Forum: Cfengine Help
Subject: Re: Cfengine Help: Re: allowconntect, trustkeysfrom and admit syntax
Author: gusto
Link to topic: https://cfengine.com/forum/read.php?3,20444,20455#msg-20455

Hi folks,

I was one of the folks who was seeing the issues on the root-.pub keys back on 
3.1.2. 
So I put a policy in place to tidy it. Seemed to work well. 
Changelog fix for 3.1.3/3.1.4 *) Reading and writing of key name "root-.pub" 
eliminated (bug #442, #453).

Then when I moved to 3.1.4 I ran into auth issues. One suggestion back on Feb 
1st was:


> From the server, "Denying repeated connection from
> "::ffff:10.10.10.11" means that your client is trying to make two
> connections at the same time.
> If you want that to be allowed, see allowallconnects:
> http://www.cfengine.org/manuals/cf3-reference.html#allowallconnects-in-server


This worked. I left it out on the forum of why this was needed?

Thread was: cfengine 3.1.4 Client/Server Protocol transaction broken off
I see it in the email but not the online forum. (Side topic: confused on this 
still should email be syncing up right with the online forum?)


body server control
{
 allowconnects         => { "127.0.0.1" , "::1" , "10." };
 allowallconnects      => { "127.0.0.1" , "::1" , "10." };
 trustkeysfrom         => { "127.0.0.1" , "::1" , "10." };
...



What I wrote back on Feb 1 as:

When I added the ::ffff:. as in ::ffff:10. I was able to get
self connect to the server socket.  To test this further I added
another test network "without" putting in the ::ffff:. and it
is answering. This is still a mystery as I don't disable IPv6 but I
also am not "using" it as the main tcp base I am still on ipv4 for
everything. Are there options or such that have been introduced? As of
earlier today I did not see anything posted in the change log for 3.1.4
but the 3.1.3 did not list anything which would affect which TCP
network should be used.

Follow on question: What does the ::ffff: actually mean? I
thought IPv4 compatibility was :: I am guessing this is true:
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm


So why does this happen here and not on 3.1.2 and below? All these
configs I have had working on 3.0.4 -> 3.1.2.

Any thoughts?



This is working for me. In my logs I see that all connections to the server are 
listed as ::ffff: 
Like most of us I am in the process of updating and have 1/4 of my env moved to 
3.1.4. Let me know if there are things to review as I would prefer to find them 
now than after 100% moved... :-)

regards
Gusto
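
An added example, not part of the original post and not CFEngine code: it shows why a peer reported as the IPv4-mapped IPv6 address ::ffff:10.10.10.11 (the form a dual-stack IPv6 listener gives to IPv4 clients) does not match a literal "10." entry until the address is normalized. The string-prefix matcher, the CIDR lists and all function names are assumptions made for illustration.

```python
import ipaddress

# Values taken from the post; everything else here is constructed for illustration.
ACL = ["127.0.0.1", "::1", "10."]   # entries from the posted body server control
PEER = "::ffff:10.10.10.11"         # peer string from the quoted server message


def normalize_peer(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def prefix_allowed(addr, acl):
    """Assumed matcher: literal string-prefix comparison against each entry."""
    return any(addr.startswith(entry) for entry in acl)


def network_allowed(addr, cidrs):
    """Stricter alternative: normalize first, then test real network membership."""
    ip = ipaddress.ip_address(normalize_peer(addr))
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(ip.version == n.version and ip in n for n in nets)


def demo():
    return {
        # Raw mapped form against the posted ACL: no entry is a prefix of it.
        "raw_vs_acl": prefix_allowed(PEER, ACL),
        # The workaround from the post: add an "::ffff:10." entry.
        "workaround": prefix_allowed(PEER, ACL + ["::ffff:10."]),
        # Normalizing the peer lets the original "10." entry match again.
        "normalized": prefix_allowed(normalize_peer(PEER), ACL),
        # CIDR membership after normalization, same intent as the ACL.
        "cidr": network_allowed(PEER, ["127.0.0.1/32", "::1/128", "10.0.0.0/8"]),
        # A mapped address outside 10/8 (constructed sample) stays denied.
        "outside": network_allowed("::ffff:192.0.2.7", ["10.0.0.0/8"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11} {result}")
```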
