[OpenWrt-Devel] OpenWRT IPv6 firewall

Bill Moffitt bmoffitt at ayrstone.com
Wed Jul 16 15:21:17 EDT 2014

I'd like to chime in to this thread as someone who has spent a fair bit 
of time supporting end users (primarily home and small office users) 
setting up and using "consumer grade" routers.

All these routers today, of course, necessarily come NATted, meaning no 
ports are open to the Internet. Users are accustomed to being able to 
connect their computers to the router's network and be shielded from 
unwanted intrusions from outside by the NAT "firewall." I believe the 
default behavior of an IPv6 "consumer-grade" router should be the same: 
all ports blocked.

Of course, it seems foolish to have global addressing and then have a 
router that blocks client devices, but here is my reasoning:

1.) In the IPv6 world, the firewall should rightfully migrate from the 
router to the device, but that transition won't be simultaneous with the 
availability of v6. For some transitional time, we'll have legacy 
devices on the network that are v6-capable but not necessarily v6-safe - 
and consumer-grade users will probably not realize it. At the least, 
users won't be accustomed to having their printer "visible" to the whole 
world and will need time to understand that they need to have strong 
passwords on their printers, cameras, thermostats, dog feeders, etc. (or 
explicitly block them)

2.) I believe that the transition to v6 in the U.S. and Europe is not 
going to be slow and orderly, but will be sudden and chaotic, driven by 
emergent demand for some service that arises in a manner that 
necessitates v6 access. For that reason, I think that maintaining 
behavior similar to what consumers see today will be critical in user 

I expect that, over time, users will become accustomed to the 
"end-to-end" nature of the v6 Internet and may demand that the firewall 
be "open" by default, and I would certainly propose that we have a 
simple checkbox in LUCI that allows the firewall to be changed from "all 
closed except explicitly open ports" to "all open" in one action. At 
some point we would probably change the default behavior from "all 
closed" to "all open."

However, for the moment, I would argue that the "rightness" of following 
expected behavior is greater than the "rightness" of delivering the true 
"end-to-end" nature of v6.


-Bill Moffitt
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list