On 1-dec-04, at 1:06, Stephen Sprunk wrote:
> With v6 we have the ability to fix this; through some magic function,
> users should be able to get a PA (at a minimum) subnet behind their
> local router/modem/whatever and have a decent interface to configure
> inbound filters, similar to how they can configure evil NAT
> port-forwarding today.
So what's the use of a firewall when the boxes behind it get to
configure it? If these boxes know what they should and shouldn't accept
from the evil internet in the first place, isn't it much easier to
accept/reject packets as per this knowledge?
> > A default filter that rejects packets for services that are generally
> > intended for local use only would probably be good enough for a
> > residential IPv6 router. Other services are either not enabled and/or
> > firewalled in the host anyway, or the user actually wants them to
> > work.
> Default filters are a pain, because inevitably they end up blocking
> something that's useless today but a critical need tomorrow... For
> instance, my @#%#^& Linksys not only doesn't understand native IPv6
> (hello, wake up Cisco!) but it even blocks IP-in-IP packets so I can't
> use an IPv6 tunnel.
Please reread. I said services that are generally intended for local
use. Unknown services can't be presumed to be intended for local use
and are thus not filtered by such a policy. Ideally, I wouldn't want to
filter anything, but systems like Windows come with all kinds of
services enabled that you really don't want to expose to the whole
world, but at the same time you want (some of) these services to be
available for local use.
> At a minimum, vendors should document _everything_ the default filter
> does and allow the user to disable it if necessary.
Of course. The funny thing is that NAT can generally not be disabled by
the user. :-) :-(
Note that a default stateful filter is much more harmful than filtering
out some obvious stuff such as SMB as you need to make specific
exceptions or use strange tricks in the application to allow incoming
sessions, for ALL protocols that use those.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
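As an added illustration of the distinction the message draws between filtering a few local-use services and a default-deny stateful filter (example code written for this page, not taken from the thread; the port set, addresses and packet sequence are constructed assumptions):

```python
from dataclasses import dataclass, field

# Constructed model of the two residential-router policies discussed above.
# The "local-use-only" port set is an assumption (SMB/NetBIOS), not from the post.
LOCAL_ONLY = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool   # True when arriving from the Internet side

def local_only_filter(pkt: Packet) -> bool:
    """Policy A: drop only inbound packets for services generally meant for
    local use; unknown services pass, so a new protocol needs no exception."""
    return not pkt.inbound or (pkt.proto, pkt.dport) not in LOCAL_ONLY

@dataclass
class StatefulFilter:
    """Policy B: default-deny stateful filter. Inbound packets are accepted
    only for flows an inside host opened first, or for ports the user has
    explicitly excepted; every other unsolicited inbound session is dropped."""
    exceptions: set = field(default_factory=set)   # {(proto, dport)}
    flows: set = field(default_factory=set)        # {(proto, in_addr, in_port, out_addr, out_port)}

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:                        # outbound: record the flow
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True                            # reply to an established flow
        return (pkt.proto, pkt.dport) in self.exceptions

def compare(exceptions=frozenset()):
    """Run the same constructed packet sequence through both policies and
    return (policy_a_verdict, policy_b_verdict) per packet."""
    inside, outside = "2001:db8:1::10", "2001:db8:ffff::1"   # constructed addresses
    sf = StatefulFilter(exceptions=set(exceptions))
    packets = [
        Packet("tcp", inside, 40000, outside, 80, inbound=False),  # host opens HTTP
        Packet("tcp", outside, 80, inside, 40000, inbound=True),   # HTTP reply
        Packet("tcp", outside, 50000, inside, 445, inbound=True),  # SMB from the Internet
        Packet("tcp", outside, 50001, inside, 22, inbound=True),   # unsolicited SSH
    ]
    return [(local_only_filter(p), sf.allow(p)) for p in packets]
```

The last packet is the case the message is about: policy A lets it through untouched, while policy B drops it until the user adds an explicit exception such as `compare({("tcp", 22)})`.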