[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Baptiste Jonglez bjonglez at illyse.org
Mon Jul 14 09:17:14 EDT 2014


Hi Steven,

On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
> Hi Baptiste,
> 
> in general our current firewalling approach is to keep defaults for IPv4 and
> IPv6 relatively close (not considering NAT here of course).

Could you detail the reasoning behind this approach?  "Don't confuse the user"?

I'd rather have "Don't bother the user": things should generally just
work, without having to configure anything (in this case, port
forwarding).  But there is an obvious tradeoff with security.

> Opening up the IPv6 firewall by default would be unexpected and I don't
> really like the approach for that matter and honestly I don't trust
> client devices that much.

At least opening UDP ports > 1024 seems pretty reasonable, and covers most
use-cases regarding VoIP and video.  But it does indeed depart from the
IPv4 case (not sure if it is such a bad idea though).

> However the packaged version of miniupnpd does indeed support both UPNP
> WANIPv6FirewallControl and PCP. One of my colleagues recently ran a test with
> PCP and said miniupnpd and it works fine.

Good news, thanks!  PCP doesn't show up in the config file, so I guess PCP
is controlled by the NAT-PMP-related options.

> Cheers,
> 
> Steven

Thank you,
Baptiste
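An added example, not code from this thread or from miniupnpd: the PCP MAP exchange of RFC 6887 that a LAN host uses to ask the router for an IPv6 pinhole, instead of relying on a blanket "UDP ports > 1024 open" rule. The request and response encoders follow the RFC 6887 wire layout (24-byte common header plus the 36-byte MAP opcode part). The server side here is a constructed stand-in that grants whatever is asked, so the exchange runs in-process; a real PCP server listens on UDP port 5351 and applies its own policy. The client-side parser shows the checks that matter before a response is trusted: version and opcode, the 96-bit nonce echoed from the request, the protocol and internal port, and the result code. The addresses and ports are constructed sample values.

```python
"""PCP (RFC 6887) MAP request/response codec: an added example, not code
from the thread or from miniupnpd. Addresses, ports and the in-process
"server" are constructed for illustration."""
import os
import socket
import struct

PCP_VERSION = 2
PCP_SERVER_PORT = 5351        # PCP servers listen on this UDP port (RFC 6887)
OPCODE_MAP = 1
PROTO_UDP = 17
MAP_MESSAGE_LEN = 60          # 24-byte common header + 36-byte MAP opcode part

# RFC 6887 section 7.4 result codes.
RESULT_CODES = {
    0: "SUCCESS", 1: "UNSUPP_VERSION", 2: "NOT_AUTHORIZED",
    3: "MALFORMED_REQUEST", 4: "UNSUPP_OPCODE", 5: "UNSUPP_OPTION",
    6: "MALFORMED_OPTION", 7: "NETWORK_FAILURE", 8: "NO_RESOURCES",
    9: "UNSUPP_PROTOCOL", 10: "USER_EX_QUOTA", 11: "CANNOT_PROVIDE_EXTERNAL",
    12: "ADDRESS_MISMATCH", 13: "EXCESSIVE_REMOTE_PEERS",
}


def build_map_request(client_ip, internal_port, lifetime, proto=PROTO_UDP,
                      nonce=None, suggested_port=0, suggested_ip="::"):
    """Client side: a MAP request asking the router to open internal_port."""
    nonce = nonce if nonce is not None else os.urandom(12)
    if len(nonce) != 12:
        raise ValueError("mapping nonce must be 96 bits")
    # Common request header: version, R=0|opcode, 16 reserved bits,
    # requested lifetime, 128-bit PCP client address.
    header = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime)
    header += socket.inet_pton(socket.AF_INET6, client_ip)
    # MAP opcode part: nonce, protocol, 24 reserved bits, internal port,
    # suggested external port, suggested external address.
    body = nonce + struct.pack("!B3xHH", proto, internal_port, suggested_port)
    body += socket.inet_pton(socket.AF_INET6, suggested_ip)
    return header + body, nonce


def build_map_response(request, result=0, epoch=0, lifetime=None):
    """Constructed server side for this example: grant the request as asked.
    For a pure firewall (no NAT) the assigned external address and port are
    the client's own, so the router only has to open a pinhole."""
    _version, opcode, _reserved, req_lifetime = struct.unpack("!BBHI", request[:8])
    client_ip = request[8:24]
    nonce = request[24:36]
    proto, internal_port, _suggested = struct.unpack("!B3xHH", request[36:44])
    lifetime = req_lifetime if lifetime is None else lifetime
    # Common response header: version, R=1|opcode, reserved, result code,
    # lifetime, server epoch, 96 reserved bits.
    header = struct.pack("!BBBBII", PCP_VERSION, 0x80 | opcode, 0, result,
                         lifetime, epoch) + bytes(12)
    body = nonce + struct.pack("!B3xHH", proto, internal_port, internal_port)
    return header + body + client_ip


def parse_map_response(data, expected_nonce, internal_port, proto=PROTO_UDP):
    """Client side: validate a response before acting on it.
    Raises ValueError for anything that does not belong to our request."""
    if len(data) < MAP_MESSAGE_LEN:
        raise ValueError("short PCP message")
    version, r_opcode, _reserved, result, lifetime, epoch = struct.unpack(
        "!BBBBII", data[:12])
    if version != PCP_VERSION or r_opcode != (0x80 | OPCODE_MAP):
        raise ValueError("not a PCP v2 MAP response")
    # The nonce ties the response to our request; a response carrying a
    # different nonce is a reply to someone else or an attempt to spoof us.
    if data[24:36] != expected_nonce:
        raise ValueError("mapping nonce mismatch")
    r_proto, r_internal_port, external_port = struct.unpack("!B3xHH", data[36:44])
    if r_proto != proto or r_internal_port != internal_port:
        raise ValueError("response does not match the requested mapping")
    return {
        "result": RESULT_CODES.get(result, "UNKNOWN_%d" % result),
        "lifetime": lifetime,
        "epoch": epoch,
        "external_port": external_port,
        "external_ip": socket.inet_ntop(socket.AF_INET6, data[44:60]),
    }


def pinhole_exchange(client_ip="2001:db8::10", port=5060, lifetime=3600):
    """Run the whole exchange in-process against the constructed server."""
    request, nonce = build_map_request(client_ip, port, lifetime)
    response = build_map_response(request)
    return parse_map_response(response, nonce, port)
```

The nonce check is the part worth keeping in mind when a router hands pinhole control to clients: without it, any host on the LAN that can spoof the client's address could convince the client that a mapping exists (or does not) and steer its traffic accordingly. A non-zero result code means no pinhole was opened and the external fields in the response are not meaningful.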
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel