[OpenWrt-Devel] OpenWRT IPv6 firewall

Benjamin Cama benoar at dolka.fr
Thu Jul 17 14:08:45 EDT 2014

Hi Bill,

Le mercredi 16 juillet 2014 à 12:21 -0700, Bill Moffitt a écrit :
> All these routers today, of course, necessarily come NATted, meaning no 
> ports are open to the Internet. Users are accustomed to being able to 
> connect their computers to the router's network and be shielded from 
> unwanted intrusions from outside by the NAT "firewall."

No. Users are used to thing “just working”. They don't know what NAT or
a firewall is. They think they are secured because the vendor of their
devices did his job well.

Their Skype phone work because it uses some kludge that make it look
like a malware from a network security point-of-view. It is kind of
secure because you have allowed only one overlord (Microsoft) to access
your machine and your network. You have to trust Microsoft: no layer of
firewall or anything (apart from cutting yourself completely from the
Internet) will stop your computer from being tied to the Skype network.
So you have to trust them. If you didn't want to be reachable by Skype,
just don't use it, and you won't be reachable, even with no firewall at
all on your router.

Your game console “just work” because it uses a supplementary protocol
(UPnP) that make incoming connections to your console possible. This
doesn't render your console more secure: it would have been the same if
you had global reachability and no firewall. It is just a supplementary
layer that has only one advantage: software not implementing it can't be
globally reachable. So, every software that wants to be reachable has to
do so, or they just die as of yesterday. Every software that does not
just can stay as is; with IPv6, they just could have bound to some
link-local address: the one bound to a global address would have gotten
global reachability “magically”.

> 1.) In the IPv6 world, the firewall should rightfully migrate from the 
> router to the device, but that transition won't be simultaneous with the 
> availability of v6. For some transitional time, we'll have legacy 
> devices on the network that are v6-capable but not necessarily v6-safe - 
> and consumer-grade users will probably not realize it. At the least, 
> users won't be accustomed to having their printer "visible" to the whole 
> world and will need time to understand that they need to have strong 
> passwords on their printers, cameras, thermostats, dog feeders, etc. (or 
> explicitly block them)

If the use of such device is meant to be by default “local”, the
manufacturer should somehow restrict its use by default. But printers
may have reason to be globally reachable, if one wants to share it
between several networks. You can configure it (or your firewall) to
restrict its access once you have decided to make it global (as I
suggested, I don't think this would be a good default; I hope the
manufacturers get it…).

> 2.) I believe that the transition to v6 in the U.S. and Europe is not 
> going to be slow and orderly, but will be sudden and chaotic, driven by 
> emergent demand for some service that arises in a manner that 
> necessitates v6 access.

The demande has been their for decades (IP phones for everybody,
anyone?). But I agree that it may be chaotic anyway.

> For that reason, I think that maintaining 
> behavior similar to what consumers see today will be critical in user 
> satisfaction.

The “behavior” casual people are “seeing” today has nothing to do with
their device having global IPv6 reachability or not: they just want
things to work. One way of having IP phones everywhere is to find more
kludges to get through firewalls and praying for nice intermediaries not
to mess with your communications (like MS cited above), the other one is
to have it basically done at the IP level, with IPv6 and global
reachability by default.

> I expect that, over time, users will become accustomed to the 
> "end-to-end" nature of the v6 Internet and may demand that the firewall 
> be "open" by default,

No normal people ask for their firewall to be open by default: only
geeks do.

> and I would certainly propose that we have a 
> simple checkbox in LUCI that allows the firewall to be changed from "all 
> closed except explicitly open ports" to "all open" in one action. At 
> some point we would probably change the default behavior from "all 
> closed" to "all open."

“At some point” being too late.

openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list