Gentoo Forums
ipV6 SYN_RECV hang (after BIOS update ?)
toralf
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

Posted: Wed Mar 16, 2016 2:37 pm    Post subject: ipV6 SYN_RECV hang (after BIOS update ?)

Suddenly (tm) the IPv6 at my server won't work anymore. The only change so far is the replacement of the RAM and a BIOS upgrade.
The picture after booting the server is now :
Code:
ms-magpie ~ # netstat -6 -p -W -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 2a01:4f8:190:514a::2:5222 2a01:4f8:0:a101::6:3:43837 SYN_RECV    -
tcp6       0      0 5.9.158.75:5222         94.242.246.23:24237     ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2001:638:a000:4140::ffff:189:55898 SYN_RECV    -
tcp6       0      0 5.9.158.75:5222         94.242.246.23:44793     ESTABLISHED 1633/beam
tcp6       0      0 5.9.158.75:5269         146.255.57.226:37717    ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2001:858:2:2:aabb:0:563b:1526:54739 SYN_RECV    -
tcp6       0      0 5.9.158.75:5269         208.68.163.218:46377    ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:5269 2001:6f8:126f:11::26:37387 ESTABLISHED 1633/beam
tcp6       0      0 2a01:4f8:190:514a::2:443 2a01:4f8:0:a101::6:3:52584 SYN_RECV    -
No ping6 from outside is possible (I do have a monitor from my ISP which ping6s me every 3 min), no ping6 goes out.
If I comment out the line "$IPT -P INPUT DROP" of my firewall script
Code:
#!/bin/sh

IPT="/sbin/ip6tables"

startFirewall() {
  $IPT -P INPUT   DROP
  $IPT -P FORWARD DROP

  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT --source ::1 -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  $IPT -A INPUT -s fe80::/10  -p ipv6-icmp                            -j ACCEPT
  $IPT -A INPUT               -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT

...
and restart the firewall then it works.
What's wrong ?
Update: This change solved/circumvented it, but why is it now needed?
Code:
  #$IPT -A INPUT               -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
  $IPT -A INPUT               -p ipv6-icmp                            -j ACCEPT


Last edited by toralf on Sat Mar 19, 2016 6:35 pm; edited 1 time in total
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5592

Posted: Thu Mar 17, 2016 3:16 am

How does your server get its IPv6 routes configured?
toralf
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

Posted: Thu Mar 17, 2016 12:53 pm

Ant P. wrote:
How does your server get its IPv6 routes configured?
Code:
tfoerste@ms-magpie ~ $ sudo su -
ms-magpie ~ # route -n -6
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
::1/128                        ::                         Un   0   8    20 lo
2a01:4f8:190:514a::2/128       ::                         Un   0   9924591 lo
2a01:4f8:190:514a::/64         ::                         U    256 0     0 enp3s0
fe80::3285:a9ff:feed:1cb/128   ::                         Un   0   1     0 lo
fe80::/64                      ::                         U    256 0     0 enp3s0
ff00::/8                       ::                         U    256 0     0 enp3s0
::/0                           fe80::1                    UG   2   8917516 enp3s0
::/0                           ::                         !n   -1  1    25 lo

ms-magpie ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         5.9.158.65      0.0.0.0         UG    2      0        0 enp3s0
5.9.158.64      0.0.0.0         255.255.255.224 U     0      0        0 enp3s0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo

ms-magpie ~ # cat /etc/conf.d/net
config_enp3s0="5.9.158.75/27
2a01:4f8:190:514a::2/64
"

routes_enp3s0="default via 5.9.158.65
default via fe80::1
"

# prefer IPv6
#
dns_servers_enp3s0="127.0.0.1 2a01:4f8:0:a0a1::add:1010 2a01:4f8:0:a102::add:9999 2a01:4f8:0:a111::add:9898 213.133.98.98 213.133.99.99 213.133.100.100"

dns_domain_enp3s0="zwiebeltoralf.de"
Ant P.
Watchman


Joined: 18 Apr 2009
Posts: 5592

Posted: Fri Mar 18, 2016 3:17 am

Everything looks consistent there. IPv6 uses ICMP for a lot more than ping requests compared to IPv4 though; it's generally a bad idea to block it.
toralf
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

Posted: Fri Mar 18, 2016 9:01 am

Ant P. wrote:
Everything looks consistent there. IPv6 uses ICMP for a lot more than ping requests compared to IPv4 though; it's generally a bad idea to block it.
Thx Ant - but the question remains why this doesn't work now - it has worked here for 3/4 year. I tested older kernels too - the BIOS upgrade seems to be the trigger ...

Update:
FWIW, looking into https://www.cert.org/downloads/IPv6/ip6table_rules.txt and allowing 2 more ICMPv6 types does it, instead of opening it for all:
Code:
  $IPT -A INPUT -s fe80::/10  -p ipv6-icmp -j ACCEPT

  # Allow some other types in the INPUT chain, but rate limit.
  #
  $IPT -A INPUT -p icmpv6 --icmpv6-type echo-request  -m limit --limit 900/min -j ACCEPT
  $IPT -A INPUT -p icmpv6 --icmpv6-type echo-reply    -m limit --limit 900/min -j ACCEPT
 
  # Allow others ICMPv6 types but only if the hop limit field is 255.
  #
  $IPT -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT

And what's worth mentioning: with the old config a ping6 from the server out to another works fine till a ping6 arrived from outside (usually from the monitoring solution of my AS). From that point in time the ping6 from the server to the remote lost 100% of its packets.
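Added example (not part of the thread and not any poster's script): a simplified first-match walk over the two ICMPv6 rule variants posted above, showing which neighbor-discovery types each one accepts from a link-local source versus a global source. The rule lists are constructed copies of the posted rules, 2001:db8::1 is a documentation address, and the conntrack rules are left out on the assumption that they do not match neighbor-discovery packets.

```sh
#!/bin/sh
# Added example: first-match evaluation of ICMPv6 INPUT rules (simplified).
# Understands only -s fe80::/10, -p, --icmpv6-type and -j; "-m limit" and
# "-m hl --hl-eq 255" are ignored (valid NDP packets carry hop limit 255).

# Constructed rule lists mirroring the two variants posted in the thread.
OLD_RULES='-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT'
NEW_RULES='-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT'

# is_link_local ADDR: succeeds if ADDR lies in fe80::/10 (fe80.. to febf..)
is_link_local() {
  case "$1" in fe[89ab][0-9a-f]:*) return 0 ;; *) return 1 ;; esac
}

# verdict RULES SRC TYPE: prints the first matching target, or DROP (the policy)
verdict() {
  v_rules=$1 v_src=$2 v_type=$3
  while read -r v_line; do
    r_src='' r_proto='' r_type='' r_target=''
    set -- $v_line
    while [ $# -gt 0 ]; do
      case "$1" in
        -s) r_src=$2; shift ;;
        -p) r_proto=$2; shift ;;
        --icmpv6-type) r_type=$2; shift ;;
        -j) r_target=$2; shift ;;
      esac
      shift
    done
    case "$r_proto" in ipv6-icmp|icmpv6) ;; *) continue ;; esac
    if [ -n "$r_src" ] && ! is_link_local "$v_src"; then continue; fi
    if [ -n "$r_type" ] && [ "$r_type" != "$v_type" ]; then continue; fi
    echo "$r_target"; return 0
  done <<EOF
$v_rules
EOF
  echo DROP
}

# ndp_gaps RULES SRC: neighbor-discovery types that fall through to DROP
ndp_gaps() {
  g_out=''
  for g_type in neighbor-solicitation neighbor-advertisement; do
    if [ "$(verdict "$1" "$2" "$g_type")" = DROP ]; then g_out="$g_out $g_type"; fi
  done
  echo "${g_out# }"
}
```

Run `ndp_gaps "$OLD_RULES" 2001:db8::1` and `ndp_gaps "$NEW_RULES" 2001:db8::1` to compare the two variants for a neighbor whose packets do not come from fe80::/10.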
Duncan Mac Leod
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

Posted: Sun Mar 20, 2016 5:45 pm

Today I had IPv6 trouble, too!

I did not change anything for weeks.

I noticed that I could not ping anything, even the default gateway. A reboot solved the problem, for now...

Never had this before! Using gentoo-sources -> 4.1.15-gentoo-r1

Anyone else with IPv6 problems recently?