[OpenWrt-Devel] OpenWRT IPv6 firewall
Bill Moffitt
bmoffitt at ayrstone.com
Wed Jul 16 15:21:17 EDT 2014
I'd like to chime in to this thread as someone who has spent a fair bit
of time supporting end users (primarily home and small office users)
setting up and using "consumer grade" routers.
All these routers today, of course, necessarily come NATted, meaning no
ports are open to the Internet. Users are accustomed to being able to
connect their computers to the router's network and be shielded from
unwanted intrusions from outside by the NAT "firewall." I believe the
default behavior of an IPv6 "consumer-grade" router should be the same:
all ports blocked.
Of course, it seems foolish to have global addressing and then have a
router that blocks client devices, but here is my reasoning:
1.) In the IPv6 world, the firewall should rightfully migrate from the
router to the device, but that transition won't be simultaneous with the
availability of v6. For some transitional time, we'll have legacy
devices on the network that are v6-capable but not necessarily v6-safe -
and consumer-grade users will probably not realize it. At the least,
users won't be accustomed to having their printer "visible" to the whole
world and will need time to understand that they need to have strong
passwords on their printers, cameras, thermostats, dog feeders, etc. (or
explicitly block them).
2.) I believe that the transition to v6 in the U.S. and Europe is not
going to be slow and orderly, but will be sudden and chaotic, driven by
emergent demand for some service that arises in a manner that
necessitates v6 access. For that reason, I think that maintaining
behavior similar to what consumers see today will be critical in user
satisfaction.
I expect that, over time, users will become accustomed to the
"end-to-end" nature of the v6 Internet and may demand that the firewall
be "open" by default, and I would certainly propose that we have a
simple checkbox in LuCI that allows the firewall to be changed from "all
closed except explicitly open ports" to "all open" in one action. At
some point we would probably change the default behavior from "all
closed" to "all open."
However, for the moment, I would argue that the "rightness" of following
expected behavior is greater than the "rightness" of delivering the true
"end-to-end" nature of v6.
FWIW,
-Bill Moffitt
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel