Gentoo Forums
IPv6-MAC addresses
freke
l33t
Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Fri Apr 09, 2021 2:00 pm    Post subject: IPv6-MAC addresses

Hi,

I have 6 *identical* servers (same HW and running exactly the same kernel) - the sysctl-values for IPv6 are the same, yet on two I somehow get an additional IPv6-address based on the interface-MAC, i.e.
Code:
mail ~ # ifconfig
Eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.2  netmask 255.255.254.0  broadcast 10.0.1.255
        inet6 2001:470:28:4a6::5  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:28:4a6:20d:b9ff:fe42:5470  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::20d:b9ff:fe42:5470  prefixlen 64  scopeid 0x20<link>
        ether 00:0d:b9:42:54:70  txqueuelen 1000  (Ethernet)
        RX packets 379  bytes 45337 (44.2 KiB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 391  bytes 132818 (129.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xf7a00000-f7a1ffff

I don't want the 2001:470:28:4a6:20d:b9ff:fe42:5470-address!

I believe I had it right at some point (because I noticed it when my mail-server suddenly got rejected on my mysql-server......) - what might I have overlooked/changed on my mail-server to cause getting this additional IPv6-address again?

For now - I'm running
Code:
ip -6 addr del 2001:470:28:4a6:20d:b9ff:fe42:5470/64 dev Eth1
after reboot to get rid of that address, so I can connect to my mysql-server (and to not have my mail marked as spam/rejected due to SPF on other mail-servers...)

Using netifrc :)
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Fri Apr 09, 2021 2:31 pm    Post subject:

We can see from your output that the additional address is formed from the ethernet address of the interface.
So it's very likely something on the server received a Router Advertisement saying "use this prefix to make an address with".

The best solution to solve the SPF issue is to bind your mail server to the addresses listed in the SPF record.
You should do this regardless of any other solution to the extra address to stop the mail rejection issue from happening.

The question now becomes what software puts the address there in the first place?
It could be the kernel - see here:
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch11s02.html
You probably want to set autoconf to 0.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
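Added example, not part of either poster's message: the reply above notes that the extra address is formed from the interface's Ethernet address. This sketch applies the modified EUI-64 rule (RFC 4291, Appendix A) to the `ether` line and flags every `inet6` address whose lower 64 bits match it; the function names are illustrative and the sample text is trimmed from the first post.

```python
import ipaddress
import re

# Trimmed copy of the Eth1 output quoted in the first post of this thread.
SAMPLE_IFCONFIG = """\
Eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.2  netmask 255.255.254.0  broadcast 10.0.1.255
        inet6 2001:470:28:4a6::5  prefixlen 64  scopeid 0x0<global>
        inet6 2001:470:28:4a6:20d:b9ff:fe42:5470  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::20d:b9ff:fe42:5470  prefixlen 64  scopeid 0x20<link>
        ether 00:0d:b9:42:54:70  txqueuelen 1000  (Ethernet)
"""
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+\d+\s+scopeid\s+0x[0-9a-f]+<(\w+)>", re.M)


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier for a 48-bit MAC, as a 64-bit int."""
    octets = bytes(int(part, 16) for part in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def classify_inet6(ifconfig_text):
    """Return [(address, scope, mac_derived)] for one interface's ifconfig block."""
    mac = re.search(r"^\s*ether\s+([0-9a-fA-F:]{17})", ifconfig_text, re.M)
    if mac is None:
        raise ValueError("no 'ether' line found")
    iid = eui64_interface_id(mac.group(1))
    rows = []
    for addr, scope in INET6_RE.findall(ifconfig_text):
        low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
        rows.append((addr, scope, low64 == iid))
    return rows


def unwanted_global_addresses(ifconfig_text):
    """Global-scope addresses whose interface identifier is derived from the MAC."""
    return [a for a, scope, derived in classify_inet6(ifconfig_text) if derived and scope == "global"]


if __name__ == "__main__":
    for addr, scope, derived in classify_inet6(SAMPLE_IFCONFIG):
        print(f"{addr:40} {scope:6} {'MAC-derived (EUI-64)' if derived else 'other'}")
```

The link-local `fe80::` address also matches the MAC-derived identifier; only the global one changes which source address remote ACLs and SPF checks see. Autoconfigured addresses that use other interface-identifier schemes are not detected by this comparison.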
freke
l33t
Joined: 23 Jan 2003
Posts: 977
Location: Somewhere in Denmark

Posted: Fri Apr 09, 2021 2:40 pm    Post subject:

The kernel is identical on the 2 of my servers receiving this address AND the 4 servers which haven't got this additional address (the kernel is built on one of the servers and copied out to the others).
Autoconf is set to 0 on all machines....

i.e. binhost is a *good* machine and only gets the IPv6-address I set in /etc/conf.d/net - and mail is one of the *bad* ones which gets the additional IPv6-address (along with my lamp-server - those are the two oldest installations, if that matters?)
Code:
binhost ~ # sysctl -n net.ipv6.conf.Eth1.autoconf
0

mail ~ # sysctl -n net.ipv6.conf.Eth1.autoconf
0

Code:
binhost ~ # cat /etc/sysctl.conf
# /etc/sysctl.conf
#
# For more information on how this file works, please see
# the manpages sysctl(8) and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#
...
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0

net.ipv6.conf.Eth1.autoconf=0
net.ipv6.conf.Eth1.accept_ra=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
...

mail ~ # cat /etc/sysctl.conf
# /etc/sysctl.conf
#
# For more information on how this file works, please see
# the manpages sysctl(8) and sysctl.conf(5).
#
# In order for this file to work properly, you must first
# enable 'Sysctl support' in the kernel.
#
# Look in /proc/sys/ for all the things you can setup.
#
...
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0

net.ipv6.conf.Eth1.autoconf=0
net.ipv6.conf.Eth1.accept_ra=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
...


I know that I could just add the address to my SPF-entry, and allow it on my mysql-db, but I'd rather fix the issue of having this address - that I don't want - on only two of my servers... ;)
I tried restarting all services in default-runlevel + net.Eth1 - none of them causes the address to reappear after manually deleting it after reboot.

The two servers exhibiting this behaviour are from 2017 while the four others are from 2018-2019 - I'm quite certain though, that they have not always gotten those MAC-based IPv6-addresses - because of the sudden inability of my mail-server to login on my mysql-server when my mail-server got that MAC-based address.
All times are GMT