[OpenWrt-Devel] OpenWRT IPv6 firewall
Gert Doering
gert at greenie.muc.de
Fri Jul 18 05:03:14 EDT 2014
Hi,

On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
> Regarding firewalling: I understand and support your point for
> end-to-end connectivity though there are still quite a few people
> (including myself) who have reservations about the security
> implications.

This discussion here is very much the same discussion as everywhere
when the topic pops up.

There's basically 3 sides here:

 - I want a firewall that mimics IPv4 NAT default-closed behaviour

 - I want IPv6 to be end-to-end so applications can just work and not
   bother with PCP, firewall traversal, etc.

 - I want a firewall but one that defaults to open for $somestuff and
   to close for $otherstuff (swisscom model)

I don't think we will be able to agree here any more than on the IETF
lists or whatever.

But what we (uh, Steven :) ) can do is: provide easily selectable
"firewall profiles" that match the 3 "common scenarios". As of today,
OpenWRT routers are not "autoconfig" yet, but you need to put in some
config anyway (like, the protocol and username/password used to
connect to your ISP).

If we could have a "basic firewall switch" there that has 4 settings
"closed", "fully open", "balanced (swisscom model)" or "customized",
this should enable users to get what they want without having to
really think about firewall rules, ports, etc.

Of course the question remains "what should the default be", and I'm
not sure we can come to an agreement on this.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de