[OpenWrt-Devel] OpenWRT IPv6 firewall
david at lang.hm
Mon Jul 21 03:18:46 EDT 2014
On Mon, 21 Jul 2014, Gert Doering wrote:
> On Sun, Jul 20, 2014 at 03:50:24PM -0700, David Lang wrote:
>>> I'm well aware of all the bullshit that is knocking on my doors all
>>> day. Point is, firewalls on the *routers* are not going to help the
>>> laptop that moves around, attaches to a Wifi Hotspot, is hacked there,
>>> gets moved back behind your firewall, and starts hacking others from
>>> there. And it doesn't help the desktop PC that neglected to do any
>>> updates, gets infected by flash/pdf/word exploit, and starts scanning
>>> your network, behind the firewall.
>> The problem here isn't with laptops, it's with TVs, light bulbs,
>> thermostats, digital picture frames, etc.
>> These are the types of devices that I'm worried about protecting.
> Yes, so how do you protect them from the malware on your PC and Laptop,
> which both are behind the firewall?
> A hacker "from the wild" is likely to not even *find* the device if it's
> using EUI64 IPv6 addressing and not registered in DNS, while an attacker
> on the same LAN just needs to ping ff02::1 to see them all, wide open...
The argument was that laptops are better protected nowadays because they
routinely get exposed outside the home network.
I agree that they are far better than they used to be, but I am saying that
there is this other class of devices that is not benefiting from the attention
that the desktop OSs are getting, and these devices are absolutely quality.
No, having a default-deny perimeter doesn't protect you from a laptop on the
inside, but it does protect you from everyone else's laptops outside.
While it is nice to say that IPv6 has a large address space and so nobody
will ever scan it, I don't believe it. When IPv4 started out, people didn't
believe that scanning it was going to be practical either. And since common
methods of assigning IPv6 addresses are either sequential (DHCP) or based on MAC
addresses (fairly predictable per vendor), I expect that scanning is going to
As for the "doing a scan against someone else's IPv6 address space is a DoS
against your service", remember that these people aren't doing the scan from
_their_ internet connection, they are doing it from botnets, so they are using