[clug] Bridge setup without IP address configuration turn off end station autoconfiguration
Robert Edwards
bob at cs.anu.edu.au
Thu Apr 9 22:52:42 UTC 2020
Hi George,
Do you actually need IPv6 on this system? I usually disable it on all my
systems that don't need it as it is still a potential security hole if
not separately managed to IPv4 security (firewall rules, various service
configurations etc. etc.).
I add:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
to the end of /etc/sysctl.conf and then run:
sudo sysctl -p
(happens automatically on reboot).
IPv6 is immediately disabled and will go away on all interfaces.
cheers,
Bob Edwards.
On 9/4/20 11:51 pm, George at Clug via linux wrote:
> Hi,
>
> I wanted a KVM host server with an isolated network bridge without IP
> address configuration for both IPv4 and IPv6.
>
>
> I am interested if anyone can explain how to achieve this. Setting
> up IPv4 bridge without IP addresses was not too difficult, however
> getting IPv6 not to auto configure IPv6 addresses was challenging.
> Sadly I don't understand linux networking enough to truly be confident
> that I have been successful or not.
>
>
> If you understand the below /etc/network/interfaces lines, please let
> me know which lines you believe are correct, which are incorrect and
> why.
>
> My understanding is that I need to "turn off end station
> autoconfiguration" by setting "autoconf 0", and "accept_ra 0", however
> the bridge was still being assigned an IP address.
>
>
> Two examples that I have tried:
> 1)
>
> auto br1
> iface br1 inet manual
> bridge_ports eth4
> bridge_stp on
> bridge_fd 0
> bridge_maxwait 0
> bridge_waitport 0
>
> iface br1 inet6 manual
> autoconf 0
> accept_ra 0
> bridge_ports eth4
> bridge_stp on
> bridge_fd 0
> bridge_maxwait 0
> bridge_waitport 0
>
> ===============================================
> 2)
> I found this link, which was for IPv4 but the IPv6 address was still
> being assigned, even when I duplicated the details for IPv6.
> Adding "autoconf 0", and "accept_ra 0" did not stop an IPv6 address
> being assigned.
>
> https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
> Example: Bridge setup without IP address configuration (use "manual"
> instead of "static") to "forward" an interface to a guest VM. (The
> static bridge config contains only 1 physical interface. The virtual
> interface will be added to the bridge when the VM is started.)
>
> auto br1
> iface br1 inet manual
> bridge_ports eth4
> up /usr/sbin/brctl setageing br1 0
> up /usr/sbin/brctl stp br1 off
>
> iface br1 inet6 manual
> bridge_ports eth4
> up /usr/sbin/brctl setageing br1 0
> up /usr/sbin/brctl stp br1 off
>
> ===============================================
>
> Below are some links I used for information.
>
> https://www.rmv6tf.org/wp-content/uploads/2013/04/2-End-Station-Addressing.pdf
> Stateless Address Autoconfiguration (SLAAC) is the default method IPv6
> hosts obtain an IPv6 address. End stations automatically generate the
> Interface ID (lower 64 bits) of their address as an EUI-64 address
> based on the station MAC address. The Prefix is provided to the end
> station via a Router Advertisement (RA).
>
> https://howdoesinternetwork.com/2013/slaac
> As a result, an IPv6 host can configure for itself complete or part of
> the address settings automatically, which depends on the type and
> method it uses for autoconfiguration. The method types include:
> Stateful autoconfiguration
> Stateless autoconfiguration using EUI-64 addressing process
> (SLAAC)
> Stateful autoconfiguration is a method in which a host or router is
> assigned its entire 128-bit IPv6 address with the help of
> DHCP. Stateless autoconfiguration or SLAAC is that second method in
> which the host or router interface is assigned a 64-bit prefix, and
> then the last 64 bits of its address are derived by the host or router
> with help of EUI-64 process.
>
> https://www.cyberciti.biz/faq/ubuntu-ipv6-networking-configuration/
>
>
> https://hackingandsecurity.blogspot.com/2016/06/ip-address-configuration-in-kali-linux.html?view=classic
>
>
> https://sumguy.com/proxmox-ip-bridge-for-single-public-ip/
>
>
> http://rockhoppervpn.sourceforge.net/ref_bridge_v6_2.html
>
>
> https://wiki.debian.org/NetworkConfiguration#Network_Interface_Names
>
>
> https://www.ionos.com/help/server-cloud-infrastructure/ip-addresses/adding-a-public-ipv6-address-to-a-server/adding-a-public-ipv6-address-to-a-linux-server-ubuntu/
> accept_ra int
> Accept router advertisements
> (0=off, 1=on)
> autoconf int
> Perform stateless
> autoconfiguration (0=off, 1=on). Default value: "0"
>
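One way to confirm whether the settings discussed in this thread took effect, as an added example that is not part of either poster's message: it reads the disable_ipv6, accept_ra and autoconf sysctl files for each interface and classifies the result. The PROC_ROOT variable and the function names are assumptions introduced here.

```shell
# Added example: classify an interface's IPv6 state from its sysctl files.
# PROC_ROOT is an assumption added here so the logic can also be pointed at
# a constructed directory tree; on a live host the default path applies.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv6/conf}"

# read_knob IFACE KNOB: print the knob's value, or "missing" if unreadable.
read_knob() {
    f="$PROC_ROOT/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# ipv6_state IFACE: print one of
#   disabled  disable_ipv6=1, the interface carries no IPv6 addresses
#   no-slaac  IPv6 on, accept_ra=0 and autoconf=0 (the kernel still
#             generates an fe80:: link-local address in this state)
#   slaac     IPv6 on and router advertisements may configure an address
#   unknown   no IPv6 sysctl directory for that interface
# Exit status is 0 only for "disabled".
ipv6_state() {
    dis=$(read_knob "$1" disable_ipv6)
    ra=$(read_knob "$1" accept_ra)
    ac=$(read_knob "$1" autoconf)
    case "$dis" in
        missing) echo unknown; return 2 ;;
        1)       echo disabled; return 0 ;;
    esac
    if [ "$ra" = 0 ] && [ "$ac" = 0 ]; then
        echo no-slaac
    else
        echo slaac
    fi
    return 1
}

# audit_all: report every interface; non-zero exit if any still has IPv6 on.
audit_all() {
    rc=0
    for d in "$PROC_ROOT"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        s=$(ipv6_state "$i") || rc=1
        printf '%-12s %s\n' "$i" "$s"
    done
    return $rc
}
# Usage on a live host: source this file, then run: audit_all
```

The output also lists the "all" and "default" entries, which correspond to the two lines added to /etc/sysctl.conf in the reply above.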