[squid-users] Only listening to ipv6 (bug) still present? http_port IGNORE PEBCAK

Tory M Blue tmblue at gmail.com
Wed May 4 04:00:44 UTC 2016 

Interesting,

I do the sysctl settings and have no ipv6 interfaces showing up under
eth0/em0 or anything.. Been doing that for years, because I don't have
not taken the time to fix my DNS infrastructure and the pauses due to
ipv6 resolution attempts kill me

Thank you sir

Tory

On Tue, May 3, 2016 at 8:57 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 4/05/2016 3:22 p.m., Tory M Blue wrote:
>> On Tue, May 3, 2016 at 5:58 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>> On 4/05/2016 11:12 a.m., Tory M Blue wrote:
>>>> My configs have always consisted of http_port 80 accel vhost.. With
>>>> the latest 3.5.17 (I guess) if you don't list 0.0.0.0:80 squid won't
>>>> even attempt to listen, talk on ivp4..
>>>>
>>>> So adding 0.0.0.0:80 allows it to at least talk via ipv4.
>>>>
>>>> This seems wrong, odd.
>>>>
>>>> I understand you are removing methods to disable ipv6, however forcing
>>>> folks to us only ipv6 seems like a stretch :)
>>>>
>>>> Thanks
>>>> Tory
>>>>
>>>> CentOS 7
>>>> squid-3.5.17-1.el7.centos.x86_64
>>>
>>>
>>> What is Squid saying on startup about the stack type detected?
>>>  (may have to set debug_options 3,2)
>>>
>>> Linux has a hybrid TCP stack. Which means IPv6 ports can receive IPv4
>>> traffic unless you change something. Have you got any custom config in
>>> your TCP/IP settings that might have changed the stacks v4-mapping
>>> behaviour?
>>>
>>> Amos
>>>
>>
>> Hey Amos
>>
>> Other than disabling ipv6, there are no other tweaks.
>
> Um. "disabling ipv6" is not possible in any Linux or BSD based OS. All
> the tutorials and advice that claim to mention ways to do so are
> actually just screwing up the internal TCP stack state so the IPv6 fails
> on various ways.
>
> I think what is going on is that your chosen method of disable is/was
> breaking the v4-mapping ability in the stack but not in a way Squid can
> detect.
>
> FYI: the "Right Way" to stop IPv6 being used is to configure ip6tables
> firewall to REJECT all IPv6 traffic attempting to arrive or leave the
> box. Treat v6 (and v6 variants of common protocols) as just another
> protocol to block or permit at the firewall and you should be fine.
>
> Some people like DROP in the firewall, but that is just another way to
> cause breakage. It results in connections hanging.
>
> Amos

More information about the squid-users mailing list