On Fri, 18 Jul 2014 10:21:56 -0700, Bill wrote:
Gert Doering wrote:

On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
Regarding firewalling: I understand and support your point for
end-to-end connectivity though there are still quite a few people
(including myself) who have reservations about the security
implications.
This discussion here is very much the same discussion as everywhere
when the topic pops up.

There are basically 3 sides here:

- I want a firewall that mimics IPv4 NAT default-closed behaviour

- I want IPv6 to be end-to-end so applications can just work and not
  bother with PCP, firewall traversal, etc.

- I want a firewall but one that defaults to open for $somestuff and
  to close for $otherstuff (swisscom model)

I don't think we will be able to agree here any more than on the IETF
lists or whatever.

But what we (uh, Steven :) ) can do is: provide easily selectable
"firewall profiles" that match the 3 "common scenarios". As of today,
OpenWRT routers are not "autoconfig" yet, but you need to put in some
config anyway (like, the protocol and username/password used to
connect to your ISP).

If we could have a "basic firewall switch" there that has 4 settings
"closed", "fully open", "balanced (swisscom model)" or "customized",
this should enable users to get what they want without having to
really think about firewall rules, ports, etc.

I agree - this is an excellent approach

I also agree, this set of basic defaults is good.

Of course the question remains "what should the default be", and I'm
not sure we can come to an agreement on this.

My own thoughts on this are evolving. In real life (whatever that
is), I consider myself more a product manager (marketing guy) than a
developer, so I'm interested in the customer experience of the final
product. Of course, the final product is really a router, and OpenWRT
would be a component of that router.

In all fairness, as I'm building that router product, I'm going to
modify OpenWRT to meet the needs of the market. So, the bottom line is
that, whatever the default is in OpenWRT, I'm going to go ahead and
set it to what I need it to be in my build, before I blow it on to the
router (or whatever) that the customer sees.

The end user of the router would be a random customer (let's just
say, "someone's mom"), and I am responsible for that customer's
experience. Being the experienced (some might say, "cynical")
individual I am, I'd want it to be "idiot-friendly" - removing as many
opportunities for the end user to get into trouble as possible. So, at
least at this point in time, I'm going to close all the ports by
default. I'd rather face the prospect of helping the customer open the
ports as they need that "end-to-end" connectivity than the prospect of
someone saying, "you sold me a router that's unexpectedly wide open to
the Internet and everyone in the world is sending all manner of nasty
stuff to my printer."

However, *I* am actually the end user of OpenWRT - it's reasonable to
assume that anyone who is downloading OpenWRT or building it from
source is sufficiently advanced in their knowledge (or at least wants
to be) that they would expect it to be "expert-friendly," not
"idiot-friendly."

From that perspective, I still think that having the router block all
ports (as is done in v4 "consumer-grade" routers today) is the
"idiot-friendly" default, but, after thinking about it more, I think
that Gert's "balanced" approach is probably the "expert-friendly"
default and the one I would want and expect in the OpenWRT builds.

I think the default should be idiot-friendly. Having the easy knob to
toggle to make it 'expert-friendly' should be enough. If the 'expert'
can't flip that knob, they can't secure their network either.

FWIW,

Bill

P.S. No, my printer is not v6-ready, either, but let's assume there
are some that are...

That's a real example that has been exploited in the past, especially
with the very expensive, high-end printer/copiers sold to businesses.
Again from companies that "should know better".

David Lang
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel