[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Aaron Z aaronz at pls-net.org
Tue Jul 15 11:45:27 EDT 2014

----- Original Message -----
On Monday, July 14, 2014 5:36:09 PM "Benjamin Cama" <benoar at dolka.fr> wrote:
> Hi everyone,
> Le lundi 14 juillet 2014 à 22:17 +0900, Baptiste Jonglez a écrit :
> > On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
> > > Hi Baptiste,
> > > 
> > > in general our current firewalling approach is to keep defaults
> > > for IPv4 and
> > > IPv6 relatively close (not considering NAT here of course).
> > 
> > Could you detail the reasoning behind this approach?  "Don't
> > confuse the user"?
> > 
> > I'd rather have "Don't bother the user": things should generally
> > just
> > work, without having to configure anything (in this case, port
> > forwarding).  But there is an obvious tradeoff with security.
> I agree with Baptiste here. There is no equivalent in IPv4 of “global
> reachability” by default with the NATs we have today, so we can't
> have
> the same defaults. Global reachability is how IP in general was meant
> to
> be; please, do not make it broken again.
As I understand it, this is NOT adding NAT, but (by default) blocking unsolicited incoming connections from the outside world to devices on the internal network (which dont necessarily need to be accessible from the outside world). That is the whole point in using a firewall is it not? To keep people out of where they shouldn't be.

> > > Opening up the IPv6 firewall by default would be unexpected and I
> > > don't
> > > really like the approach for that matter and honestly I don't
> > > trust
> > > client devices that much.
> > 
> > At least opening UDP ports > 1024 seems pretty reasonable, and
> > covers most
> > use-cases regarding VoIP and video.  But it does indeed depart from
> > the
> > IPv4 case (not sure if it is such a bad idea though).
> This looks like a good compromise to me. Knowledgeable users can
> disable
> the firewall for needed hosts, while for others this “just work”. PCP
> may be coming one day, but it's still not there yet, so we need not
> to
> break the default configuration while waiting for it.
Opening access from the outside to the inside as a default rule goes against the "principle of least privilege" on which firewall rules are generally predicated.
As I understand it, if a device on the inside of the network initiates the connection to a device on the outside (say from a VOIP phone to a VOIP server), return connections from the server are allowed. What gets blocked are unsolicited connections from the outside which are generally unneeded (and can be a security risk) unless one is running a server (in which case, the users should know how to open ports on their firewall).

Aaron Z
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list