> > is it working on localhost or not???!!! it could be selinux problem also,
> if context is not correct.

It's working on localhost:

[root at puppet:~] #telnet localhost 5666
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

I notice if I stop the firewall on the puppet host (for no more than 2 seconds) and hit NRPE from the monitoring host it works:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
NRPE v2.15

But as soon as the firewall has been enabled on the puppet host (a microsecond later) I get this result:

[root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
connect to address 216.120.xxx.xxx port 5666: No route to host
connect to host puppet.mydomain.com port 5666: No route to host

And nmap from the monitoring host tells me that the port is closed:

[root at monitor1:~] #nmap -p 5666 puppet.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 23:20 UTC
Nmap scan report for puppet.jokefire.com (216.120.250.140)
Host is up (0.011s latency).
PORT     STATE    SERVICE
5666/tcp filtered nrpe

Back on the puppet host I verify that the port is open for UDP:

[root at puppet:~] #firewall-cmd --list-ports
5666/udp

That should be right AFAIK. Can anybody tell me what I'm doing wrong ?

Thanks
Tim

On Sun, May 3, 2015 at 6:59 PM, Eero Volotinen <eero.volotinen at iki.fi> wrote:

> is it working on localhost or not???!!! it could be selinux problem also,
> if context is not correct.
>
> --
> Eero
>
> 2015-05-04 1:55 GMT+03:00 Tim Dunphy <bluethundr at gmail.com>:
>
> > > It's listening on both IPv6 and IPv4. Specifically, why is that a
> > > problem?
> >
> > The central problem seems to be that the monitoring host can't hit nrpe on
> > port 5666 UDP.
> >
> > [root at monitor1:~] #/usr/local/nagios/libexec/check_nrpe -H puppet.mydomain.com
> > CHECK_NRPE: Socket timeout after 10 seconds.
> >
> > It is listening on the puppet host on port 5666
> >
> > [root at puppet:~] #lsof -i :5666
> > COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
> > xinetd  2915 root    5u  IPv6  24493      0t0  TCP *:nrpe (LISTEN)
> >
> > And the firewall is allowing that port:
> >
> > [root at puppet:~] #firewall-cmd --list-ports
> > 5666/udp
> >
> > But if I check the port using nmap
> >
> > [root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:51 UTC
> > Nmap scan report for puppet.jokefire.com (216.120.250.140)
> > Host is up (0.012s latency).
> > PORT     STATE    SERVICE
> > 5666/tcp filtered nrpe
> >
> > That port is closed despite the port being allowed on the firewall.
> >
> > So I thought that the problem was that xinetd was listening to port 5666
> > only on tcp v6. And when the monitoring host hits the puppet host using tcp
> > v4 it can't because only tcp v6 is active on that port.
> >
> > You mention that it's listening on both tcp v4 and v6. But I only see v6 in
> > that output. How are you determining that
> >
> > It's a problem because the port does not appear to be open from the
> > monitoring host:
> >
> > [root at monitor1:~] #nmap -p 5666 puppet.mydomain.com
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-03 22:33 UTC
> > Nmap scan report for puppet.jokefire.com (216.120.250.140)
> > Host is up (0.011s latency).
> > PORT     STATE    SERVICE
> > 5666/tcp filtered nrpe
> >
> > > You could add "ipv6.disable=1" to your kernel args.
> >
> > What am I doing wrong? I need to be able to disable tcpv6 completely!
> >
> > Worth a shot!
> >
> > On Sun, May 3, 2015 at 5:44 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
> >
> > > On 05/03/2015 02:18 PM, Tim Dunphy wrote:
> > >
> > >> Yet, xinetd/nrpe still seems to be listening on TCP v6!!
> > >
> > > It's listening on both IPv6 and IPv4. Specifically, why is that a problem?
> > >
> > >> What am I doing wrong? I need to be able to disable tcpv6 completely!
> > >
> > > You could add "ipv6.disable=1" to your kernel args.
> > > _______________________________________________
> > > CentOS mailing list
> > > CentOS at centos.org
> > > http://lists.centos.org/mailman/listinfo/centos
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
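
Added example, not part of the original thread: the lsof output quoted above shows a TCP listener on the nrpe port, while `firewall-cmd --list-ports` shows `5666/udp`. This script compares the two outputs and reports any listener whose port/protocol pair is missing from the firewall list. The sample inputs are copied from the thread; the function name and the nrpe-to-5666 name mapping are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check `lsof -i` listeners against firewalld open ports.
# Sample inputs copied from the outputs quoted in the thread.
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 2915 root 5u IPv6 24493 0t0 TCP *:nrpe (LISTEN)'
PORTS_SAMPLE='5666/udp'

# find_mismatches LSOF_OUTPUT FIREWALL_PORTS   (hypothetical helper name)
# Prints one line per listening socket whose port/proto is not allowed.
find_mismatches() {
  # Flatten the firewall list to one space-separated line for awk -v.
  allowed=$(printf '%s' "$2" | tr '\n' ' ')
  printf '%s\n' "$1" | awk -v allowed="$allowed" '
    BEGIN {
      n = split(allowed, a, / +/)
      for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1
      # Assumption: minimal service-name table; `lsof -nP` avoids needing it.
      svc["nrpe"] = 5666
    }
    # lsof columns: $8 = NODE (TCP/UDP), $9 = NAME (addr:port), $10 = state
    $8 == "TCP" && $10 != "(LISTEN)" { next }
    $8 == "TCP" || $8 == "UDP" {
      port = $9
      sub(/.*:/, "", port)                 # keep what follows the last colon
      if (port in svc) port = svc[port]    # service name -> port number
      key = port "/" tolower($8)
      if (!(key in ok)) {
        other = port "/" ($8 == "TCP" ? "udp" : "tcp")
        hint = (other in ok) ? " (firewall has " other " instead)" : ""
        print $1 " listens on " key " but firewall does not allow it" hint
      }
    }'
}

find_mismatches "$LSOF_SAMPLE" "$PORTS_SAMPLE"
```

On a live host, the two arguments would be the output of `lsof -i :5666` and `firewall-cmd --list-ports`.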