How to disable ipv6 system-wide?

NethServer Version: 7.9.2009
Module: System

Hello world!

Having to use IPv6 has caused me nothing but headaches. From servers being unreachable to (in this case) not being able to configure Smart Hosts. Is there a way to disable IPv6 permanently on NethServer so I can use the features as normal? IPv6 is not supported/enabled in my internal network.

Maybe it’s enough to disable ipv6 for postfix?

In the following thread you’ll also find how to disable ipv6 completely. In this case you need an unbound fix.

I’ve followed the instructions you gave me (with the unbound fix) but when I try to set up a smart host I’m still getting these errors:

Mar 07 12:16:08 cockpit-bridge[31934]: *** Error connecting to smtp.mail.provider:25:
Mar 07 12:16:08 cockpit-bridge[31934]: *** IO::Socket::INET6: connect: timeout

To disable system-wide, i.e. on CentOS 7, IIRC:

echo "net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf && sysctl -p

Should work

Almost forgot, to avoid SSH issues:

echo "AddressFamily inet" >> /etc/ssh/sshd_config && systemctl restart sshd

I’ve followed MrMarkuz about creating a postfix template. When that didn’t work I followed this:

After that didn’t work I rebooted the machine and now I cannot access the webUI anymore (ERR_CONNECTION_REFUSED) on port 9090.

Port 80 works fine though, but as soon as I click on Server Manager I get above error.
I’m using the internal IP of the server so it’s not a DNS issue or something like that.

Check that cockpit is up
systemctl status cockpit

Thanks for the tip.

The service was unable to start, running journalctl -xe gives me this:

[root@proxy ~]# journalctl -xe
Mar 07 13:47:23 rspamd[3086]: <i46iun>; lua; bayes_expiry.lua:447: tokens occurrences, in spam: {nil}
Mar 07 13:47:23 rspamd[3086]: <i46iun>; lua; bayes_expiry.lua:447: tokens occurrences, total: {nil}
Mar 07 13:47:27 rspamd[3086]: <1u5hdp>; map; http_map_finish: data is not modified for server maps.rspamd.com, next check at Mon, 07 Mar 2022 16:47:27 GMT (http cache based: Mon, 07 Mar
Mar 07 13:47:27 kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= MAC=bc:5f:f4:0b:86:1a:18:35:d1:09:b0:48:08:00 SRC=88.198.198.21 DST=192.168.2.236 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4788 D
Mar 07 13:47:27 kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= MAC=bc:5f:f4:0b:86:1a:18:35:d1:09:b0:48:08:00 SRC=88.198.198.21 DST=192.168.2.236 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=4789 D
Mar 07 13:47:28 rspamd[3086]: <dyatkr>; map; http_map_finish: data is not modified for server maps.rspamd.com, next check at Mon, 07 Mar 2022 16:47:28 GMT (http cache based: Mon, 07 Mar
Mar 07 13:47:28 rspamd[3086]: <o33omj>; map; http_map_finish: data is not modified for server maps.rspamd.com, next check at Mon, 07 Mar 2022 16:42:55 GMT (http cache based: Mon, 07 Mar
Mar 07 13:47:28 kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= MAC=bc:5f:f4:0b:86:1a:18:35:d1:09:b0:48:08:00 SRC=88.198.198.21 DST=192.168.2.236 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5586 D
Mar 07 13:47:28 kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= MAC=bc:5f:f4:0b:86:1a:18:35:d1:09:b0:48:08:00 SRC=151.115.41.123 DST=192.168.2.236 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=26586
Mar 07 13:47:28 kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= MAC=bc:5f:f4:0b:86:1a:18:35:d1:09:b0:48:08:00 SRC=151.115.41.123 DST=192.168.2.236 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=26587
Mar 07 13:47:31 polkitd[827]: Registered Authentication Agent for unix-process:10010:440942 (system bus name :1.26 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freed
Mar 07 13:47:31 systemd[1]: cockpit.socket failed to listen on sockets: Address family not supported by protocol
Mar 07 13:47:31 systemd[1]: Starting Cockpit Web Service Socket.
-- Subject: Unit cockpit.socket has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit cockpit.socket has begun starting up.
Mar 07 13:47:31 systemd[1]: Failed to listen on Cockpit Web Service Socket.
-- Subject: Unit cockpit.socket has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit cockpit.socket has failed.
--
-- The result is failed.
Mar 07 13:47:31 systemd[1]: Dependency failed for Cockpit Web Service.
-- Subject: Unit cockpit.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit cockpit.service has failed.
--
-- The result is dependency.
Mar 07 13:47:31 systemd[1]: Job cockpit.service/start failed with result 'dependency'.
Mar 07 13:47:31 polkitd[827]: Unregistered Authentication Agent for unix-process:10010:440942 (system bus name :1.26, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale
Mar 07 13:47:31  systemd[1]: Unit cockpit.socket entered failed state.
Mar 07 13:47:31  systemd[1]: Starting Cockpit motd updater service...
-- Subject: Unit cockpit-motd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit cockpit-motd.service has begun starting up.
Mar 07 13:47:31 systemd[1]: Started Cockpit motd updater service.
-- Subject: Unit cockpit-motd.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit cockpit-motd.service has finished starting up.
--
-- The start-up result is done.
[root@proxy ~]#
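
A way to triage the failure shown in the journal above, as an added example that is not part of the original posts and not NethServer or Cockpit code: it extracts the socket units that failed with that error and probes whether the host can still create and bind IPv6 sockets. The function names, the state labels and the injectable `make_socket` parameter are assumptions of this example.

```python
import errno
import re
import socket

# Journal lines copied from the output above (sample input for the parser).
SAMPLE_JOURNAL = """\
Mar 07 13:47:31 systemd[1]: cockpit.socket failed to listen on sockets: Address family not supported by protocol
Mar 07 13:47:31 systemd[1]: Failed to listen on Cockpit Web Service Socket.
Mar 07 13:47:31 systemd[1]: Dependency failed for Cockpit Web Service.
"""

# The message text is the Linux description of errno EAFNOSUPPORT.
EAFNOSUPPORT_TEXT = "Address family not supported by protocol"
FAILED_LISTEN = re.compile(
    r"systemd\[\d+\]: (\S+\.socket) failed to listen on sockets: "
    + re.escape(EAFNOSUPPORT_TEXT)
)


def sockets_missing_family(journal_text):
    """Return the socket units that could not listen for this reason."""
    return sorted(set(FAILED_LISTEN.findall(journal_text)))


def probe_ipv6(make_socket=socket.socket):
    """Classify IPv6 as 'family-unavailable', 'no-addresses' or 'usable'."""
    try:
        sock = make_socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            # socket() itself is refused: anything that insists on an
            # IPv6 listener fails the way cockpit.socket did.
            return "family-unavailable"
        raise
    try:
        sock.bind(("::1", 0))  # port 0: the kernel picks a free port
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            # Family exists but ::1 is not configured, which is the usual
            # state after the disable_ipv6 sysctls.
            return "no-addresses"
        raise
    finally:
        sock.close()
    return "usable"


if __name__ == "__main__":
    print("units:", sockets_missing_family(SAMPLE_JOURNAL))
    print("host IPv6 state:", probe_ipv6())
```

Run it before and after changing the IPv6 settings; a move to `family-unavailable` means socket units that require an IPv6 listener need an IPv4 override before the next reboot.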

I’m not in front of a pc now but I’m going to check later.
In the meanwhile you could revert the changes to make cockpit work again.

Could you please share the exact error you get with ipv6?

Does your WAN connection use an ipv6 address?

Do you use an IPv6 router? You may try to disable ipv6 there too.

When I re-enable ipv6 by modifying /etc/sysctl.conf and removing the added directives and rebooting afterwards, the cockpit service comes back online.

But as soon as I either follow

or

and reboot, the cockpit service dies again with the
cockpit.socket failed to listen on sockets: Address family not supported by protocol
error message.

My WAN interface is getting a DHCP address from my router which does not support IPv6.

The reason I want to disable IPv6 entirely is that it is of no use in my internal network for the reason stated above and in my original post.

When I try to enable the smart host the logs don’t show anything except timeout for the INET6 reason.

I’m sorry, it seems disabling IPv6 completely is not an option anymore. Usually it should work with ipv6 enabled, maybe there’s another issue.

Does mailing work? Are there errors in /var/log/maillog?

Can you ping the host? Does it use port 25?

What if you choose another smarthost, do you get the same error?

Maybe there are firewall rules blocking the traffic?

Ah that’s a shame.

I wouldn’t know if mailing would work because both the Smart Host options and configuring the Email package do not work. /var/log/maillog does not show any errors so that’s a good sign I think.

The host does not use port 25 I noticed but when I tried the correct port number it also didn’t work.
I also tried a different smart host (both are pingable from Neth) but that just gives the same weird behavior.

The firewall that is installed on Nethserver isn’t configured yet (doesn’t have any interfaces as I only use a green interface).

Ok, I just changed my only network interface to a wan interface. Now the firewall is picking up the interface.

When I look at the services rules I see that both dovecot and postfix are allowed so I don’t think this is a firewall issue.

I think I figured it out, trying a different host on the same port gave me nothing in the logs.

Changing the port from 465 to 587 however revealed that the smart host I’m using uses a cipher which is not supported by Nethserver. Changing the smart host to my work email worked.

The cipher that doesn’t work is ECDHE-RSA-AES256-GCM-SHA384
The cipher that does work is ECDHE-RSA-AES128-GCM-SHA256

Is there any plan to start supporting the first cipher?

Closing this as my original question was answered and now we know why the smart host didn’t work.

Thanks for the help all!

It should be supported, see "Enhance security, TLS policy, harden apache". Maybe you need to set a newer TLS policy?
