Re: disabling ipv6 kernel module
Hello:-

I have ipv6 and net-pf-10 disabled in /etc/modules.conf, deleted the ipv6 module from /lib/modules and rebooted to unload the module. HOWEVER, some programs (telnet, ssh) still look for records in DNS and only when this fails look for A records. This slows everything down. How can I disable the lookup?

Walter

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: disabling ipv6 kernel module
Jason Martens wrote:
> Jörg Harmuth wrote:
>> Sorry, forgot to send it to the list, my fault.
>>
>> btb wrote:
>>> On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
>>>> Hi Ben,
>>>>
>>>>> what is the proper approach to achieving this?
>>>>
>>>> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>>>>
>>>> Have a nice time
>>>>
>>>> Joerg
>>>
>>> hi joerg-
>>>
>>> thanks for replying.
>>>
>>> i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?
>>>
>>> -ben
>>
>> Hi Ben,
>>
>> yes and no in my opinion. It is convenient to be able to disable kernel features at load time (and of course run-time). But they still exist and a successful attacker could exploit one or more of them. For me the better choice is to _really_ disable them (those I don't need) in the kernel configuration. If it's not there - what can you do with it?
>>
>> If you have never done kernel configuration it is hard work. I mean understanding all the things you should know for this. But in Debian there is a convenient way to do this (it is said to be convenient, but I never tried it - sorry, I don't even know the name of the package :( Hey list, can you help?) But in my opinion it's worth while. It serves a lot of purposes.
>
> make-kpkg is what you are looking for. Install the package "kernel-package" and do a man make-kpkg. Should get you started.
>
> Jason

kernel-package was not created to simplify things for new users, and it really does make things slightly more complicated. It might be better to try the old-fashioned way until you're confident.

kernel-package is great for people who know what they're doing, it aids in kernel redistribution, upgrades, removal, etc -- things mostly irrelevant to those who have never compiled the kernel before. It does help by being slightly more intelligent in regards to adding the kernel to boot menus/etc, but overall it will probably make things more hairy since 95% of all documentation about kernel compilation will be inaccurate.

I could be wrong.. I did things this way, others may have started with kernel-package and have had no problems whatsoever. Neither way is the right way, but it might be wise to learn how the screwdriver works before attempting the power drill.
Re: disabling ipv6 kernel module
btb wrote:
> On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
>> Hi Ben,
>>
>>> what is the proper approach to achieving this?
>>
>> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>>
>> Have a nice time
>>
>> Joerg
>
> hi joerg-
>
> thanks for replying.
>
> i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?
>
> -ben

The greatest advantage of a modular kernel is that it is portable. Modules are necessary for 'standard kernels' as they are intended to work on a large audience. Linux becomes much more attractive to new users when they don't have to build the system themselves to get the hardware support they need. Not that modules don't provide a quicker way to 'turn off' unnecessary protocols/etc, but that was possible before modules, so it isn't likely why they were implemented.

IMO, once a system is set up the novelty of modules quickly wears off, and then it's time to build a kernel with the stuff that's always used built in, while the stuff that's never used is removed. Building the kernel can be hairy at first, but it is the best overall solution, as you can tailor everything to fit your needs.

Turning off ipv6 is overall unnecessary, but since you want to anyway, it's obvious you want to fine tune your system. So why not do it properly and build yourself a kernel? There are many who can and will help you on this list if you decide to and run into trouble.

Michael Spang
Re: disabling ipv6 kernel module
Jörg Harmuth wrote:
> Sorry, forgot to send it to the list, my fault.
>
> btb wrote:
>> On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
>>> Hi Ben,
>>>
>>>> what is the proper approach to achieving this?
>>>
>>> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>>>
>>> Have a nice time
>>>
>>> Joerg
>>
>> hi joerg-
>>
>> thanks for replying.
>>
>> i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?
>>
>> -ben
>
> Hi Ben,
>
> yes and no in my opinion. It is convenient to be able to disable kernel features at load time (and of course run-time). But they still exist and a successful attacker could exploit one or more of them. For me the better choice is to _really_ disable them (those I don't need) in the kernel configuration. If it's not there - what can you do with it?
>
> If you have never done kernel configuration it is hard work. I mean understanding all the things you should know for this. But in Debian there is a convenient way to do this (it is said to be convenient, but I never tried it - sorry, I don't even know the name of the package :( Hey list, can you help?) But in my opinion it's worth while. It serves a lot of purposes.

make-kpkg is what you are looking for. Install the package "kernel-package" and do a man make-kpkg. Should get you started.

Jason
Re: disabling ipv6 kernel module
On Thu, 2004-11-18 at 21:56 +0100, Jörg Harmuth wrote:
> btb wrote:
>> On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
>>> Hi Ben,
>>>
>>>> what is the proper approach to achieving this?
>>>
>>> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>>>
>>> Have a nice time
>>>
>>> Joerg
>>
>> hi joerg-
>>
>> thanks for replying.
>>
>> i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?
>>
>> -ben
>
> Hi Ben,
>
> yes and no in my opinion. It is convenient to be able to disable kernel features at load time (and of course run-time). But they still exist and a successful attacker could exploit one or more of them. For me the better choice is to _really_ disable them (those I don't need) in the kernel configuration. If it's not there - what can you do with it?
>
> If you have never done kernel configuration it is hard work. I mean understanding all the things you should know for this. But in Debian there is a convenient way to do this (it is said to be convenient, but I never tried it - sorry, I don't even know the name of the package :( Hey list, can you help?) But in my opinion it's worth while. It serves a lot of purposes.

I just let everything go. IPv6 is one of those troublesome modules.

I just delete all the ipv6 modules (clearly there are other alternatives) and it works for me, I get 2 error messages during boot caused by them being gone. Not really a problem though. As it was deliberate.

--
greg, [EMAIL PROTECTED]
The technology that is Stronger, better, faster: Linux
Re: disabling ipv6 kernel module
Sorry, forgot to send it to the list, my fault.

btb wrote:
> On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
>> Hi Ben,
>>
>>> what is the proper approach to achieving this?
>>
>> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>>
>> Have a nice time
>>
>> Joerg
>
> hi joerg-
>
> thanks for replying.
>
> i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?
>
> -ben

Hi Ben,

yes and no in my opinion. It is convenient to be able to disable kernel features at load time (and of course run-time). But they still exist and a successful attacker could exploit one or more of them. For me the better choice is to _really_ disable them (those I don't need) in the kernel configuration. If it's not there - what can you do with it?

If you have never done kernel configuration it is hard work. I mean understanding all the things you should know for this. But in Debian there is a convenient way to do this (it is said to be convenient, but I never tried it - sorry, I don't even know the name of the package :( Hey list, can you help?) But in my opinion it's worth while. It serves a lot of purposes.

Have a nice time

Joerg
Re: disabling ipv6 kernel module
On Nov 18, 2004, at 14.49, Niall Sheridan wrote:
> On Thu, 2004-11-18 at 13:44 -0600, Jason Martens wrote:
>> The logic seems kind of backward, but it works. Just remember to run update-modules (as root) after you edit this file.
>
> For 2.4 yes. For 2.6 no - edit /etc/modprobe.d/aliases.
>
>> Jason
>
> Niall

does it strike anyone else that if this is in fact the proper way to achieve this, maybe the file shouldn't say "don't edit"?

-ben
Re: disabling ipv6 kernel module
On Nov 18, 2004, at 14.44, Jason Martens wrote:
> btb wrote:
>> hello-
>>
>> i have kernel 2.6.8 - and am having difficulty understanding how to properly keep the ipv6 module from loading. initially, i included it in the hotplug blacklist, along with a few others, but this didn't work. the other modules were not loaded, but ipv6 still was. i believe, if i understand correctly, this is because if something asks for it, it will load, even if it's blacklisted w/ hotplug. my problem is that i know there are plenty of processes asking for it simply because they can, not because they need to.
>>
>> after many hours of reading about modutils, module-init-tools, rmmod, modprobe.d, modprobe.conf, and many others, the only thing i could come up with was to change the line in /etc/modprobe.d/aliases to:
>>
>> alias net-pf-10 off
>>
>> and did an update-modules and a depmod. this did indeed work, but i believe it is not the correct way to do this. especially since the aliases file i had to edit says right at the top 'this file does not need to be modified'
>>
>> what is the proper approach to achieving this?
>
> I think you can do this by editing /etc/modutils/aliases:
>
> # Aliases to tell insmod/modprobe which modules to use
> # Uncomment the network protocols you don't want loaded:
> # alias net-pf-1 off    # Unix
> # alias net-pf-2 off    # IPv4
> # alias net-pf-3 off    # Amateur Radio AX.25
> # alias net-pf-4 off    # IPX
> # alias net-pf-5 off    # DDP / appletalk
> # alias net-pf-6 off    # Amateur Radio NET/ROM
> # alias net-pf-9 off    # X.25
> # alias net-pf-10 off   # IPv6
> # alias net-pf-11 off   # ROSE / Amateur Radio X.25 PLP
> # alias net-pf-19 off   # Acorn Econet
>
> The logic seems kind of backward, but it works. Just remember to run update-modules (as root) after you edit this file.
>
> Jason

thanks jason-

i don't actually have a /etc/modutils/aliases file. that appears to be part of modutils, which according to packages.debian.org is superseded by module-init-tools for kernel 2.5.48 and above. in fact, the only file i have in /etc/modutils is setserial.

i do have, in /etc, a modules.conf.old, that contains lines similar to those (in fact identical), but obviously some package decided that it shouldn't be used any longer... (it seems also to be part of modutils)

what's also weird, is that there have been many suggestions to use update-modules, yet the man page says "update-modules is an obsolete command."
Re: disabling ipv6 kernel module
On Nov 18, 2004, at 14.22, Jörg Harmuth wrote:
> Hi Ben,
>
>> what is the proper approach to achieving this?
>
> I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.
>
> Have a nice time
>
> Joerg

hi joerg-

thanks for replying.

i did start down that road a bit - and found out i am not yet comfortable enough with that process to trust myself (very very new to debian). besides, isn't the idea of loading and unloading (or not loading) modules that you don't have to recompile your kernel for this type of thing?

-ben
Re: disabling ipv6 kernel module
On Thu, 2004-11-18 at 13:44 -0600, Jason Martens wrote:
> The logic seems kind of backward, but it works. Just remember to run update-modules (as root) after you edit this file.

For 2.4 yes. For 2.6 no - edit /etc/modprobe.d/aliases.

> Jason

Niall
Re: disabling ipv6 kernel module
btb wrote:
> hello-
>
> i have kernel 2.6.8 - and am having difficulty understanding how to properly keep the ipv6 module from loading. initially, i included it in the hotplug blacklist, along with a few others, but this didn't work. the other modules were not loaded, but ipv6 still was. i believe, if i understand correctly, this is because if something asks for it, it will load, even if it's blacklisted w/ hotplug. my problem is that i know there are plenty of processes asking for it simply because they can, not because they need to.
>
> after many hours of reading about modutils, module-init-tools, rmmod, modprobe.d, modprobe.conf, and many others, the only thing i could come up with was to change the line in /etc/modprobe.d/aliases to:
>
> alias net-pf-10 off
>
> and did an update-modules and a depmod. this did indeed work, but i believe it is not the correct way to do this. especially since the aliases file i had to edit says right at the top 'this file does not need to be modified'
>
> what is the proper approach to achieving this?

I think you can do this by editing /etc/modutils/aliases:

# Aliases to tell insmod/modprobe which modules to use
# Uncomment the network protocols you don't want loaded:
# alias net-pf-1 off    # Unix
# alias net-pf-2 off    # IPv4
# alias net-pf-3 off    # Amateur Radio AX.25
# alias net-pf-4 off    # IPX
# alias net-pf-5 off    # DDP / appletalk
# alias net-pf-6 off    # Amateur Radio NET/ROM
# alias net-pf-9 off    # X.25
# alias net-pf-10 off   # IPv6
# alias net-pf-11 off   # ROSE / Amateur Radio X.25 PLP
# alias net-pf-19 off   # Acorn Econet

The logic seems kind of backward, but it works. Just remember to run update-modules (as root) after you edit this file.

Jason
Re: disabling ipv6 kernel module
Hi Ben,

> what is the proper approach to achieving this?

I don't know what the proper approach is, but if everything works correctly without ipv6 (I had problems without ipv6 some time ago, but I can't really recall what was up there) why not compile a kernel without ipv6 support? This definitely works, if it is a possibility at all. And it gives you the chance to remove more things you don't need from your kernel.

Have a nice time

Joerg
disabling ipv6 kernel module
hello-

i have kernel 2.6.8 - and am having difficulty understanding how to properly keep the ipv6 module from loading. initially, i included it in the hotplug blacklist, along with a few others, but this didn't work. the other modules were not loaded, but ipv6 still was. i believe, if i understand correctly, this is because if something asks for it, it will load, even if it's blacklisted w/ hotplug. my problem is that i know there are plenty of processes asking for it simply because they can, not because they need to.

after many hours of reading about modutils, module-init-tools, rmmod, modprobe.d, modprobe.conf, and many others, the only thing i could come up with was to change the line in /etc/modprobe.d/aliases to:

alias net-pf-10 off

and did an update-modules and a depmod. this did indeed work, but i believe it is not the correct way to do this. especially since the aliases file i had to edit says right at the top 'this file does not need to be modified'

what is the proper approach to achieving this?

any insight is greatly appreciated

-ben
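
Added example, not part of the original thread: a shell check for the state the post above describes, that net-pf-10 is aliased to off in the modprobe configuration and that the ipv6 module is not currently loaded. The function names and the sample files are constructed for illustration; on a real system the inputs would be /proc/modules and /etc/modprobe.d/aliases.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether on-demand loading of
# ipv6 is switched off via "alias net-pf-10 off" and whether the module is
# already loaded. Function names and sample data are made up for this example.

# Print every distinct target of an uncommented "alias net-pf-10 ..." line.
alias_targets() {
    awk '{ sub(/#.*/, "") }
         $1 == "alias" && $2 == "net-pf-10" && !seen[$3]++ {
             out = out (out == "" ? "" : " ") $3
         }
         END { print out }' "$@"
}

# Succeed if ipv6 appears as a module name in a /proc/modules-format file.
ipv6_loaded() {
    awk '$1 == "ipv6" { found = 1 } END { exit !found }' "$1"
}

# audit_ipv6 MODULES_FILE CONFIG_FILE...  -> one-line verdict on stdout
audit_ipv6() {
    modules_file=$1; shift
    targets=$(alias_targets "$@")
    if ipv6_loaded "$modules_file"; then
        echo "FAIL: ipv6 module is loaded"
    elif [ -z "$targets" ]; then
        echo "WARN: no alias line for net-pf-10 found"
    elif [ "$targets" = "off" ]; then
        echo "OK: net-pf-10 is aliased to off and ipv6 is not loaded"
    else
        # Any target other than "off" means a request can still pull a module in.
        echo "WARN: net-pf-10 is aliased to: $targets"
    fi
}

# Constructed sample data so the script runs without touching the real system.
make_samples() {
    printf '%s\n' '# alias net-pf-4 off   # IPX' \
                  'alias net-pf-10 off    # IPv6' > "$1/aliases.off"
    printf '%s\n' 'alias net-pf-10 ipv6' > "$1/aliases.default"
    printf '%s\n' 'ipv6 264321 12 - Live 0xf8a00000' \
                  'e1000 90000 0 - Live 0xf8900000' > "$1/modules.with"
    printf '%s\n' 'e1000 90000 0 - Live 0xf8900000' > "$1/modules.without"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_ipv6 "$tmp/modules.without" "$tmp/aliases.off"      # edited config, clean state
audit_ipv6 "$tmp/modules.without" "$tmp/aliases.default"  # alias still points at ipv6
audit_ipv6 "$tmp/modules.with"    "$tmp/aliases.off"      # config edited, module still resident
rm -rf "$tmp"
```

The third case is the one worth watching for: editing the alias does not unload a module that is already resident, so the check reports the loaded module before it looks at the configuration.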