[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Gui Iribarren gui at altermundi.net
Wed Jul 16 14:10:53 EDT 2014

On 16/07/14 12:09, Gert Doering wrote:
> Hi,
> On Wed, Jul 16, 2014 at 08:41:50AM -0300, Gui Iribarren wrote:
>> then, what happens when those devices are deployed in a myriad of
>> real-world scenarios? hackers rejoice!
> This actually is a somewhat moot arguments.  Devices travel today, and
> while your home network and office network might be behind a firewall,
> the hotspot you're using while waiting for your train might not be.
> So with todays devices, every device needs to be able to protect itself
> (i.e.: host firewall, services only accepting connection from "local
> network", etc. - windows 7 doing a fairly good job with this today).
> The old model "strong firewall, weak devices behind it" is just a thing
> not matching reality anymore...

Ah, sorry if irony blurred my position:
your point, Gert, is exactly my point :)

in other words, we're both on the same side: my arguments are in favour
of openwrt having an open ipv6 firewall by default, so to put the policy
back into end-devices hands (where it always should have been)

Benjamin is giving some great examples of real-world scenarios where an
default-open firewall simplifies administration,
and where a default-closed firewall would be not only unnecessary
(provides no benefits), but would indeed complicate setting up things.

proprietary-software personal devices are a special case - granted.
putting that aside, i think it's insightful to consider that a person
that has admin access to all her mobile devices config (which carries
every day), so to publish (or restrict) services at her own will,
if and only if the network devices upstream (to which might have no
control over) have a default-open firewall.

in ipv4 world, there was no discussion: a default-open inbound policy in
routers that would let end-hosts decide, was simply not possible.
why carry that legacy restriction into the wonderful ipv6 world?



> gert
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list