On Wednesday, 16 July 2014 at 10:53 +0200, Benjamin Cama wrote:
> Well, if you didn't want them to be accessible, you have many
> possibilities: bind it on some non-global address (LL, ULA), restrict it
> locally (/etc/hosts.deny when appropriate, custom configuration that
> limit access to some range, etc), use some authentication, configure
> your firewall appropriately (on the targeted machine or on your router),
> …
I will give some examples of this kind of protection, as I have been operating an open IPv6 home network for more than four years:

* My NFS server has a DNS wildcard rule in /etc/exports to limit who can connect
* One of my web servers (running nginx), which is not public (contrary to another one), is restricted with some allow/deny rules (à la Apache); I put my local /56. As I have separated LAN from wireless access (different /64), I could even choose not to authorize from wifi but let Ethernet through. Or VPN. Or whatever.
* Same for rsync
* Local SMTP servers that don't have to receive mail from outside are just bound to ::1…
* My munin on several hosts also has some filters
* My SSH is configured with public key only authentication (no password), but accepts connections from everywhere

Even then, a lot of these services are below 1024, so they would be “protected” by the proposed compromise.

On the other hand, I had to do nothing apart from starting the service to offer web access, SMTP, ssh, imap, pop, XMPP, DNS, bittorrent (to several clients), git server, and I even do mobile IPv6. On several hosts; and every guest in my house can do the same. I wish anyone could try this at home, as this really gives a different feeling of what a real “inter-network” access can be.

Of course, on the bad side, you have to adapt the configuration of every software that you want to restrict access to. I wish more of them offered the tcp-wrappers common restriction ability. If you don't want to adapt, then you can go to your firewall config and do the same there. Well, you could even do everything I told from your firewall configuration if you wanted. I totally want people to be able to do that. But forbidding every inbound flow *by default* is to me a bad idea.

The advantage I have over other people, maybe, is that I control all the end points I have (they all run free software), so I may be more confident than others.
But this is no real reason to me: as Gert said, every device should be configured in a way that it is quite resistant to most attacks. This is how the Internet is going to be anyway; you will always find yourself one day on some network you don't know, and your device should be prepared. If you want to be paranoid and block everything on your own network, fine, do it. But the principle of a remote communication through a network is to be reachable, so better be reachable by default ;-)

BTW, if you fear being scanned, the IPv6 address space is so big that hosts that are not publicly known don't risk much. Of course, we are not immune to absolutely every risk, but neither is any device, being protected by a firewall or not.

--
benjamin

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
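The per-service restriction described in the post (an nginx virtual host allowed only from the home /56, with the wireless /64 kept out while Ethernet gets through) looks like this as an added example; it is not configuration from the post or from OpenWrt. The prefixes are constructed documentation addresses and the server name is hypothetical. nginx evaluates allow/deny directives in order and stops at the first match, so the narrower wireless deny must come before the broader /56 allow, and a final `deny all` closes everything else.

```nginx
# Added example, not from the mailing-list post.
# 2001:db8:abcd:0100::/56 stands in for the home allocation; the wireless
# segment is assumed to be its last /64 (both values are constructed).
server {
    listen [::]:80;
    server_name internal.example.net;   # hypothetical name

    # First match wins: exclude the wireless /64 before allowing the /56.
    deny  2001:db8:abcd:01ff::/64;      # wireless segment, kept out
    allow 2001:db8:abcd:0100::/56;      # whole home allocation (wired LAN, VPN, ...)
    allow ::1;                          # the host itself
    deny  all;                          # anyone else gets a 403

    location / {
        root /var/www/internal;
    }
}
```

If this host sits behind a reverse proxy the rules see the proxy's address, not the client's, so the restriction only means what it says when nginx terminates the connection directly; the same ordering logic applies to the other services the post mentions (the /etc/exports wildcard, rsync's hosts allow/deny) but each has its own syntax.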