[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Benjamin Cama benoar at dolka.fr
Wed Jul 16 13:08:48 EDT 2014

Le mercredi 16 juillet 2014 à 10:53 +0200, Benjamin Cama a écrit :
> Well, if you didn't want them to be accessible, you have many
> possibilities: bind it on some non-global address (LL, ULA), restrict it
> locally (/etc/hosts.deny when appropriate, custom configuration that
> limit access to some range, etc), use some authentication, configure
> your firewall appropriately (on the targeted machine or on your router),
I will give some example of this kind of protection, as I have been
operating an open IPv6 home network for more than four years:

      * My NFS server has a DNS wildcard rule in /etc/exports to limit
        who can connect
      * One of my webserver (running nginx), which is not public
        (contrary to another one) is restricted with some allow/deny
        rule (à la Apache); I put my local /56. As I have separated LAN
        from wireless access (different /64), I could even choose not to
        authorize from wifi but let Ethernet through. Or VPN. Or
      * Same for rsync
      * Local SMTP who don't have to receive mail from outside are just
        bound to ::1…
      * My munin on several hosts also have some filters
      * My SSH is configured with public key only authentication (no
        password), but accept connections from everywhere

Even then, a lot of these services are below 1024, so they would be
“protected” by the proposed compromise.

On the other hand, I had to do nothing appart from starting the service
to offer web access, SMTP, ssh, imap, pop, XMPP, DNS, bittorrent (to
several clients), git server, and I even do mobile IPv6. On several
hosts; and every guest in my house can do the same. I wish anyone could
try this at home, as this gives really a different feeling of what a
real “inter-network” access can be.

Of course, on the bad side, you have to adapt to the configuration of
every software that you want to restrict access to. I wish more of them
offered the tcp-wrappers common restriction ability. If you don't want
to adapt, then you can go to your firewall config and do the same here.
Well, you could even do everything I told from your firewall
configuration if you wanted. I totally want people to be able to do
that. But forbidding every inbound flow *by default* is to me a bad

The advantage I have over other people, maybe, is that I control all the
end points I have (they all run free software), so I may be more
confident than others. But this is no real reasons to me: as Gert said,
every device should be configured in a way that it must be quite
resistant to most attacks. This is how the Internet is going to be
anyway; you will always find yourself one day on some network you don't
know, and your device should be prepared. If you want to be paranoid and
block everything on your own network, fine, do it. But the principle of
a remote communication through a network is to be reachable, so better
be reachable by default ;-)

BTW, if you fear being scanned, the IPv6 address space is so big that
host that are not publicly known don't risk much. Of course, we are not
immune to absolutely every risk, but so is any device, being protected
by a firewall or not.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list