[OpenWrt-Devel] OpenWRT IPv6 firewall

Fernando Frediani fhfrediani at gmail.com
Thu Jul 17 12:14:59 EDT 2014


Hello Baptiste,

Clarifying my point: by "should" I meant "from common sense" and also "from 
widely accepted practice".

Someone who uses applications that need to be reachable from outside 
can adjust the firewall manually to reflect that for the desired ports, 
which is not a big deal, or even by UPnP, which is even simpler.
I would say further that, depending on the environment, if a specific user 
prefers, the firewall in the router can allow any traffic to his IP only 
and he can control it locally on his machine.

Therefore there are possibilities and these in my opinion are less 
costly and more secure to have by default.

Best regards,

Fernando

On 17/07/2014 16:23, Baptiste Jonglez wrote:
> On Thu, Jul 17, 2014 at 03:21:32PM +0100, Fernando Frediani wrote:
>> Hello guys,
>>
>> This discussion is becoming each day more confusing for something which, for
>> me, is very simple assuming the following:
>>
>>      - IPv6 as IPv4 should block *any incoming connection* on the WAN
>> interface including those directed to the LAN IPs behind it.
> As explained before: this is a mostly unavoidable fact for IPv4, because
> of NAT.
>
> Now, if this is avoidable, such as with IPv6, does it have any
> justification?  Does your "should" come from an RFC?  From common sense?
> From a widely accepted practice?  Security comes to mind, but the
> proposal is *not* about disabling the firewall completely.
>
> As for the usage, any application that is not purely client/server needs
> to be reachable from the outside.  You may want to use peer-to-peer
> applications (voice chat, video chat, file sharing, etc) without having to
> explicitly configure your firewall.  Btw, this is why protocols such as
> UPnP, NAT-PMP, or PCP have been developed.
