[squid-users] Only listening to ipv6 (bug) still present? http_port IGNORE PEBCAK

[Amos Jeffries]

On 4/05/2016 3:22 p.m., Tory M Blue wrote:
> On Tue, May 3, 2016 at 5:58 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 4/05/2016 11:12 a.m., Tory M Blue wrote:
>>> My configs have always consisted of http_port 80 accel vhost.. With
>>> the latest 3.5.17 (I guess) if you don't list 0.0.0.0:80 squid won't
>>> even attempt to listen, talk on ivp4..
>>>
>>> So adding 0.0.0.0:80 allows it to at least talk via ipv4.
>>>
>>> This seems wrong, odd.
>>>
>>> I understand you are removing methods to disable ipv6, however forcing
>>> folks to us only ipv6 seems like a stretch :)
>>>
>>> Thanks
>>> Tory
>>>
>>> CentOS 7
>>> squid-3.5.17-1.el7.centos.x86_64
>>
>>
>> What is Squid saying on startup about the stack type detected?
>>  (may have to set debug_options 3,2)
>>
>> Linux has a hybrid TCP stack. Which means IPv6 ports can receive IPv4
>> traffic unless you change something. Have you got any custom config in
>> your TCP/IP settings that might have changed the stacks v4-mapping
>> behaviour?
>>
>> Amos
>>
> 
> Hey Amos
> 
> Other than disabling ipv6, there are no other tweaks.

Um. "disabling ipv6" is not possible in any Linux or BSD based OS. All
the tutorials and advice that claim to mention ways to do so are
actually just screwing up the internal TCP stack state so the IPv6 fails
on various ways.

I think what is going on is that your chosen method of disable is/was
breaking the v4-mapping ability in the stack but not in a way Squid can
detect.

FYI: the "Right Way" to stop IPv6 being used is to configure ip6tables
firewall to REJECT all IPv6 traffic attempting to arrive or leave the
box. Treat v6 (and v6 variants of common protocols) as just another
protocol to block or permit at the firewall and you should be fine.

Some people like DROP in the firewall, but that is just another way to
cause breakage. It results in connections hanging.

Amos