Deactivating IPv6 in Smart Protection Server (SPS)

    • Updated: 9 Mar 2015
    • Product/Version: Smart Protection Server 3.0; Trend Micro Smart Protection Server 2.1; Trend Micro Smart Protection Server 2.5
    • Platform: VMware ESXi 4.1
Summary

Starting with the stand-alone Smart Protection Server (SPS) 2.5, IPv6 is enabled by default. However, IPv6 does not work properly in certain network environments, and some company policies prohibit running IPv6. In these situations, administrators need to disable IPv6 on SPS 2.5 or 3.0.

Details

Perform the following steps to disable IPv6 in the Trend Micro Smart Protection Server using the command line.

  1. Modify the value of the following parameter:

    -bash-3.2# vi /etc/modprobe.conf
    alias net-pf-10 off

  2. Modify the value of the following parameter:

    -bash-3.2# vi /etc/sysconfig/network
    NETWORKING_IPV6=no

  3. Execute the following commands:

    -bash-3.2# /etc/init.d/ip6tables stop
    -bash-3.2# chkconfig --level 2345 ip6tables off
    -bash-3.2# modprobe -r -v ip6_tables

  4. Edit the value of the following parameter:

    -bash-3.2# vi /etc/snmp/snmpd.conf
    agentaddress udp:161

  5. Comment out the following lines, then copy the edited file into place:

    -bash-3.2# vi /var/tmcss/cpmpatch/svaiptables
    # FW6_SYS = "/etc/init.d/ip6tables "
    # os.system("/sbin/ip6tables -F")

    # os.system("/sbin/ip6tables -X")
    # os.system("/sbin/ip6tables -Z")
    # os.system("iptables-save | grep -v icmp |grep -v SNMP_SERV_IN |grep -v CPM_SERV_IN |ip6tables-restore")
    # os.system("ip6tables -A LOCAL_SERV_IN -p icmpv6 -j ACCEPT")

    # os.system(SVAFirewall.FW6_SYS + "start")
    # os.system(SVAFirewall.FW6_SYS + "stop")

    # os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j ACCEPT")
    # os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL ACK -j ACCEPT")
    # os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL PSH,ACK -j ACCEPT")
    # os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL FIN,ACK -j ACCEPT")
    # os.system("ip6tables -A INPUT -p tcp --tcp-flags ALL PSH,FIN,ACK -j ACCEPT")

    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.ssh_port + " -j ACCEPT")
    # os.system("/sbin/ip6tables -I LOCAL_SERV_IN -p icmpv6 --icmpv6-type echo-request -j DROP > /dev/null 2>&1");
    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + iwsva.port_service + " -j ACCEPT")
    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.frs_http_port + " -j ACCEPT")
    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport " + self.frs_https_port + " -j ACCEPT")
    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p tcp --dport 546 -j ACCEPT")
    # os.system("/sbin/ip6tables -A LOCAL_SERV_IN -p udp --dport 546 -j ACCEPT")
    # os.system("/sbin/ip6tables -D SERV_GATE -p tcp --dport " + self.wrs_http_port + " -j DROP > /dev/null 2>&1");
    # os.system("/sbin/ip6tables -A SERV_GATE -p tcp --dport " + self.wrs_http_port + " -j DROP");

    -bash-3.2# cp /var/tmcss/cpmpatch/svaiptables /etc/init.d/svaiptables

  6. Comment out the following lines:

    -bash-3.2# vi /etc/lighttpd/lighttpd.conf
    # listen to ipv6
    #$SERVER["socket"] == "[::]:" + var.frs-http-port {
    # $HTTP["host"] =~ "^(.*)$" {
    # url.redirect = ( "^/$" => "https://%1:4343/",
    # "^/tmcss/$" => "http://%1/$1")
    # }
    #}

    #$SERVER["socket"] == "[::]:4343" {
    #ssl.engine = "enable"
    #ssl.pemfile = "/etc/lighttpd/server.pem"
    #ssl.cipher-list = ssl-cipher-list
    #accesslog.filename = "/var/log/lighttpd/mgt_access.log"
    #server.document-root = var.AdminUI.document-root
    #fastcgi.server = ( ".php" =>
    # ( "localhost" =>
    # (
    # "socket" => "/tmp/php-fastcgi.socket",
    # "bin-path" => "/usr/bin/php-cgi",
    # "max-procs" => 4,
    # "bin-environment" =>
    # (
    # "PHP_FCGI_CHILDREN" => "8",
    # "PHP_FCGI_MAX_REQUESTS" => "1000"
    # )
    # )
    # )
    # )
    #}

    #Setting for LWCS
    #$SERVER["socket"] == "[::]:" + var.wrs-http-port {
    #server.document-root = "/var/www/iCRC/tmcss/"
    #accesslog.filename = "/var/log/lighttpd/lwcs_access.log"
    #server.indexfiles = ("lwcsfcgi")
    #server.error-handler-404 = "/lwcsfcgi"
    #fastcgi.server = ( "" =>
    # ( "" =>
    # (
    # "socket" => "/tmp/lwcsfcgi-fastcgi.socket",
    # "bin-path" => "/var/www/iCRC/tmcss/lwcsfcgi",
    # "max-procs" => 90,
    # "idle-timeout" => 30
    # )
    # )
    # )
    #}

    #$SERVER["socket"] == "[::]:" + var.frs-https-port {
    #ssl.engine = "enable"
    #ssl.pemfile = "/etc/lighttpd/server.pem"
    #ssl.cipher-list = ssl-cipher-list
    # $HTTP["host"] =~ "^(.*)$" {
    # url.redirect = ( "^/$" => "https://%1:4343/",
    # "^/tmcss/$" => "https://%1/$1")
    # }
    #}

  7. Comment out the following lines:

    -bash-3.2# vi /usr/tmcss/bin/snmp_set.sh
    #IP6TABLES='/sbin/ip6tables'
    # $IP6TABLES -F $SNMP_CHAIN 2> /dev/null
    # $IP6TABLES -D INPUT -j $SNMP_CHAIN 2> /dev/null
    # $IP6TABLES -X $SNMP_CHAIN 2> /dev/null

    # $IP6TABLES -N $SNMP_CHAIN
    # $IP6TABLES -A INPUT -j $SNMP_CHAIN
    # $IP6TABLES -A $SNMP_CHAIN -p udp --dport $SNMP_PORT -s $1/$2 -j ACCEPT
    # $IP6TABLES -A $SNMP_CHAIN -p udp --dport $SNMP_PORT -s $1/$2 -j ACCEPT

  8. Comment out the following lines:

    -bash-3.2# vi /usr/tmcss/bin/patchcpm_set.sh
    #IP6TABLES='/sbin/ip6tables'

    # $IP6TABLES -F $CPM_CHAIN > /dev/null 2>&1
    # $IP6TABLES -D INPUT -j $CPM_CHAIN > /dev/null 2>&1
    # $IP6TABLES -X $CPM_CHAIN > /dev/null 2>&1

    # $IP6TABLES -N $CPM_CHAIN
    # $IP6TABLES -A INPUT -j $CPM_CHAIN

    # $IP6TABLES -A $CPM_CHAIN -p tcp --dport $1 -j ACCEPT
    # $IP6TABLES -A $CPM_CHAIN -p udp --dport $1 -j ACCEPT

  9. Comment out the following lines:

    -bash-3.2# vi /usr/tmcss/bin/CollectSystemInfo.sh
    # echo -e "\n[ip6table] (Run Command \"ip6tables -L\")" >> $target_file_location/$target_file_name

    # echo "`date` [$Module_Name] > ip6tables -L" | tee -a $CDT_LOG_FILE_NAME | more
    # ip6tables -L >> $target_file_location/$target_file_name 2>>$CDT_LOG_FILE_NAME

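  10. Comment out the cmdip6tables line, then change the tin and tout lines as shown (the original lines appear above the --->>> marker, the modified lines below it):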

    -bash-3.2# vi /usr/tmcss/bin/tlogger
    #cmdip6tables = "/sbin/ip6tables"

    tin = long(getTraffic(cmdiptables, "WCS_SERV_IN")) + long(getTraffic(cmdip6tables, "WCS_SERV_IN"))
    tout= long(getTraffic(cmdiptables, "WCS_SERV_OUT")) + long(getTraffic(cmdip6tables, "WCS_SERV_OUT"))
    --->>>
    tin = long(getTraffic(cmdiptables, "WCS_SERV_IN"))
    tout= long(getTraffic(cmdiptables, "WCS_SERV_OUT"))

  11. Reboot the SPS.
  1. Log in to the Trend Micro Smart Protection Server over SSH using the root account.
  2. Execute the following commands to disable IPv6:

    # service ip6tables stop
    # chkconfig ip6tables off

  3. Comment out all IPv6-related settings in /etc/lighttpd/lighttpd.conf as follows:
    1. Execute the command:

      # vi /etc/lighttpd/lighttpd.conf

    2. Press the INSERT key to enter Edit mode.
    3. Uncomment line 153 and change it to:

      server.use-ipv6 = "disable"

  4. Comment out all IPv6 configurations on these lines:

    lines 157 through 163
    lines 290 through 309
    lines 330 through 346
    lines 370 through 377

  5. Press the ESC key, then type ":wq!" to save and close the file.
  6. Comment out all IPv6-related settings in the /etc/snmp/snmpd.conf.
    1. Execute the following command:

      # vi /etc/snmp/snmpd.conf

    2. Press the INSERT key to enter Edit mode.
    3. Change line 465 from "agentaddress udp:161,udp6:161" to:

      agentaddress    udp:161

    4. Press the ESC key, then type ":wq!" to save and close the file.
  7. Change the value of NETWORKING_IPV6 inside the /etc/sysconfig/network file.
    1. Execute the following command:

      # vi /etc/sysconfig/network

    2. Press the INSERT key to enter Edit mode.
    3. Set NETWORKING_IPV6=no.
    4. Press the ESC key, then type ":wq!" to save and close the file.
  8. Run the following commands to restart the lighttpd and snmpd daemons to apply the new settings.

    # service lighttpd restart
    # service snmpd restart
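
An added check for the procedures above (example code, not part of the Trend Micro article or product): a shell function that audits the edited files for IPv6 settings that are still active. The function names, the `ROOT` prefix argument and the `full` mode are assumptions of this example; `full` adds the checks that apply only to the 11-step procedure.

```shell
#!/bin/bash
# Added example (not Trend Micro code): audit for IPv6 settings left active.

# True if file $1 has a non-comment line matching extended regex $2.
active_match() {
    [ -f "$1" ] && grep -Ev '^[[:space:]]*#' "$1" | grep -Eq -- "$2"
}

# audit_ipv6 ROOT [full]
#   ROOT: filesystem prefix ("" = live system, or a directory holding a copy).
#   full: also run the checks that apply only to the 11-step procedure.
# Prints one FAIL line per finding; the return status is the number of findings.
audit_ipv6() {
    local root="$1" mode="${2:-}" fails=0 f
    if ! active_match "$root/etc/sysconfig/network" '^NETWORKING_IPV6=no[[:space:]]*$'; then
        echo "FAIL: NETWORKING_IPV6=no not set in /etc/sysconfig/network"; fails=$((fails + 1))
    fi
    if active_match "$root/etc/snmp/snmpd.conf" '^[[:space:]]*agentaddress.*udp6'; then
        echo "FAIL: snmpd agentaddress still lists a udp6 endpoint"; fails=$((fails + 1))
    fi
    if active_match "$root/etc/lighttpd/lighttpd.conf" '\[::\]'; then
        echo "FAIL: lighttpd.conf still has an active [::] socket block"; fails=$((fails + 1))
    fi
    if [ "$mode" = full ]; then
        if ! active_match "$root/etc/modprobe.conf" '^alias[[:space:]]+net-pf-10[[:space:]]+off'; then
            echo "FAIL: 'alias net-pf-10 off' missing from /etc/modprobe.conf"; fails=$((fails + 1))
        fi
        # /proc/net/if_inet6 exists only while the ipv6 kernel module is loaded.
        if [ -e "$root/proc/net/if_inet6" ]; then
            echo "FAIL: ipv6 module still loaded (reboot pending?)"; fails=$((fails + 1))
        fi
        for f in /etc/init.d/svaiptables /usr/tmcss/bin/snmp_set.sh \
                 /usr/tmcss/bin/patchcpm_set.sh /usr/tmcss/bin/CollectSystemInfo.sh \
                 /usr/tmcss/bin/tlogger; do
            if active_match "$root$f" 'ip6tables'; then
                echo "FAIL: active ip6tables reference in $f"; fails=$((fails + 1))
            fi
        done
    fi
    return "$fails"
}
```

Call `audit_ipv6 "" full` as root after the 11-step procedure and reboot, or `audit_ipv6 ""` after the shorter procedure; a return status of 0 means no finding.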

Category: Configure; Deploy; Install; Uninstall
Solution Id: 1060382