[OpenWrt-Devel] OpenWRT IPv6 firewall

Ondřej Caletka ondrej at caletka.cz
Thu Jul 17 04:25:05 EDT 2014

Dne 16.7.2014 22:41, Gui Iribarren napsal(a):
>> > I expect that, over time, users will become accustomed to the
>> > "end-to-end" nature of the v6 Internet and may demand that the firewall
>> > be "open" by default, and I would certainly propose that we have a
>> > simple checkbox in LUCI that allows the firewall to be changed from "all
>> > closed except explicitly open ports" to "all open" in one action. At
>> > some point we would probably change the default behavior from "all
>> > closed" to "all open."
> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>> > However, for the moment, I would argue that the "rightness" of following
>> > expected behavior is greater than the "rightness" of delivering the true
>> > "end-to-end" nature of v6.
> At least Swisscom (according to Baptiste) and TP-Link seem to have
> solved the dilemma by defining "expected behaviour" = the true
> end-to-end nature of v6 :P hurray!

+1 for having default firewall settings somewhat more open. IMO opening
incoming connections to TCP/UDP ports greater than 1024 as well as all
other protocols that don't use port numbers would be the best compromise
between security and usability.

Blocking ports lower than 1024 should be sufficient to protect legacy
stuff with exploitable telnet, SSH or HTTP/S management interfaces, as
well as it would block unintended file sharing from home NAS-es using
CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted
flow of P2P traffic, as well as ad-hoc servers in home network (For
instance, I like to share a file by running an ad-hoc HTTP server and
sharing a link such as http://[2001:db8:123:456::2]:8080/).

I think that reasonable default matters, because sometimes, you are not
able to change the setting of home router (like visiting a friend or on
public hotspot). It would be sad if you had to use some sort of VPN or
IPv6-over-IPv6 tunnelling just to overcome the firewall.

Ondřej Caletka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4287 bytes
Desc: Elektronicky podpis S/MIME
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20140717/9f26e07c/attachment.p7s>
-------------- next part --------------
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list