> I would like to disable IPv6 adapters in order to persuade
> fetchmail to talk to exim4.

Sounds like you have a misconfiguration that should be fixed, rather
than disabling IPv6 to work around it.

> net.ipv6.conf.all.disable_ipv6 = 1
>
> and run sysctl -p as root. With Debian 11 this generates the error message
>
> sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory
>
> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
> disabling IPv6?

That directory exists for me on all of my Debian 11 machines, so I
guess you have something else wrong. Or maybe have already disabled
IPv6 on the kernel command line (don't know if that removes the
net.ipv6 sysfs tree as well).

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Roger Price

Jul 9, 2022, 11:00:05 AM
On Sat, 9 Jul 2022, Andy Smith wrote:
> On Sat, Jul 09, 2022 at 03:52:03PM +0200, Roger Price wrote:
>> I would like to disable IPv6 adapters in order to persuade
>> fetchmail to talk to exim4.
>
> Sounds like you have a misconfiguration that should be fixed, rather
> than disabling IPv6 to work around it.

It's the misconfiguration that I'm trying to fix. When I try to start fetchmail I
get the error message

Jul 09 10:22:57 titan fetchmail[7286]:
reading message
mai...@rogerprice.org@mail.gandi.net:1 of 7 (8954 octets)
(log message incomplete)
Jul 09 10:22:57 titan fetchmail[7286]:
Connection errors for this poll:
name 0: connection to localhost:smtp [127.0.0.1/25] failed:
Connection refused.
name 1: connection to localhost:smtp [127.0.0.1/25] failed:
Connection refused.
Jul 09 10:22:57 titan fetchmail[7286]: SMTP connect to localhost failed

I understand this to mean that my Debian 11 machine cannot connect to itself on
port 25 despite the netfilter rule "iif lo accept", so I assumed it was an IPv6
problem with fetchmail trying to use IPv6 with exim4. As a check, I tried:

root@titan ~ telnet localhost 25
Trying 127.0.0.1...
Trying ::1...
telnet: Unable to connect to remote host: Address family not supported by protocol

There is nothing I can find in the exim4 configuration that would inhibit IPv6.

>> net.ipv6.conf.all.disable_ipv6 = 1
>> and run sysctl -p as root. With Debian 11 this generates the error message
>> sysctl: cannot stat /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory
>> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
>> disabling IPv6?
>
> That directory exists for me on all of my Debian 11 machines, so I
> guess you have something else wrong. Or maybe have already disabled
> IPv6 on the kernel command line (don't know if that removes the
> net.ipv6 sysfs tree as well).

I have just discovered that in file /etc/default/grub I already have lines

# See https://nouveau.freedesktop.org/Bugs.html
GRUB_CMDLINE_LINUX="log_buf_len=1M ipv6.disable=1 net.ifnames=0 3"

I do not remember adding the ipv6.disable=1 myself. I do not know where it
comes from.

Roger

Greg Wooledge

Jul 9, 2022, 11:10:05 AM
On Sat, Jul 09, 2022 at 04:52:27PM +0200, Roger Price wrote:
> Jul 09 10:22:57 titan fetchmail[7286]:
> Connection errors for this poll:
> name 0: connection to localhost:smtp [127.0.0.1/25] failed:
> Connection refused.
> name 1: connection to localhost:smtp [127.0.0.1/25] failed:
> Connection refused.

Find out what's going on with your MTA. You could start with

ss -lnt | grep :25

to see what's listening on port 25, if anything, and which address(es)
it's listening on.

If you don't see anything listening on port 25 at all, then perhaps your
MTA is simply not running. Use "systemctl status exim4" or whatever
package/service your MTA uses. (I don't use exim4, so I don't know its
service name.)

If you don't get helpful error messages out of that, try running it as
root. Sometimes that gives more information.

Also check exim4's configuration, and make sure it has been told to run,
and to listen on port 25 of *all* interfaces.

Andy Smith

Jul 9, 2022, 11:30:05 AM
Hello,

On Sat, Jul 09, 2022 at 04:52:27PM +0200, Roger Price wrote:
> When I try to start fetchmail I get the error message
>
> Jul 09 10:22:57 titan fetchmail[7286]:
> reading message
> mai...@rogerprice.org@mail.gandi.net:1 of 7 (8954 octets)
> (log message incomplete)
> Jul 09 10:22:57 titan fetchmail[7286]:
> Connection errors for this poll:
> name 0: connection to localhost:smtp [127.0.0.1/25] failed:
> Connection refused.
> name 1: connection to localhost:smtp [127.0.0.1/25] failed:
> Connection refused.
> Jul 09 10:22:57 titan fetchmail[7286]: SMTP connect to localhost failed
>
> I understand this to mean that my Debian 11 machine cannot connect to itself
> on port 25 despite the netfilter rule "iif lo accept", so I assumed it was
> an IPv6 problem with fetchmail trying to use IPv6 with exim4.

There's nothing in the above that references IPv6. There isn't a
single IPv6 address in that text. There is an IPv4 address though
(127.0.0.1).

> As a check, I tried:
>
> root@titan ~ telnet localhost 25
> Trying 127.0.0.1...
> Trying ::1...
> telnet: Unable to connect to remote host: Address family not supported by protocol

This shows that nothing is listening on port 25 of 127.0.0.1 (or
it's firewalled with a rule that returns TCP RST) and that there is
something wrong with your IPv6, maybe because you disabled it or
maybe because this variant of telnet you're using doesn't support
it. But whatever the case, it seems like port 25 of your (IPv4)
localhost is the main issue here.

I don't use fetchmail but I guess you are wanting it to connect to
your Exim, so you should check that Exim is actually set to listen
on port 25 of 127.0.0.1.

Thing is, I think that Exim by default does listen on localhost:25
on Debian, so in order for yours to not do that you probably have
altered its config in some way. Or it could be the firewall.

> There is nothing I can find in the exim4 configuration that would inhibit IPv6.

You disabling IPv6 inhibits IPv6 but I really don't know what the
fixation is with IPv6 (and why it must be disabled).

Christian Britz

Jul 9, 2022, 11:40:05 AM


On 09.07.22 at 15:52, Roger Price wrote:

> because directory /proc/sys/net/ipv6 doesn't exist. What is the new way of
> disabling IPv6?

I did it recently just in the way you described on Debian 11.

--
http://www.cb-fraggle.de

Christian Britz

Jul 9, 2022, 11:50:05 AM


On 09.07.22 at 16:14, Andy Smith wrote:

> Sounds like you have a misconfiguration that should be fixed, rather
> than disabling IPv6 to work around it.
>

I do not know about this case, but there are still situations where
applications have problems with IPv6. For example the proprietary Citrix
client if you go online using the mobile phone.

> That directory exists for me on all of my Debian 11 machines, so I

On mine too.


--
http://www.cb-fraggle.de

gene heskett

Jul 9, 2022, 4:10:05 PM
Andy, you obviously don't live in ipv4 only territory. Until n-m or
whatever gets trained to auto switch to ipv4 if 6 fails, then we have no
choice but to disable it if we want network connectivity of any kind
outside of our own home nets, in an address block that does not get thru
a router. Unless the FBI has a special wire into their facility 30 miles
north of me, the nearest ipv6 connection is probably 150 miles north of
me. Until such time as our local ISP's offer it, we have no choice but to
disable it. It really is that simple.

Take care and stay well Andy.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>

Charles Curley

Jul 9, 2022, 9:00:05 PM
On Sat, 9 Jul 2022 15:59:48 -0400
gene heskett <ghes...@shentel.net> wrote:

> Andy, you obviously don't live in ipv4 only territory. Until n-m or
> whatever gets trained to auto switch to ipv4 if 6 fails, then we have
> no choice but to disable it if we want network connectivity of any
> kind outside of our own home nets, in an address block that does not
> get thru a router.

Gene, I also live at the end of an IPv4 only connection. By and large I
simply ignore IPv6. You may have an oddball setup, but it is up to you
to housebreak your applications to use IPv4 first. I do it in part by
using my own resolver, BIND9, and having it return only IPv4 addresses.


--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/

Greg Wooledge

Jul 9, 2022, 9:00:05 PM
On Sat, Jul 09, 2022 at 06:51:22PM -0600, Charles Curley wrote:
> On Sat, 9 Jul 2022 15:59:48 -0400
> gene heskett <ghes...@shentel.net> wrote:
>
> > Andy, you obviously don't live in ipv4 only territory. Until n-m or
> > whatever gets trained to auto switch to ipv4 if 6 fails, then we have
> > no choice but to disable it if we want network connectivity of any
> > kind outside of our own home nets, in an address block that does not
> > get thru a router.
>
> Gene, I also live at the end of an IPv4 only connection. By and large I
> simply ignore IPv6. You may have an oddball setup, but it is up to you
> to housebreak your applications to use IPv4 first. I do it in part by
> using my own resolver, BIND9, and having it return only IPv4 addresses.

And every single piece of this discussion is irrelevant to the OP's
issue, which is that their MTA is apparently not listening on 127.0.0.1;25.

IPv6 is a red herring.

gene heskett

Jul 10, 2022, 12:00:06 AM
> .
I agree with that too Greg, and it's had its 3 days in the fridge,
and is beginning to smell.

Take care & stay well.

local10

Jul 10, 2022, 12:50:05 AM
Jul 10, 2022, 00:51 by charle...@charlescurley.com:

> I do it in part by
> using my own resolver, BIND9, and having it return only IPv4 addresses.
>

How did you do it? I tried to start named with "-4" option to use only ipv4 but it refused to start with that option, IIRC.

Regards,

Charles Curley

Jul 10, 2022, 1:50:04 AM
My /etc/default/named looks like:

#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-4 -u bind"


That should do it.

But all that does is tell named to use IPv4. It will still return IPv6
addresses. So maybe I'm wrong about returning only IPv4 addresses.
Hmmm....

Tim Woodall

Jul 10, 2022, 2:10:05 AM
On Sat, 9 Jul 2022, Charles Curley wrote:

> On Sun, 10 Jul 2022 06:44:46 +0200 (CEST)
> local10 <loc...@tutanota.com> wrote:
>
>> Jul 10, 2022, 00:51 by charle...@charlescurley.com:
>>
>>> I do it in part by
>>> using my own resolver, BIND9, and having it return only IPv4
>>> addresses.
>>
>> How did you do it? I tried to start named with "-4" option to use
>> only ipv4 but it refused to start with that option, IIRC.
>>
>> Regards,
>>
>
> My /etc/default/named looks like:
>
> #
> # run resolvconf?
> RESOLVCONF=no
>
> # startup options for the server
> OPTIONS="-4 -u bind"
>
>
> That should do it.
>
> But all that does is tell named to use IPv4. It will still return IPv6
> addresses. So maybe I'm wrong about returning only IPv4 addresses.
> Hmmm....
>
I was a bit surprised. I've never had to disable ipv6 where the only
public routes are ipv4. Do some people have a default route for ipv6
that doesn't work?

The default settings don't make it easy for radvd to publish anything
other than a /64 prefix and a default route.

I am using ipv6 but I think you need things like:

AdvDefaultLifetime 0;
to stop radvd providing a default route and

echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
to allow other routes to be configured.

This can mess up your day if there is any risk of rogue RAs on the
network.

Tim

local10

Jul 10, 2022, 2:50:04 AM
Jul 10, 2022, 05:43 by charle...@charlescurley.com:

> My /etc/default/named looks like:
>
> #
> # run resolvconf?
> RESOLVCONF=no
>
> # startup options for the server
> OPTIONS="-4 -u bind"
>
>
> That should do it.
>
> But all that does is tell named to use IPv4. It will still return IPv6
> addresses. So maybe I'm wrong about returning only IPv4 addresses.
> Hmmm....
>

I tried it, it looks like it's running fine with the "-4 -u bind" options, not sure why I was having issues before.
Thanks for your help.

Roger Price

Jul 10, 2022, 10:40:05 AM
I have successfully used fetchmail and the MTA exim4 to receive mail on a Debian
9 machine for several years. I am now trying to migrate this to Debian 11, but
fetchmail no longer talks to exim4.

systemctl status fetchmail reports

● fetchmail.service - LSB: init-Script for system wide fetchmail daemon
Loaded: loaded (/etc/init.d/fetchmail; generated)
Active: active (running) since Sun 2022-07-10 15:08:22 CEST; 24min ago
Process: 1113 ExecStart=/etc/init.d/fetchmail start (code=exited, status=0/SUCCESS)
...
Jul 10 15:31:06 titan fetchmail[1127]: pop.free.fr: upgrade to TLS failed.
Jul 10 15:31:06 titan fetchmail[1127]: Unknown login or authentication error on
roger...@free.fr@pop.free.fr
Jul 10 15:31:06 titan fetchmail[1127]: socket error while fetching from
roger...@free.fr@pop.free.fr
Jul 10 15:31:06 titan fetchmail[1127]: Query status=2 (SOCKET)
Jul 10 15:31:06 titan fetchmail[1127]: 6 messages for mai...@rogerprice.org
at mail.gandi.net (40156 octets).
Jul 10 15:31:06 titan fetchmail[1127]: reading message
mai...@rogerprice.org@mail.gandi.net:1 of 6 (8954 octets)
Jul 10 15:31:06 titan fetchmail[1127]: Connection errors for this poll:
name 0: connection to localhost:smtp
[127.0.0.1/25] failed: Connection refused.
name 1: connection to localhost:smtp
[127.0.0.1/25] failed: Connection refused.
Jul 10 15:31:06 titan fetchmail[1127]: SMTP connect to localhost failed: Query status=10 (SMTP)

Is anyone listening on port 25? On Debian 9 command ss -lnt | grep :25 reports

LISTEN 0 20 127.0.0.1:25 *:*

but on Debian 11 reports nothing. Try again with command telnet localhost 25.
On Debian 9 I saw:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 maria ESMTP Exim 4.89 Sun, 10 Jul 2022 14:21:24 +0200

but on Debian 11 I get

Trying 127.0.0.1...
Trying ::1...
telnet: Unable to connect to remote host: Address family not supported by protocol

systemctl status exim4 reports

● exim4.service - LSB: exim Mail Transport Agent
Loaded: loaded (/etc/init.d/exim4; generated)
Active: active (exited) since Sun 2022-07-10 15:08:22 CEST; 25min ago
Process: 856 ExecStart=/etc/init.d/exim4 start (code=exited, status=0/SUCCESS)
...
Jul 10 15:08:22 titan systemd[1]: Starting LSB: exim Mail Transport Agent...
Jul 10 15:08:22 titan exim4[856]: Starting MTA: exim4.
Jul 10 15:08:22 titan exim4[856]: ALERT: exim paniclog /var/log/exim4/paniclog
has non-zero size, mail system possibly broken
Jul 10 15:08:22 titan systemd[1]: Started LSB: exim Mail Transport Agent.

Is exim4 listening on port 25? Configuration file /etc/defaults/exim4 shows:

# Options for the SMTP listener daemon. By default, it is listening on
# port 25 only. To listen on more ports, it is recommended to use
# -oX 25:587:10025 -oP /run/exim4/exim.pid
SMTPLISTENEROPTIONS=''

so exim4 is configured to listen on default port 25. The file
/var/log/exim4/paniclog contains multiple copies of the message

IPv6 socket creation failed: Address family not supported by protocol

Is this my problem? My file /etc/default/grub contained the line

GRUB_CMDLINE_LINUX="log_buf_len=1M ipv6.disable=1 net.ifnames=0 3"

I removed the ipv6.disable=1 and rebooted, but this made no difference.

Any hint as to why fetchmail cannot talk to exim4 will be much appreciated,
particularly since this has been running for several years on Debian 9.

Roger

Roger Price

Jul 10, 2022, 10:40:05 AM
On Sat, 9 Jul 2022, Greg Wooledge wrote:

> And every single piece of this discussion is irrelevant to the OP's
> issue, which is that their MTA is apparently not listening on 127.0.0.1;25.
>
> IPv6 is a red herring.

Yes, this is my fault for choosing an inappropriate Subject line. I will try
again with, I hope, a better informed question and a better Subject.

Roger

gene heskett

Jul 10, 2022, 11:20:05 AM
And I would point out, Roger, that fetchmail has a mailing list,
inhabited by the author/maintainer of fetchmail, and that a
knowledgeable reply by Mathias is usually forthcoming in just an hour or
so.

<https://lists.sourceforge.net/lists/listinfo/fetchmail-users>

Take care and stay well.

Gareth Evans

Jul 10, 2022, 12:20:06 PM
On Sun 10 Jul 2022, at 15:38, Roger Price <deb...@rogerprice.org> wrote:
[...]
> I removed the ipv6.disable=1 and rebooted, but this made no difference.

I'm not sure if there may be other issues here too, but did you update-grub before rebooting?

If not, does /etc/hosts currently contain

localhost ::1

?

If so, it seems ipv6 is still disabled while localhost is associated with an ipv6 address, which may have some bearing according to these [not entirely pertinent] sources:

https://stackoverflow.com/questions/67173756/socket-address-family-not-supported-by-protocol
https://unix.stackexchange.com/questions/407663/ipv6-socket-creation-failed-address-family-not-supported-by-protocol
https://github.com/netdata/netdata/issues/1282

Hope that helps.

Gareth

Gareth Evans

Jul 10, 2022, 12:30:05 PM
On Sun 10 Jul 2022, at 17:12, Gareth Evans <dono...@fastmail.fm> wrote:

> https://unix.stackexchange.com/questions/407663/ipv6-socket-creation-failed-address-family-not-supported-by-protocol

FWIMBW, this explains how to disable ipv6 for exim4 (albeit on Deb 9) though I'm not sure the advice re hosts file is universally applicable.

Nicolas George

Jul 10, 2022, 12:40:06 PM
Roger Price (12022-07-10):
> I have successfully used fetchmail and the MTA exim4 to receive mail on a
> Debian 9 machine for several years. I am now trying to migrate this to
> Debian 11, but fetchmail no longer talks to exim4.

I have never understood why fetchmail's default operation was to pass to
a MTA. Sure, it can be useful in some cases, but most basic usage will
do much better directly sending to the MDA.

So my advice: unless you want incoming mail, get rid of exim and just
use the mda option of fetchmail.

Regards,

--
Nicolas George

Greg Wooledge

Jul 10, 2022, 1:30:06 PM
On Sun, Jul 10, 2022 at 05:12:18PM +0100, Gareth Evans wrote:
> On Sun 10 Jul 2022, at 15:38, Roger Price <deb...@rogerprice.org> wrote:
> [...]
> > I removed the ipv6.disable=1 and rebooted, but this made no difference.
>
> I'm not sure if there may be other issues here too, but did you update-grub before rebooting?
>
> If not, does /etc/hosts currently contain
>
> localhost ::1
>
> ?

Mine contains these lines:

unicorn:~$ grep ::1 /etc/hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes

They were put there by Debian. I didn't touch them.

Gareth Evans

Jul 10, 2022, 6:00:06 PM
On Sun 10 Jul 2022, at 18:28, Greg Wooledge <gr...@wooledge.org> wrote:

> Mine contains these lines:
>
> unicorn:~$ grep ::1 /etc/hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
>
> They were put there by Debian. I didn't touch them.

[I got the ::1 and localhost the wrong way around in my earlier reply.]


$ sudo fuser 25/tcp
25/tcp: 3778

$ ps -p 3778 -o comm=
exim4

$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 hostname
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

$ telnet localhost 25
Trying ::1...
Connected to localhost.

$ sudo ss -lnt | grep :25
LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 20 [::1]:25 [::]:*


$ sudo reboot
- set boot arg ipv6.disable=1
- NB ipv6 addresses still in /etc/hosts

$ telnet localhost 25
Trying 127.0.0.1...
Trying ::1...
telnet: Unable to connect to remote host: Address family not supported by protocol
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
$ sudo ss -lnt | grep :25
$


Just out of interest:

Now, comment out ipv6 in /etc/hosts

$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 hostname
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters


$ sudo reboot
- set boot arg ipv6.disable=1

$ telnet localhost 25
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
^^^^^^^^^^^^^^^^^^ ???
$ sudo nft list ruleset
$

$ ss -lnt | grep :25
$

$ ps -aux | grep exim
gives only "grep exim" - exim4 is not running

Does exim4 require ipv6?

I can't find any obvious such config with

sudo grep -Ri ipv6 /etc/exim4
sudo grep -Ri ip6 /etc/exim4
etc. etc.


In Roger's case, telnet seems to be outputting the same error as exim4 is panic logging, which occurs when ipv6 is disabled and "::1 ..." exists in /etc/hosts. Coincidence?

"When certain serious errors occur, Exim writes entries to its panic log. If the error is sufficiently disastrous, Exim bombs out afterwards"
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-log_files.html

This suggests exim4 may not be listening having written to the panic log even if my ipv6 requirement is the result of some oddity.

Again:

On Sun 10 Jul 2022, at 15:38, Roger Price <deb...@rogerprice.org> wrote:
> I removed the ipv6.disable=1 and rebooted, but this made no difference.

IIUC, without a

$ sudo update-grub

before reboot, ipv6 is still disabled, assuming Roger described exactly what he did there.

Does this seem a reasonable assessment?

Best wishes,
Gareth

Greg Wooledge

Jul 10, 2022, 6:10:05 PM
On Sun, Jul 10, 2022 at 10:57:40PM +0100, Gareth Evans wrote:
> $ sudo reboot
> - set boot arg ipv6.disable=1
> - NB ipv6 addresses still in /etc/hosts
>
> $ telnet localhost 25
> Trying 127.0.0.1...
> Trying ::1...
> telnet: Unable to connect to remote host: Address family not supported by protocol
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> $ sudo ss -lnt | grep :25
> $

> Does exim4 require ipv6?

Check its log file to be sure. The snippet you posted earlier seems
to say that it really does want to bind to loopback on both IPv4 and
IPv6.

Letting it do so seems like the path of least resistance.

Andy Smith

Jul 10, 2022, 6:50:07 PM
Hi Gene,

Before we go any further let's just remember that this thread was
started by someone wanting to disable IPv6 for no specific reason.
They had decided they needed to do so to fix some problem they were
having, when in fact they had ALREADY disabled IPv6, so there is no
possibility whatsoever that IPv6 was responsible for whatever
problem they were seeing.

This kind of mindset is counter productive, even if you have found a
brother in IPv6-hating arms.

Your advocacy of disabling IPv6 "just because" is wrong on every
level; it is necessary in virtually no circumstance¹. But you're
also doing it on a thread which conclusively has nothing to do with
IPv6. Hopefully you can see why this seems like a bit of a theme
with you.

On Sat, Jul 09, 2022 at 03:59:48PM -0400, gene heskett wrote:
> Andy, you obviously don't live in ipv4 only territory.

I travel a lot so am often on networks with no external IPv6.
Nothing breaks for me.

> Until n-m or whatever gets trained to auto switch to ipv4 if 6
> fails,

Nothing should break when there is no IPv6 connectivity. If it does,
you almost certainly have something misconfigured. You have spent a
lot of time telling this list how you disable IPv6 but have never
managed to demonstrate an actual problem that required you to do
so.

> Until such time as our local ISP's offer it, we have no choice but
> to disable it. It really is that simple.

Things can seem very simple when you have a completely incorrect
understanding.

I started typing this email in a client's house on a network I don't
control, that does not have IPv6. My laptop has no special
configuration to either make IPv6 work nor to disable it. Since then
I returned home, to my network which does have IPv6, and carried on
typing the email.

This is the default behaviour of Linux for a decade or more. You are
very unlikely to have to change any setting to have things work this
way. It really is that simple.

Of course, on your systems which will stay on your network, with an
Internet service provider that does not offer IPv6, there may be
very little point to having IPv6 be a thing. You're probably losing
very little by disabling it². But your claims that it routinely
breaks things or causes problems when there's no external IPv6
connectivity are just wrong. This is all designed to be used when
it's available and not really be noticed either way.

Cheers,
Andy

¹ It is certainly possible for some site's IPv6 to break while its
IPv4 has not, and it's possible for that situation to stay in
effect longer because fewer people use IPv6, so it can go on for
longer before it's noticed.

For many years web browsers have used a thing called Happy
Eyeballs where they try both v6 and v4 and use the one that works
first/better, so it has to be a quite specific failure mode to
make just v6 bad. But it can happen.

Similarly as another poster pointed out, all software can have
bugs, and sometimes some specific thing just doesn't behave
correctly over IPv6.

So I can't say it NEVER EVER breaks in ANY way for ANYONE, but
what I can say is that it's almost always a bad idea to disable it
"just because", and neither this thread nor anything you have ever
posted here has described a specific instance where IPv6 broke
anything.

If you're going to dispute this, it would be good to come up with
a specific reproducible example. I'm not saying such examples
don't exist - they've happened to me. But if it does happen then
we can help work out how to fix it without just disabling IPv6.

Otherwise I'm afraid your claims about IPv6 so far have been quite
bizarre, on the level of "IPv6 ate my homework" or "my father was
killed by a 128-bit integer", and can't be taken seriously.

² Not nothing though. At some point your ISP might enable IPv6 or
you might change to one that does, at which point if you had not
taken steps to disable it, your machines would start using it
without you noticing. There would be some advantages to that
happening, though usually not big ones.

Andy Smith

Jul 10, 2022, 7:00:05 PM
Hi Charles,

On Sat, Jul 09, 2022 at 06:51:22PM -0600, Charles Curley wrote:
> it is up to you to housebreak your applications to use IPv4 first.

If you find yourself having to do this, something is probably
broken. Broken things do exist, but it is really quite rare. What
you've written here makes it seem more like a given that everyone
will face problems. In reality most people don't even notice, which
is how it's designed to work.

Amazon, Facebook and Google all have IPv6 addresses for all their
various Internet properties. If there were any widespread issue with
software on v4-only networks getting v6 DNS answers then they would
not do this.

> I do it in part by using my own resolver, BIND9, and having it
> return only IPv4 addresses.

What application do you have where this is necessary? This is a bug
because when an application asks for DNS records for foo.example.com
it can get back all sorts of records besides 'A' (IPv4 address),
most of which have nothing to do with IPv6. So anything that
complains that it got an 'AAAA' record (IPv6 address) as well as an
'A' record is really very broken.

If we dig into this I think it's likely we'll find this is not
necessary and at worst a misconfiguration exists somewhere else.

DNS is designed to work on IPv4-only networks.

Roger Price

Jul 11, 2022, 8:10:05 AM
On Sun, 10 Jul 2022 17:12:18 +0100, Gareth Evans <dono...@fastmail.fm> wrote:
> On Sun 10 Jul 2022, at 15:38, Roger Price <deb...@rogerprice.org> wrote:
> [...]
>> I removed the ipv6.disable=1 and rebooted, but this made no difference.
>
> I'm not sure if there may be other issues here too, but did you update-grub
> before rebooting?

No, I forgot. I am ashamed. I ran update-grub and command grep ipv6
/boot/grub/grub.cfg | wc -l now returns 0. No more mention of ipv6.

I re-booted and fetchmail now talks to exim4 correctly. Command ss -lnt | grep
:25 now reports

LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 20 [::1]:25 [::]:*

I can now read my mail on my Debian 11 machine. Many thanks to Gareth and all
those who commented.

Roger
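
The state that caused the confusion above, ipv6.disable=1 removed from /etc/default/grub but still present in the generated /boot/grub/grub.cfg and in the running kernel's /proc/cmdline, can be checked layer by layer. This is an added example, not part of any post in the thread; the function names, verdict strings and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which layer still carries
# ipv6.disable=1. File paths are arguments, so it runs on copies or live files.

# True if the given kernel command line contains ipv6.disable=1 as a whole word.
has_disable_token() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/default/grub: only uncommented GRUB_CMDLINE_LINUX* assignments count.
grub_default_disables_ipv6() {
    args=$(sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX[A-Z_]*=//p' "$1" |
        tr -d "\"'" | tr '\t\n' '  ')
    has_disable_token "$args"
}

# /boot/grub/grub.cfg: the "linux" line of any menu entry.
grub_cfg_disables_ipv6() {
    args=$(sed -n 's/^[[:space:]]*linux[[:space:]]//p' "$1" | tr '\t\n' '  ')
    has_disable_token "$args"
}

# /proc/cmdline: what the running kernel was actually booted with.
running_kernel_disables_ipv6() {
    has_disable_token "$(tr '\t\n' '  ' < "$1")"
}

# /etc/hosts: does an active (uncommented) line map localhost to ::1 ?
hosts_maps_localhost_to_v6() {
    awk '$1 == "::1" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break
                 if ($i == "localhost") found = 1
             }
         }
         END { exit !found }' "$1"
}

# Usage: diagnose <default-grub> <grub.cfg> <proc-cmdline>; prints one verdict.
diagnose() {
    d=no; c=no; r=no
    if grub_default_disables_ipv6 "$1"; then d=yes; fi
    if grub_cfg_disables_ipv6 "$2"; then c=yes; fi
    if running_kernel_disables_ipv6 "$3"; then r=yes; fi
    case "$d$c$r" in
        nonono)        echo "ipv6-enabled" ;;
        yesyesyes)     echo "ipv6-disabled" ;;
        noyes*|yesno*) echo "run-update-grub" ;;  # grub.cfg is stale
        *)             echo "reboot-pending" ;;   # files agree, kernel differs
    esac
}

# Constructed sample: /etc/default/grub already edited, update-grub not yet run.
# The kernel path and root device are made up.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
printf '%s\n' '# See https://nouveau.freedesktop.org/Bugs.html' \
    'GRUB_CMDLINE_LINUX="log_buf_len=1M net.ifnames=0 3"' > "$sample/default_grub"
printf '\tlinux\t/boot/vmlinuz root=/dev/sda1 ro log_buf_len=1M ipv6.disable=1 net.ifnames=0 3\n' \
    > "$sample/grub.cfg"
printf 'BOOT_IMAGE=/boot/vmlinuz root=/dev/sda1 ro log_buf_len=1M ipv6.disable=1 net.ifnames=0 3\n' \
    > "$sample/cmdline"
printf '127.0.0.1 localhost\n::1 localhost ip6-localhost ip6-loopback\n' > "$sample/hosts"

echo "verdict: $(diagnose "$sample/default_grub" "$sample/grub.cfg" "$sample/cmdline")"
hosts_maps_localhost_to_v6 "$sample/hosts" && echo "note: localhost also maps to ::1"
```

On a live Debian system the three arguments to diagnose would be /etc/default/grub, /boot/grub/grub.cfg and /proc/cmdline.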

rhkr...@gmail.com

Jul 11, 2022, 10:40:06 PM
On Sunday, July 10, 2022 06:48:10 PM Andy Smith wrote:
> Otherwise I'm afraid your claims about IPv6 so far have been quite
> bizarre, on the level of "IPv6 ate my homework" or "my father was
> killed by a 128-bit integer", and can't be taken seriously.

From the peanut gallery: I disabled IPv6 quite some time ago. I don't recall
how I did it, but I might have that information in my notes, somewhere.

The reason that I disabled it (which might not be totally logical) is that in
IPv4, I have always had my computers (and LAN) behind a NAT device.

I could not find (in the searching I did) equivalent functionality for IPv6, so
I disabled IPv6 in hopes of keeping my systems (fairly) secure.

I'm not sure that makes a lot of sense, and I'm sure [some | many | most |
maybe almost all] will disagree, especially based on the 128(?)-bit address
space in IPv6, but that was the reason I disabled IPv6.

--
rhk

If you reply: snip, snip, and snip again; leave attributions; avoid top
posting; and keep it "on list". (Oxford comma included at no charge.) If you
change topics, change the Subject: line.

A picture is worth a thousand words -- divide by 10 for each minute of video
(or audio) or create a transcript and edit it to 10% of the original.

Anssi Saari

Jul 12, 2022, 10:00:06 AM
rhkr...@gmail.com writes:

> I could not find (in the searching I did) equivalent functionality for IPv6, so
> I disabled IPv6 in hopes of keeping my systems (fairly) secure.

The equivalent to NAT in IPv6 is NAT, of course. It's not usually spoken
of much but for example my VPN provider does just that, I get a
non-routable FC00: address and they convert it to something else. Kind
of important for the P in VPN. Rules for NAT in IPv6 and nftables or
ip6tables look much the same as IPv4. I've never tried it though.

> I'm not sure that makes a lot of sense, and I'm sure [some | many | most |
> maybe almost all] will disagree, especially based on the 128(?)-bit address
> space in IPv6, but that was the reason I disabled IPv6.

Without NAT, if I don't allow IPv6 forwarding all willy nilly in the
router then my internal devices are quite safe from external access (and
the ones that are actual computers have firewalls too.) Currently I have
things set up so that only related and established connections are
forwarded. Normal stateful firewall in other words. Basically all my nft
rules in the forward chain are just this:

chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }

    # connections from the internal net to the internet or to other
    # internal nets are allowed
    iifname $DEV_PRIVATE accept

    # the rest is dropped by the above policy
}

Lee

Jul 12, 2022, 10:20:05 AM
On 7/11/22, rhkramer wrote:
>
> From the peanut gallery: I disabled IPv6 quite some time ago. I don't
> recall how I did it, but I might have that information in my notes, somewhere.
>
> The reason that I disabled it (which might not be totally logical) is that
> in IPv4, I have always had my computers (and LAN) behind a NAT device.

A NAT device does not necessarily act like a stateful firewall.

Years ago I ran a TOR middle node ... and noticed someone scanning my
internal network!! Turns out they were using loose source routing to
get around NAT:
https://en.wikipedia.org/wiki/Loose_Source_Routing
Loose Source Routing is an IP option which can be used for address
translation.

My cable modem was quite willing to forward packets addressed to the
publicly addressable outside IP address of the box to my internal LAN
with the RFC-1918 address space .. that I thought was unreachable from
the public Internet because NAT :(

So lesson learned - get a firewall or router that will drop packets
that have IP options set.

Regards,
Lee

gene heskett

Jul 12, 2022, 2:30:05 PM
Your cable modem is NOT a router.

If you want that sort of protection, get a reflashable router and put
dd-wrt in it.

Only one person in about 18 years has come thru dd-wrt, and I had to give
him the credentials on the phone. I would estimate that dd-wrt has blocked
a billion attacks or more in that same time frame. The exceptions are a NAT
that allows me to serve my own web page. No tracking other than the logs
apache2 keeps. No commercials, just me blowing my own horn. Boring...

Andy Smith

Jul 12, 2022, 6:40:05 PM
Hello,

On Mon, Jul 11, 2022 at 10:31:36PM -0400, rhkr...@gmail.com wrote:
> On Sunday, July 10, 2022 06:48:10 PM Andy Smith wrote:
> > Otherwise I'm afraid your claims about IPv6 so far have been quite
> > bizarre, on the level of "IPv6 ate my homework" or "my father was
> > killed by a 128-bit integer", and can't be taken seriously.
>
> From the peanut gallery: I disabled IPv6 quite some time ago. I don't recall
> how I did it, but I might have that information in my notes, somewhere.

Are you sure you've done it then? 😀

I don't care whether you disable IPv6 or not, but you seem to care
yet also not remember how you did it, so maybe it is worth checking
that you really did.

After all, in this thread we've already seen:

- one person who forgot they had disabled IPv6 one way and tried to
do so again in another way, and

- another who thought they had turned off all AAAA (IPv6 address)
DNS responses, but hadn't.

As mentioned, it is in the nature of this thing to try to work
without you noticing it.

> The reason that I disabled it (which might not be totally logical) is that in
> IPv4, I have always had my computers (and LAN) behind a NAT device.

Some people do indeed seem to miss NAT in IPv6. Others say NAT is an
abomination and a proper firewall is what's called for. I'm not
going to bite. 😀

You could maybe just learn how to use ip6tables or nft (or one of
the higher-level tools like firewalld) to block off IPv6 coming in
on your WAN interface while still leaving it working on your local
network. If you care.

The main reason for an eyeball network (one that hosts users that
mainly look at things on the Internet) to make use of IPv6, once
their service providers support it, is for better performance. As
the scarcity of IPv4 addresses bites, more resources on IPv4 are
forced to be behind NAT sharing a small pool of globally routed v4
addresses. This is called Carrier Grade NAT (CGNAT).

CGNAT devices add latency and are expensive to scale. They also lump
misbehaviour of users together. Content networks save money on
scaling and operating CGNAT by putting resources behind IPv6, and
eyeball networks get better performance. Secondarily they get that
separation of reputation from other users of their ISP.

It's not a huge deal yet for those in the American and European IP
regions, but it is increasingly becoming so. Just today I saw an ad
for a new local ISP on Facebook here in UK, and there were several
angry comments on the ad from gamers saying "latency sucks" and
"they use CGNAT", so already there is increasing awareness of this.

Cheers,
Andy
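
The check suggested above (confirming that IPv6 really is disabled, and by which mechanism) can be scripted. This is an added example, not part of any post in this thread; it reads the boot argument and sysctl paths quoted earlier in the thread, and the function name ipv6_state and its output labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report whether IPv6 is really off,
# and by which mechanism. The proc root is a parameter so the logic can be
# tried against a constructed directory tree as well as the live /proc.
ipv6_state() {
    proc=${1:-/proc}
    conf="$proc/sys/net/ipv6/conf"

    # With the ipv6.disable=1 boot argument the stack never initialises,
    # so /proc/sys/net/ipv6 is missing and the sysctl key cannot be stat'ed.
    if [ ! -d "$proc/sys/net/ipv6" ]; then
        if grep -qwF 'ipv6.disable=1' "$proc/cmdline" 2>/dev/null; then
            echo "off:bootarg"
        else
            echo "off:no-stack"   # stack absent; cause not determined here
        fi
        return 0
    fi

    # Collect interfaces whose own disable_ipv6 value is still 0.
    live=""
    for f in "$conf"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        case $name in all|default) continue ;; esac
        if [ "$(cat "$f")" = "0" ]; then live="${live:+$live,}$name"; fi
    done

    all=$(cat "$conf/all/disable_ipv6" 2>/dev/null || echo 0)
    if [ -z "$live" ]; then
        echo "off:sysctl"
    elif [ "$all" = "1" ]; then
        echo "partial:$live"      # global knob set, but these interfaces differ
    else
        addrs=0
        if [ -r "$proc/net/if_inet6" ]; then
            addrs=$(grep -c . "$proc/net/if_inet6" || true)
        fi
        echo "on:$addrs"          # count of IPv6 addresses currently configured
    fi
}

ipv6_state "$@"
```

A result of off:bootarg explains the "cannot stat" error from sysctl -p quoted at the start of the thread, while partial:<names> means the global setting did not end up applying to every interface.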