[OpenWrt-Devel] OpenWRT IPv6 firewall
Gui Iribarren
gui at altermundi.net
Wed Jul 16 16:41:07 EDT 2014
On 16/07/14 16:21, Bill Moffitt wrote:
> I'd like to chime in to this thread as someone who has spent a fair bit
> of time supporting end users (primarily home and small office users)
> setting up and using "consumer grade" routers.
>
> All these routers today, of course, necessarily come NATted, meaning no
> ports are open to the Internet. Users are accustomed to being able to
> connect their computers to the router's network and be shielded from
> unwanted intrusions from outside by the NAT "firewall." I believe the
> default behavior of an IPv6 "consumer-grade" router should be the same:
> all ports blocked.
Does TP-Link routers qualify as "consumer-grade"?
I've just went back to stock firmware on a tl-wdr3500 to confirm, and
the result is attached in the screenshot.
tl;dr: TP-Link ships SOHO devices with a default-open ipv6 firewall.
"nogal" (top xterm) is on 2a00:1508:1:f002::/64, a network set up with
RA SLAAC. That network is connected to the WAN port of the stock
tl-wdr3500, which correctly gets the RA and autoconfigures
2a00:1508:1:f002:a2f3:c1ff:fe46:2837/64 on its WAN port.
then, i connected my laptop to a LAN port and set up the 2001:db8::/64
test network that can be seen in the webgui.
added a static route on nogal ("the Internet")
# ip -6 r add 2001:db8::/64 via fe80::a2f3:c1ff:fe46:2837 dev br-lan
and an static ip on guipc ("my personal device")
# sudo ip a add dev eth0 2001:db8::1/64
no port filtering on incoming ipv6 traffic WAN->LAN is done by TP-Link
stock firmware.
i can open inbound connections with nc on ports both <1024 and >1024
from outside to my laptop.
stock firmware is demoed at:
http://www.tp-link.com/en/support/emulators/?model=TL-WDR3500
> I expect that, over time, users will become accustomed to the
> "end-to-end" nature of the v6 Internet and may demand that the firewall
> be "open" by default, and I would certainly propose that we have a
> simple checkbox in LUCI that allows the firewall to be changed from "all
> closed except explicitly open ports" to "all open" in one action. At
> some point we would probably change the default behavior from "all
> closed" to "all open."
What about... at *this* point? :) (i.e. before BB rc2 freeze)
> However, for the moment, I would argue that the "rightness" of following
> expected behavior is greater than the "rightness" of delivering the true
> "end-to-end" nature of v6.
At least Swisscom (according to Baptiste) and TP-Link seem to have
solved the dilemma by defining "expected behaviour" = the true
end-to-end nature of v6 :P hurray!
Cheers!
>
> FWIW,
>
> -Bill Moffitt
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TLWDR3500_IPv6_test_2014-07-16.png
Type: image/png
Size: 187815 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20140716/b06af274/attachment.png>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list