[OpenWrt-Devel] OpenWRT IPv6 firewall

Fernando Frediani fhfrediani at gmail.com
Thu Jul 17 10:21:32 EDT 2014


Hello guys,

This discussion is becoming each day more confusing for something which, 
for me, is very simple assuming the following:

     - IPv6, like IPv4, should block *any incoming connection* on the WAN 
interface, including those directed to the LAN IPs behind it.
     - If a client in the LAN initiates a connection to outside, the 
return traffic for this connection will pass through just fine, as it already 
does on IPv4 (assume NAT is not in use).
     - If a server in the LAN needs incoming connections, it will be 
allowed on a per-port or per-IP basis on the router.
     - If one wants to use the OpenWRT router just as a router and not 
as router+firewall, he can just disable the firewall role globally (all 
open X all closed) and let all traffic pass to the networks behind it.

What is making it more complicated than this ?

Regards,

Fernando

On 17/07/2014 09:25, Ondřej Caletka wrote:
> On 16.7.2014 22:41, Gui Iribarren wrote:
>>>> I expect that, over time, users will become accustomed to the
>>>> "end-to-end" nature of the v6 Internet and may demand that the firewall
>>>> be "open" by default, and I would certainly propose that we have a
>>>> simple checkbox in LUCI that allows the firewall to be changed from "all
>>>> closed except explicitly open ports" to "all open" in one action. At
>>>> some point we would probably change the default behavior from "all
>>>> closed" to "all open."
>> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>>
>>
>>>> However, for the moment, I would argue that the "rightness" of following
>>>> expected behavior is greater than the "rightness" of delivering the true
>>>> "end-to-end" nature of v6.
>> At least Swisscom (according to Baptiste) and TP-Link seem to have
>> solved the dilemma by defining "expected behaviour" = the true
>> end-to-end nature of v6 :P hurray!
> +1 for having default firewall settings somewhat more open. IMO opening
> incoming connections to TCP/UDP ports greater than 1024 as well as all
> other protocols that don't use port numbers would be the best compromise
> between security and usability.
>
> Blocking ports lower than 1024 should be sufficient to protect legacy
> stuff with exploitable telnet, SSH or HTTP/S management interfaces, and
> it would also block unintended file sharing from home NASes using
> CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted
> flow of P2P traffic, as well as ad-hoc servers in the home network (for
> instance, I like to share a file by running an ad-hoc HTTP server and
> sharing a link such as http://[2001:db8:123:456::2]:8080/).
>
> I think that reasonable default matters, because sometimes, you are not
> able to change the setting of home router (like visiting a friend or on
> public hotspot). It would be sad if you had to use some sort of VPN or
> IPv6-over-IPv6 tunnelling just to overcome the firewall.
>
> Cheers!
> Ondřej Caletka
>
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
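
What the four points above and Ondřej's ">1024" compromise look like as OpenWrt firewall (fw3) UCI in /etc/config/firewall, as an added example; this is not the shipped default nor anything posted in the thread. The LAN host 2001:db8:123:456::2 and port 8080 are taken from Ondřej's URL; the rule names and the 'wan6' interface name are assumptions, and the ICMPv6 rules are a simplified form of what OpenWrt ships (the defaults also restrict icmp_type and rate-limit).

```uci
# /etc/config/firewall (fragment, added example; not the OpenWrt default)

# Point 1: WAN zone is default-deny, both for the router itself (input)
# and for hosts behind it (forward).
# Point 2: fw3 accepts return traffic of LAN-initiated flows through
# conntrack (ESTABLISHED,RELATED), so no rule is needed for it, with or
# without NAT.
config zone
	option name		'wan'
	list   network		'wan'
	list   network		'wan6'		# IPv6 WAN interface; name assumed
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'		# IPv4 only; fw3 (2014) does not masquerade IPv6
	option mtu_fix		'1'

config zone
	option name		'lan'
	list   network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'

# LAN may initiate anything towards WAN.
config forwarding
	option src		'lan'
	option dest		'wan'

# Neighbor Discovery, RAs and PMTUD are ICMPv6; a "closed" IPv6 firewall
# that drops these breaks IPv6 entirely, so they stay open even by default.
config rule
	option name		'Allow-ICMPv6-Input'
	option src		'wan'
	option proto		'icmp'
	option family		'ipv6'
	option target		'ACCEPT'

config rule
	option name		'Allow-ICMPv6-Forward'
	option src		'wan'
	option dest		'*'
	option proto		'icmp'
	option family		'ipv6'
	option target		'ACCEPT'

# Point 3: one explicit per-IP, per-port exception: Ondřej's ad-hoc
# HTTP server at http://[2001:db8:123:456::2]:8080/.
config rule
	option name		'Allow-adhoc-http-v6'
	option src		'wan'
	option dest		'lan'
	option dest_ip		'2001:db8:123:456::2'
	option dest_port	'8080'
	option proto		'tcp'
	option family		'ipv6'
	option target		'ACCEPT'

# Ondřej's compromise, as an alternative to per-host rules: pass all
# unprivileged TCP/UDP ports, keep <1024 closed. fw3 has no
# "every protocol except tcp/udp" selector, so the non-port protocols he
# also wants to pass (e.g. esp, ah, gre) would need their own rule
# listing them by name or number. Commented out so both variants are
# not active at once.
#config rule
#	option name		'Allow-unprivileged-ports-v6'
#	option src		'wan'
#	option dest		'lan'
#	option proto		'tcpudp'
#	option dest_port	'1024-65535'
#	option family		'ipv6'
#	option target		'ACCEPT'
```

Point 4 (router only, no firewall role) is not a rule but the absence of filtering: set the wan zone's input and forward to ACCEPT, or stop and disable the firewall service. Whichever variant is chosen, verify what fw3 actually generated on the box with `fw3 print` or `ip6tables -S zone_wan_forward`, and test from outside with a probe to a LAN address, since the IPv4 rules say nothing about what reaches global IPv6 addresses behind the router.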
