[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Benjamin Cama benoar at dolka.fr
Mon Jul 14 17:36:09 EDT 2014


Hi everyone,

On Monday, 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
> On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
> > Hi Baptiste,
> > 
> > in general our current firewalling approach is to keep defaults for IPv4 and
> > IPv6 relatively close (not considering NAT here of course).
> 
> Could you detail the reasoning behind this approach?  "Don't confuse the user"?
> 
> I'd rather have "Don't bother the user": things should generally just
> work, without having to configure anything (in this case, port
> forwarding).  But there is an obvious tradeoff with security.

I agree with Baptiste here. There is no equivalent in IPv4 of “global
reachability” by default with the NATs we have today, so we can't have
the same defaults. Global reachability is how IP in general was meant to
be; please, do not make it broken again.

> > Opening up the IPv6 firewall by default would be unexpected and I don't
> > really like the approach for that matter and honestly I don't trust
> > client devices that much.
> 
> At least opening UDP ports > 1024 seems pretty reasonable, and covers most
> use-cases regarding VoIP and video.  But it does indeed depart from the
> IPv4 case (not sure if it is such a bad idea though).

This looks like a good compromise to me. Knowledgeable users can disable
the firewall for needed hosts, while for others this “just works”. PCP
may be coming one day, but it's still not there yet, so we need not
break the default configuration while waiting for it.

Regards,
--
benjamin
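What the "open UDP ports > 1024 for IPv6" compromise discussed above would look like in OpenWrt's UCI firewall syntax, as an added illustration that is not part of this thread and not a rule shipped by the project; the rule names, the `wan`/`lan` zone names and the sample host address are assumptions.

```ini
# /etc/config/firewall fragment (hypothetical): forward inbound IPv6 UDP
# on unprivileged ports from the WAN zone to every host in the LAN zone.
# This is the broad variant from the discussion; it exposes all LAN hosts.
config rule
	option name 'Allow-IPv6-UDP-Unprivileged'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'udp'
	option dest_port '1024-65535'
	option target 'ACCEPT'

# Narrower alternative for the "knowledgeable user" case: keep the
# default-deny forwarding policy and open the range only towards one
# host (sample address constructed from the documentation prefix).
config rule
	option name 'Allow-IPv6-UDP-Unprivileged-VoIP-Host'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'udp'
	option dest_ip '2001:db8::10'
	option dest_port '1024-65535'
	option target 'ACCEPT'
```

Only one of the two rules is meant to be present; the broad one should be reviewed on each device it would be enabled on, since every LAN host then answers directly to unsolicited UDP from the Internet.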