As we live in different time zones and some of us need to sleep sometimes (except Shawn...), I made some changes to disable IPv6 today.
Unbound is just an example, so you need to modify the IP addresses, network and domain mask wherever they are used.
I still need to check whether the RPC IPv6 socket is needed or not. EFA is up and running (without IPv6).
disable ipv6 centos7 EFA
REMARK: I use the conventional interface naming, i.e. eth(x) and not ens(X), due to the net.ifnames=0 kernel boot parameter.
Do not disable IPv6 in the kernel boot options !!!
reboot when ready !!!
First, check the current IPv6 state:
# Listening TCP/UDP sockets with the owning process (-p shows other users' processes only as root);
# anything still bound to IPv6 shows up as tcp6/udp6
netstat -tunlp
# "net6" also matches "inet6", so this lists any remaining IPv6 addresses
# (ip -6 addr / ss -tunlp are the iproute2 equivalents of the two checks below)
ip addr show | grep net6
ifconfig -a | grep inet6
Chrony
# Command-line options for chronyd
# -4 = use IPv4 sockets only (chronyd(8)); the unit file reads this from /etc/sysconfig/chronyd — confirm the path on your install
#OPTIONS=""
OPTIONS="-4"
/etc/sysconfig/ntpdate
# Options for ntpdate
# -4 = resolve and query over IPv4 only; -p 2 (samples per server) is the previous default, kept unchanged
#OPTIONS="-p 2"
OPTIONS="-4 -p 2"
network
# Created by anaconda and henk
# System-wide network defaults; the per-interface ifcfg-eth0 below must agree with these
NETWORKING_IPV6=no
IPV6INIT=no
IPV6_AUTOCONF=no
DHCPV6=no
IPV6FORWARDING=no
interface
/etc/sysconfig/network-scripts/ifcfg-eth0
# Generated by parse-kickstart
# IPv6 is switched off for this interface; the kernel side is handled by the sysctl settings below
IPV6INIT=no
IPV6_AUTOCONF=no
# Static addressing, no DHCP
BOOTPROTO="none"
DEVICE=eth0
ONBOOT=yes
# Placeholder — keep the UUID that was generated for your own NIC
UUID=blalalala
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME="eth0"
IPADDR="172.16.1.15"
NETMASK="255.255.0.0"
GATEWAY="172.16.1.1"
# Local unbound resolver (see the unbound section)
DNS1="127.0.0.1"
# IPv6 loopback resolver is no longer reachable once IPv6 is disabled
#DNS2="::1"
# firewalld zone this interface is bound to (matches "interfaces: eth0" in the zone listing)
ZONE=public
Disable ipv6
# Kernel side: put these in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply with sysctl -p / sysctl --system
net.ipv6.conf.all.disable_ipv6 = 1
# "default" covers interfaces created after these settings are applied
net.ipv6.conf.default.disable_ipv6= 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
# Hardening: ignore router advertisements and ICMPv6 redirects even if IPv6 is ever re-enabled
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
Set MailScanner to 443
/var/www/html/mailscanner/.htaccess
# Disable directory listings for the MailScanner web UI
Options -Indexes
# NOTE(review): Listen is only valid in server-config context (httpd.conf / ssl.conf), not in .htaccess,
# where httpd rejects it; the HTTPS listener is the "Listen 443 https" line in ssl.conf below
Listen 0.0.0.0:443
Still need to check whether more ports or services are needed, and how to add dhcp, bacula-client, pop3, pop3s and ntp.
