>>>>> "Randal" == Randal L Schwartz <mer...@stonehenge.com> writes:
Randal> Now, here's the scary part:

Randal> Locohost.local:~ % nmap -6 -v 2001:470:a:4af::2

The one upside is that nmap'ing a /64 (if it even worked) is kind of a
self-inflicted DoS attack.  It might not complete in your lifetime! ;-)

Once your private IPv6 address is exposed though, you are fully
reachable *AND* have pretty much given away your MAC address (since it
is embedded in your auto-self-configured address).  There are solutions
to the MAC address problem, but they take a little more work.

There *are* implications.

BTW, just to show how dumb I am, for a while I was under the impression
that just plain old iptables -j MASQUERADE pretty much protected all the
hosts behind it from being reachable from "outside".  Gigantic
impenetrably unreadable "firewall rule" sets seemed like probably more
risk than they were worth.  I tended to rely on just the -j MASQUERADE
rule.

I did finally test my assumption and found that at least in one limited
instance, it did *not* provide the protection I thought it did.  A host
on the immediately upstream network side *could* set a route to the
NAT'ing gateway if they know the network on the private side of the
gateway, and packets get forwarded just fine.  However, I believe that
hosts further away won't be able to route that way if they don't control
all the routers in between.

--
Russell Senior, President
russ...@personaltelco.net
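
The MASQUERADE-only gap described in the message above, as an added example that is not part of the original post: a small audit of iptables-save output that reports when a new packet arriving on the masqueraded (upstream) interface would still be forwarded inward. The two rule dumps and the interface names eth0 and eth1 are constructed for illustration, and the parser is a sketch that ignores negated matches and user-defined chains.

```python
import shlex

# Constructed iptables-save dumps (not from the post); eth0 = upstream, eth1 = private side.
NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n"
MASQ_ONLY = NAT + "*filter\n:FORWARD ACCEPT [0:0]\nCOMMIT\n"
HARDENED = NAT + """*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
SIMPLE = {"-i", "-o", "-m", "--ctstate", "--state", "-j"}  # matches this sketch understands

def parse(dump):
    """Return ({(table, chain): policy}, [(table, chain, {option: value})])."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {a: b for a, b in zip(tok[2:], tok[3:]) if a.startswith("-")}
            rules.append((table, tok[1], opts))
    return policies, rules

def exposed_wan_interfaces(dump):
    """Upstream interfaces from which a NEW packet would be forwarded inward."""
    policies, rules = parse(dump)
    wans = {o.get("-o") for t, _, o in rules if t == "nat" and o.get("-j") == "MASQUERADE"}
    exposed = []
    for wan in sorted(w for w in wans if w):
        verdict = policies.get(("filter", "FORWARD"), "ACCEPT")  # unloaded table = ACCEPT
        for t, chain, o in rules:
            if (t, chain) != ("filter", "FORWARD") or o.get("-i", wan) != wan:
                continue
            states = (o.get("--ctstate") or o.get("--state") or "NEW").split(",")
            target = o.get("-j")
            if "NEW" not in states or target not in ("ACCEPT", "DROP", "REJECT"):
                continue  # reply-only rule, or a jump this sketch does not follow
            if target != "ACCEPT" and set(o) - SIMPLE:
                continue  # a narrower drop does not close the whole path
            verdict = target
            break
        if verdict == "ACCEPT":
            exposed.append(wan)
    return exposed
```

On a real gateway the same function can be given the text printed by iptables-save; the hardened dump shows the usual fix of a FORWARD policy of DROP plus a conntrack rule that admits only reply traffic from upstream.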