Hello guys,

This discussion is becoming more confusing each day about something which, for me, is very simple, assuming the following:

- IPv6, like IPv4, should block *any incoming connection* on the WAN interface, including those directed to the LAN IPs behind it.
- If a client in the LAN initiates a connection to the outside, the return traffic for this connection will pass through just fine, as it already does on IPv4 (assume NAT is not in use).
- If a server in the LAN needs incoming connections, it will be allowed on a per-port or per-IP basis on the router.
- If one wants to use the OpenWRT router just as a router and not as router+firewall, he can just disable the firewall role globally (all open X all closed) and let all traffic pass to the networks behind it.

What is making it more complicated than this?

Regards,

Fernando

On 17/07/2014 09:25, Ondřej Caletka wrote:
> On 16.7.2014 22:41, Gui Iribarren wrote:
>>> I expect that, over time, users will become accustomed to the
>>> "end-to-end" nature of the v6 Internet and may demand that the firewall
>>> be "open" by default, and I would certainly propose that we have a
>>> simple checkbox in LUCI that allows the firewall to be changed from "all
>>> closed except explicitly open ports" to "all open" in one action. At
>>> some point we would probably change the default behavior from "all
>>> closed" to "all open."
>> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>>
>>> However, for the moment, I would argue that the "rightness" of following
>>> expected behavior is greater than the "rightness" of delivering the true
>>> "end-to-end" nature of v6.
>> At least Swisscom (according to Baptiste) and TP-Link seem to have
>> solved the dilemma by defining "expected behaviour" = the true
>> end-to-end nature of v6 :P hurray!
> +1 for having default firewall settings somewhat more open. IMO opening
> incoming connections to TCP/UDP ports greater than 1024 as well as all
> other protocols that don't use port numbers would be the best compromise
> between security and usability.
>
> Blocking ports lower than 1024 should be sufficient to protect legacy
> stuff with exploitable telnet, SSH or HTTP/S management interfaces, as
> well as it would block unintended file sharing from home NASes using
> CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted
> flow of P2P traffic, as well as ad-hoc servers in the home network (for
> instance, I like to share a file by running an ad-hoc HTTP server and
> sharing a link such as http://[2001:db8:123:456::2]:8080/).
>
> I think that a reasonable default matters, because sometimes you are not
> able to change the settings of the home router (like when visiting a friend or on a
> public hotspot). It would be sad if you had to use some sort of VPN or
> IPv6-over-IPv6 tunnelling just to overcome the firewall.
>
> Cheers!
> Ondřej Caletka



_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

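Ondřej's proposed compromise (TCP/UDP ports above 1024 and all port-less protocols open, everything below 1024 still closed), written out as an added example for fw3, the OpenWrt Barrier Breaker firewall; this is not code from the thread or from the OpenWrt project. The rule names are made up, and it assumes the stock zone setup, where the wan-to-lan forward policy is REJECT and `config rule` sections are evaluated in the order they appear in the file:

```text
# /etc/config/firewall fragment (added example, not from the thread or OpenWrt)
# Assumes the stock zones: wan->lan forwarding policy is REJECT, and fw3
# installs 'config rule' sections in file order, so rule 1 is hit before rule 2.

# Rule 1: keep the "legacy" range closed. Inbound TCP/UDP to ports 1-1023 on
# LAN hosts (telnet, SSH, HTTP/S management, CIFS, NFS) is rejected explicitly
# so it never reaches the permissive rule below.
config rule
	option name		'Reject-IPv6-Low-Ports'
	option src		'wan'
	option dest		'lan'
	option family		'ipv6'
	option proto		'tcp udp'
	option dest_port	'1-1023'
	option target		'REJECT'

# Rule 2: everything else from WAN to LAN is allowed: TCP/UDP on 1024-65535
# and protocols without port numbers (ESP, AH, GRE, ...). ICMPv6 is already
# permitted by the default Allow-ICMPv6-Forward rule. Caveat for anyone
# adopting this: any LAN service listening on a high port becomes reachable
# from the Internet, so it is a deliberate trade of exposure for usability.
config rule
	option name		'Allow-IPv6-High-Ports-And-Portless'
	option src		'wan'
	option dest		'lan'
	option family		'ipv6'
	option proto		'all'
	option target		'ACCEPT'
```

Append the fragment to /etc/config/firewall and apply it with `/etc/init.d/firewall reload`; return traffic for LAN-initiated connections is unaffected, since fw3 accepts established/related flows before these rules are consulted.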