public
interfaces: eth0
public
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
firewall-cmd --zone=public --list-ports
443/tcp 587/tcp 80/tcp
# NOTE(review): the zone still allows "dhcpv6-client" although IPv6 is disabled; it is inert without IPv6,
# but for a minimal ruleset it can be dropped (firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client,
# then firewall-cmd --reload). pop3/pop3s for the dovecot service below are not opened yet, as noted in the TODO above.
firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http smtp
ports: 443/tcp 587/tcp 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
SELinux
Enforcing
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
SSH
# ssh_config(5) man page.
# Client side (this header is from the system-wide ssh_config): outgoing ssh uses IPv4 only
AddressFamily inet
# Host
# Server side (the commented defaults below look like sshd_config): sshd binds IPv4 only;
# the "::" ListenAddress is deliberately left commented out
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
AddressFamily inet
ListenAddress 0.0.0.0
#Listen 12.34.56.78:80
#Listen 80
# Bind plain HTTP explicitly to the IPv4 wildcard; a bare "Listen 80" may also try the IPv6 wildcard socket
Listen 0.0.0.0:80
Add ServerTokens, ServerSignature and TraceEnable to the SSL conf
#
# When we also provide SSL we have to listen to the
# standard HTTPS port in addition.
#
# This is the real HTTPS listener; "Listen 0.0.0.0:443 https" would keep it IPv4-only like the port 80 line
Listen 443 https
# ServerTokens and ServerSignature are server-wide directives wherever they are placed:
# "OS" still advertises the OS in the Server header and "On" appends the server/OS line to
# error pages — "ServerTokens Prod" and "ServerSignature Off" disclose the least.
ServerTokens OS
ServerSignature On
# Refuse the HTTP TRACE method (cross-site tracing)
TraceEnable Off
SQLGREY
## Socket
# On which socket do SQLgrey wait for queries
# use the following if you need to bind on a public IP address
# inet = <public_ip>:2501
# to bind on a UNIX socket, use the following:
# unix = /path/to/socket
# default :
# inet = 2501 # bind to localhost:2501
# Bound to loopback only, so just Postfix on this host reaches the policy daemon (and no IPv6 listener is created)
inet = 127.0.0.1:2501
Postfix
# Listen on the primary address and loopback only, not on every interface
inet_interfaces = $myhostname, localhost
# Enable IPv4, and IPv6 if supported
#inet_protocols = ipv4, ipv6
inet_protocols = ipv4
# Brackets suppress the MX lookup; replace the placeholder with the real downstream mail server
relayhost = [FQDN mail server]
#mynetworks = 127.0.0.0/8 [::1]/128
# NOTE(review): with the default smtpd_relay_restrictions, mynetworks grants unauthenticated relaying
# (permit_mynetworks) — a whole /16 lets every LAN host relay through this box; narrow it to the hosts that must relay
mynetworks = 127.0.0.0/8, 172.16.0.0/16
###### START eFa ADDED DOMAINS ######
# Looks like a transport(5) entry: mail for private.lan is handed to the internal server over SMTP;
# the brackets skip the MX lookup, and <<fqdn mail server>> is a placeholder
private.lan smtp:[<<fqdn mail server>>]
HEADER_CHECKS(5)
# Drop the Received: header added by the local loopback hop (IGNORE deletes the matching header line);
# the ::1 variant is not needed once IPv6 is disabled
/^Received:\ from\ sansspam.private.lan\ \(localhost\ \[127.0.0.1/ IGNORE
#/^Received:\ from\ sansspam.private.lan\ \(localhost\ \[::1/ IGNORE
# hosts file: the IPv6 loopback entry is commented out to match disable_ipv6; FQDN first, short name as alias
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.1.15 sansspam.private.lan sansspam
dovecot
Decide which protocols to use.
# Protocols we want to be serving.!!!
# Only POP3 is served; imap and lmtp stay off.
# NOTE(review): POP3 on port 110 without TLS sends credentials in clear — keep dovecot's default
# disable_plaintext_auth in place and prefer pop3s (995) for clients that are not on this host;
# whichever is used still has to be opened in the firewalld zone above.
#protocols = imap pop3 lmtp
protocols = pop3
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# "::" dropped so dovecot does not try to bind an IPv6 socket
listen = *
unbound
# The server clause sets the main parameters.
server:
# Listen on loopback only — this resolver serves the local box, not the LAN
interface: 127.0.0.1
# Source address for upstream queries (the host's own eth0 address)
outgoing-interface: 172.16.1.15
do-ip4: yes
do-ip6: no
cache-min-ttl: 900
# Refuse id.server / version.server style queries
hide-identity: yes
hide-version: yes
# private-domain permits private addresses in answers for this zone; private-address rejects them
# for all other names (DNS rebinding protection)
private-domain: "private.lan."
private-address: 172.16.0.0/16
# domain-insecure: the DNSSEC chain of trust is not enforced below private.lan (presumably an unsigned
# internal AD zone) — intentional, but keep it scoped to this one zone
domain-insecure: "private.lan."
# control which clients are allowed to make (recursive) queries
access-control: 127.0.0.0/8 allow
# (this now fails on all GoDaddy customer domains, so disabled)
# use-caps-for-id is the 0x20 anti-spoofing measure; turning it off lowers cache-poisoning resistance a little
use-caps-for-id: no
# NOTE(review): 17.172.in-addr.arpa. is the reverse zone of 172.17.0.0/16, but every address on this page
# is in 172.16.0.0/16, whose reverse zone is 16.172.in-addr.arpa. — confirm which network is intended
# (the same name is used in the reverse forward-zone below)
local-zone: "17.172.in-addr.arpa." transparent
remote-control:
# unbound-control reachable from this host only
control-interface: 127.0.0.1
# Stub and Forward zones
forward-zone:
name: "private.lan"
forward-addr: 172.16.1.17 # SAMBA AD
# forward-first: ask the forwarder first, fall back to normal recursion if it fails
forward-first: yes
forward-zone:
name: "17.172.in-addr.arpa."
forward-addr: 172.16.1.17 # SAMBA AD
forward-first: yes
/etc/unbound/conf.d/forwarders.conf
# Everything not matched by the zones above goes to the gateway's resolver; forward-first falls back to recursion if it fails
forward-zone:
name: "."
forward-addr: 172.16.1.1
forward-first: yes
RPC? Still need to check.
[root@sansspam NetworkManager]# systemctl cat rpcbind.socket
# /usr/lib/systemd/system/rpcbind.socket
# NOTE(review): with net.ipv6.conf.all.disable_ipv6 = 1 the [::]:111 listeners below may fail to bind and the
# socket unit can fail to start. Rather than editing this vendor file, add a drop-in (systemctl edit rpcbind.socket)
# that resets ListenStream= / ListenDatagram= and lists only the unix and 0.0.0.0 entries — or disable/mask the
# unit if nothing on this box uses RPC/NFS. Port 111 is not opened in the firewalld zone above, so either way it
# is reachable from this host only.
[Unit]
Description=RPCbind Server Activation Socket
[Socket]
ListenStream=/var/run/rpcbind.sock
# RPC netconfig can't handle ipv6/ipv4 dual sockets
BindIPv6Only=ipv6-only
ListenStream=0.0.0.0:111
ListenDatagram=0.0.0.0:111
ListenStream=[::]:111
ListenDatagram=[::]:111
[Install]
WantedBy=sockets.target
# Apply everything ("reboot when ready" above): the sysctl and ifcfg changes take effect at boot
systemctl reboot