1 problem phenomenon
When IPV6 is enabled, the NetworkManager service will listen to all 0 addresses by default. Here 58 is not a port, but a protocol number, indicating icmpv6. The phenomenon is as follows:
# netstat -anp | grep Network raw6 0 0 :::58 :::* 7 2581242/NetworkMana
2 cause analysis
2.1 raw6 what is it?
raw6 is the RAW SOCKET of IPV6,
You can confirm by viewing the / proc/net/sockstat6 file:
[root@localhost:~ ]# cat /proc/net/sockstat6 TCP6: inuse 1 UDP6: inuse 0 UDPLITE6: inuse 0 RAW6: inuse 1 FRAG6: inuse 0 memory 0 [root@localhost:~ ]#
2.2: what's the address?
In ipv6,::: means 0 address, which means all ip addresses here
2.3 what service port is 58?
58 is not a port, but a protocol number. It corresponds to the icmp6 protocol, that is, the ICMP Protocol on IPV6. You can use the following command to query the protocol type corresponding to the port:
[root@localhost:~ ]# ss -l -6 -p -e -n Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process icmp6 UNCONN 0 0 *:58 *:* users:(("NetworkManager",pid=229210,fd=21)) ino:685747 sk:1 v6only:0 <-> tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=2780,fd=4)) ino:45366 sk:2 v6only:1 <->
When the NetworkManager service is started, it calls libndp for setting. By default, it listens to all 0 network segments, and cannot be specified through command line parameters or modified through configuration files.
2.4 what is the purpose of protocol 58 monitoring all addresses?
For DAD detection
In IPv6 environment, when a host attempts to configure an IPv6 address, it will first conduct address repeatability detection to confirm the uniqueness of the address on the link. This process is called DAD (Duplicate Address Detection).
For example, when starting a network card with IPv6 enabled, the network card will be automatically configured with a link local address - the address starting with fe80. DAD detection will be carried out before this address takes effect.
The key of DAD detection is NS message. Note that the source address of the message is all 0, the destination address is a multicast address, and the Target points to the IPv6 address to be configured. For a period of time, if no one replies to NA on the link or receives NS messages with the same structure on the link, the address is considered unique on the link and the configuration takes effect
The NS and NA messages used in the whole process are icmpv6 protocol
In the scenario where IPV6 is not used, you can disable IPV6 to turn off all zero listening. Otherwise, the product should decide to use firewall and other means for network isolation according to the actual business networking situation and usage scenario.
Method 1: turn off the ipv6 function of the network card
/Configure IPv6 with / etc / sysconfig / network scripts / ifcfg ethx_ Autoconf = "yes" enable listening on this port and configure it as IPV6_AUTOCONF="no" turns off Port 58 listening
Modify the configuration file and restart the network card to take effect:
root localhost:~ $ cat /etc/sysconfig/network-scripts/ifcfg-eth6 TYPE="Ethernet" PROXY_METHOD="none" BROWSER_ONLY="no" BOOTPROTO="static" DEFROUTE="yes" IPV4_FAILURE_FATAL="yes" IPADDR=10.137.55.254 IPV6INIT="yes" IPV6_AUTOCONF="no" IPV6_DEFROUTE="yes" IPV6_FAILURE_FATAL="no" NAME="eth6" DEVICE="eth6" ONBOOT="yes" root localhost:~ $ ifdown eth6 && ifup eth6
Method 2: Firewall
When NetworkManager.service has usage scenarios, add firewalld rules to restrict access to specific networks. For example, using the following configuration, the address request with port 58 (involving ipv6) will be deleted:
firewall-cmd --permanent --add-rich-rule="rule family=ipv6 port protocol=tcp port=58 drop"
Method 3: close the NetworkManager service
Shut down service:
systemctl stop NetworkManager
systemctl disable NetworkManager