<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello guys,<br>
<br>
This discussion if becoming each day more confusing for something,
which for me, is very simple assuming the following:<br>
<br>
- IPv6 as IPv4 should block <b>any incoming connection</b> on
the WAN interface including those directed to the LAN IPs behind it.<br>
- If a client in the LAN initiates a connection to outsite, the
return to the this connection will pass through just fine as it
already does on IPv4 (assume NAT is not in use).<br>
- If a server in the LAN needs incoming connections it will be
allowed in a per port or per IP basis on the router.<br>
- If one wants to use the OpenWRT router just as a router and
not as router+firewall he can just disable the firewall role
globally (all open X all closed) and let all traffic pass to the
networks behind it.<br>
<br>
What is making it more complicated than this ?<br>
<br>
Regards,<br>
<br>
Fernando<br>
<br>
<div class="moz-cite-prefix">On 17/07/2014 09:25, Ondřej Caletka
wrote:<br>
</div>
<blockquote cite="mid:53C78861.1080902@caletka.cz" type="cite">
<pre wrap="">Dne 16.7.2014 22:41, Gui Iribarren napsal(a):
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">I expect that, over time, users will become accustomed to the
"end-to-end" nature of the v6 Internet and may demand that the firewall
be "open" by default, and I would certainly propose that we have a
simple checkbox in LUCI that allows the firewall to be changed from "all
closed except explicitly open ports" to "all open" in one action. At
some point we would probably change the default behavior from "all
closed" to "all open."
</pre>
</blockquote>
</blockquote>
<pre wrap="">What about... at *this* point? :) (i.e. before BB rc2 freeze)
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">However, for the moment, I would argue that the "rightness" of following
expected behavior is greater than the "rightness" of delivering the true
"end-to-end" nature of v6.
</pre>
</blockquote>
</blockquote>
<pre wrap="">At least Swisscom (according to Baptiste) and TP-Link seem to have
solved the dilemma by defining "expected behaviour" = the true
end-to-end nature of v6 :P hurray!
</pre>
</blockquote>
<pre wrap="">
+1 for having default firewall settings somewhat more open. IMO opening
incoming connections to TCP/UDP ports greater than 1024 as well as all
other protocols that don't use port numbers would be the best compromise
between security and usability.
Blocking ports lower than 1024 should be sufficient to protect legacy
stuff with exploitable telnet, SSH or HTTP/S management interfaces, as
well as it would block unintended file sharing from home NAS-es using
CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted
flow of P2P traffic, as well as ad-hoc servers in home network (For
instance, I like to share a file by running an ad-hoc HTTP server and
sharing a link such as <a class="moz-txt-link-freetext" href="http://[2001:db8:123:456::2]:8080/">http://[2001:db8:123:456::2]:8080/</a>).
I think that reasonable default matters, because sometimes, you are not
able to change the setting of home router (like visiting a friend or on
public hotspot). It would be sad if you had to use some sort of VPN or
IPv6-over-IPv6 tunnelling just to overcome the firewall.
Cheers!
Ondřej Caletka
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
openwrt-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:openwrt-devel@lists.openwrt.org">openwrt-devel@lists.openwrt.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel">https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel</a>
</pre>
</blockquote>
<br>
</body>
</html>