[OpenWrt-Devel] OpenWRT IPv6 firewall

David Lang david at lang.hm
Mon Jul 21 03:18:46 EDT 2014

On Mon, 21 Jul 2014, Gert Doering wrote:

> Hi,
> On Sun, Jul 20, 2014 at 03:50:24PM -0700, David Lang wrote:
>>> I'm well aware of all the bullshit that is knocking on my doors all
>>> day.  Point is, firewalls on the *routers* are not going to help the
>>> laptop that moves around, attaches to a Wifi Hotspot, is hacked there,
>>> gets moved back behind your firewall, and starts hacking others from
>>> there.  And it doesn't help the desktop PC that neglected to do any
>>> updates, gets infected by flash/pdf/word exploit, and starts scanning
>>> your network, behind the firewall.
>> The problem here isn't with laptops, it's with TVs, light Bulbs,
>> Thermostats, digital picture frames, etc.
>> These are the types of devices that I'm worried about protecting.
> Yes, so how do you protect them from the malware on your PC and Laptop,
> which both are behind the firewall?
> A hacker "from the wild" is likely to not even *find* the device if it's
> using EUI64 IPv6 addressing and not registered in DNS, while an attacker
> on the same LAN just needs to ping ff02::1 to see them all, wide open...

The argument was that laptops are better protected nowadays because they
routinely get exposed outside the home network.

I agree that they are far better than they used to be, but I am saying that
there is this other class of devices that is not benefiting from the attention
that the desktop OSs are getting, and these devices are absolutely quality.

No, having a default-deny perimeter doesn't protect you from a laptop on the
inside, but it does protect you from everyone else's laptops outside.

While it is nice to say that IPv6 has a large address space and so nobody 
will ever scan it, I don't believe it. When IPv4 started out, people didn't 
believe that scanning it was going to be practical either. And since common 
methods of assigning IPv6 addresses are either sequential (DHCP) or based on MAC 
addresses (fairly predictable per vendor), I expect that scanning is going to 

As for the "doing a scan against someone else's IPv6 address space is a DoS
against your service", remember that these people aren't doing the scan from
_their_ internet connection, they are doing it from botnets, so they are using
"free bandwidth".

David Lang
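An added example, not part of this thread, illustrating the point about MAC-based (EUI-64) addresses being predictable: it derives the modified EUI-64 interface identifier as specified in RFC 4291 Appendix A, and gives a defender a way to audit a neighbor table for addresses that embed a MAC, so those hosts can be moved to privacy addresses (RFC 4941) or covered by host-level filtering. The prefix, MAC and neighbor addresses below are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the NIC-specific half, then flip the
    # universal/local bit (0x02 of the first octet).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """The SLAAC address a host with this MAC takes in a /64 without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if the address looks EUI-64 derived, else None.

    The ff:fe marker in octets 3-4 of the IID is the tell-tale; a random
    (RFC 4941) IID matches it with probability 1/65536, so treat a hit as a
    strong hint to verify against the neighbor's link-layer address.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def audit_neighbors(addresses: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address to the embedded MAC (predictable) or None (not EUI-64)."""
    return {a: mac_from_eui64(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample: what a `ip -6 neigh` listing on the LAN might contain.
    sample = ["2001:db8::211:22ff:fe33:4455", "2001:db8::1a2b:3c4d:5e6f:7081"]
    for addr, mac in audit_neighbors(sample).items():
        print(addr, "-> EUI-64 from MAC", mac if mac else "(not MAC-derived)")
```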
