[OpenWrt-Devel] OpenWRT IPv6 firewall
David Lang
david at lang.hm
Fri Jul 18 19:01:18 EDT 2014
On Fri, 18 Jul 2014 10:21:56 -0700, Bill wrote:
> Gert Doering wrote:
>
> On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
>>> Regarding firewalling: I understand and support your point for
>>> end-to-end connectivity though there are still quite a few people
>>> (including myself) who have reservations about the security
>>> implications.
>> This discussion here is very much the same discussion as everywhere
>> when the topic pops up.
>>
>> There's basically 3 sides here:
>>
>> - I want a firewall that mimics IPv4 NAT default-closed behaviour
>>
>> - I want IPv6 to be end-to-end so applications can just work and not
>> bother with PCP, firewall traversal, etc.
>>
>> - I want a firewall but one that defaults to open for $somestuff and
>> to close for $otherstuff (swisscom model)
>>
>> I don't think we will be able to agree here any more than on the IETF
>> lists or whatever.
>>
>> But what we (uh, Steven :) ) can do is: provide easily selectable
>> "firewall profiles" that match the 3 "common scenarios". As of today,
>> OpenWRT routers are not "autoconfig" yet, but you need to put in some
>> config anyway (like, the protocol and username/password used to
>> connect to your ISP).
>>
>> If we could have a "basic firewall switch" there that has 4 settings
>> "closed", "fully open", "balanced (swisscom model)" or "customized",
>> this should enable users to get what they want without having to
>> really think about firewall rules, ports, etc.
> I agree - this is an excellent approach
I also agree, this set of basic defaults is good.
>> Of course the question remains "what should the default be", and I'm
>> not sure we can come to an agreement on this.
> My own thoughts on this are evolving. In real life (whatever that
> is), I consider myself more a product manager (marketing guy) than a
> developer, so I'm interested in the customer experience of the final
> product. Of course, the final product is really a router, and OpenWRT
> would be a component of that router.
>
> In all fairness, as I'm building that router product, I'm going to
> modify OpenWRT to meet the needs of the market. So, the bottom line is
> that, whatever the default is in OpenWRT, I'm going to go ahead and
> set it to what I need it to be in my build, before I blow it on to the
> router (or whatever) that the customer sees.
>
> The end user of the router would be a random customer (let's just
> say, "someone's mom"), and I am responsible for that customer's
> experience. Being the experienced (some might say, "cynical")
> individual I am, I'd want it to be "idiot-friendly" - removing as many
> opportunities for the end user to get into trouble as possible. So, at
> least at this point in time, I'm going to close all the ports by
> default. I'd rather face the prospect of helping the customer open the
> ports as they need that "end-to-end" connectivity than the prospect of
> someone saying, "you sold me a router that's unexpectedly wide open to
> the Internet and everyone in the world is sending all manner of nasty
> stuff to my printer."
>
> However, *I* am actually the end user of OpenWRT - it's reasonable to
> assume that anyone who is downloading OpenWRT or building it from
> source is sufficiently advanced in their knowledge (or at least wants
> to be) that they would expect it to be "expert-friendly," not
> "idiot-friendly."
>
> From that perspective, I still think that having the router block all
> ports (as is done in v4 "consumer-grade" routers today) is the
> "idiot-friendly" default, but, after thinking about it more, I think
> that Gert's "balanced" approach is probably the "expert-friendly"
> default and the one I would want and expect in the OpenWRT builds.
I think the default should be idiot-friendly. Having the easy knob to
toggle to make it 'expert-friendly' should be enough. If the 'expert'
can't flip that knob, they can't secure their network either.
> FWIW,
>
> Bill
>
> P.S. No, my printer is not v6-ready, either, but let's assume there
> are some that are...
That's a real example that has been exploited in the past, especially
with the very expensive, high-end printer/copiers sold to businesses.
Again, from companies that "should know better".
David Lang
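As an added illustration (not code from this thread or from the OpenWrt project), the "basic firewall switch" Gert proposes could start as a small shell helper that emits the wan-zone stanza of /etc/config/firewall (UCI syntax) for a chosen profile; the function name, the per-profile policies and the port list used for "balanced" are assumptions made here for the example.

```shell
#!/bin/sh
# Emit an IPv6 wan-zone firewall stanza for one "basic firewall switch"
# profile. Added example; the profile semantics below are assumptions,
# not OpenWrt's shipped defaults.
#
# ipv6_profile_zone PROFILE [TCP_PORTS]
#   closed   - reject unsolicited inbound and forwarded traffic
#              (mimics the IPv4 NAT default-closed behaviour)
#   open     - end-to-end: forward everything from wan to lan
#   balanced - default-closed, plus explicit allow rules for the
#              listed TCP ports (the "open for $somestuff" model)
ipv6_profile_zone() {
    profile=$1
    ports=$2
    case "$profile" in
        closed)   fwd=REJECT ;;
        open)     fwd=ACCEPT ;;
        balanced) fwd=REJECT ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    # The router itself never accepts unsolicited wan input in any profile;
    # only the forward policy (traffic to hosts behind it) differs.
    printf 'config zone\n'
    printf "\toption name 'wan'\n"
    printf "\tlist network 'wan6'\n"
    printf "\toption family 'ipv6'\n"
    printf "\toption input 'REJECT'\n"
    printf "\toption output 'ACCEPT'\n"
    printf "\toption forward '%s'\n" "$fwd"
    if [ "$profile" = balanced ]; then
        for p in $ports; do
            # One explicit wan->lan allow rule per listed TCP port.
            printf '\nconfig rule\n'
            printf "\toption name 'Allow-IPv6-tcp-%s'\n" "$p"
            printf "\toption src 'wan'\n"
            printf "\toption dest 'lan'\n"
            printf "\toption family 'ipv6'\n"
            printf "\toption proto 'tcp'\n"
            printf "\toption dest_port '%s'\n" "$p"
            printf "\toption target 'ACCEPT'\n"
        done
    fi
}
```

Running `ipv6_profile_zone balanced "22 443"` prints a default-closed wan zone followed by two allow rules; a "customized" profile would simply leave the existing configuration untouched.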
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel