[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)
Baptiste Jonglez
bjonglez at illyse.org
Mon Jul 14 09:17:14 EDT 2014
Hi Steven,
On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
> Hi Baptiste,
>
> in general our current firewalling approach is to keep defaults for IPv4 and
> IPv6 relatively close (not considering NAT here of course).
Could you detail the reasoning behind this approach? "Don't confuse the user"?
I'd rather have "Don't bother the user": things should generally just
work, without having to configure anything (in this case, port
forwarding). But there is an obvious tradeoff with security.
> Opening up the IPv6 firewall by default would be unexpected and I don't
> really like the approach for that matter and honestly I don't trust
> client devices that much.
At least opening UDP ports > 1024 seems pretty reasonable, and covers most
use-cases regarding VoIP and video. But it does indeed depart from the
IPv4 case (not sure if it is such a bad idea though).
> However the packaged version of miniupnpd does indeed support both UPNP
> WANIPv6FirewallControl and PCP. One of my colleagues recently ran a test with
> PCP and said miniupnpd and it works fine.
Good news, thanks! PCP doesn't show up in the config file, so I guess PCP
is controlled by the NAT-PMP-related options.
> Cheers,
>
> Steven
Thank you,
Baptiste