On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote:
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface. No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS. Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance. You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

And that potential problem is not unique to IPv6. I've come across enough "helpful" NAT devices which do nothing to block incoming traffic. In fact, they deliberately try and help incoming connections come back through, more so than you'd want.

e.g. When your device browses out, you expect the related traffic to your query to get back in. What you don't expect is for your gateway to allow anything and everything back in, merely because it comes from the same source. But that's what some NAT devices do. Browse a website, and it can do an identd lookup on you, it can connect back to see if you've got a webserver, it can see if you've got a mail server, etc.

It's considered necessary, by some manufacturers, because of changing requirements. Today, I could determine that for MSN to work, I might have to allow through a few specific ports. Next week, MSN might require more "related" traffic to be allowed back through, and my hardware would need changing or reprogramming for that to work. Likewise, when something completely new gets invented.
But if they build their hardware with a very simple rule, that if you spoke to an outside service, you should listen to anything it sends back, they've built a device that "just works" for a great number of completely technically inept users.

Whether IPv4 or IPv6, you should use something that's meant to be a firewall. With a computer, that's easy, most have one that you can use. With a dumb device, you need to slot a firewall between it and the world. It's not a new requirement, it's something that should have been done all along, but some people just don't get it.

Many cheap consumer IPv4 routers already have SPI firewalls, mine does. When IPv6 gets into gear, I expect it'll be a standard feature, too. And I expect it'll be as easy, or as hard, to configure as the current ones are. With the type-in arcane rules options, and the simple tick the enable firewall option (with the modem/router knowing which side of the wall is inside and outside, and being able to apply a basic set of rules on that basis).

I don't expect consumer router devices with a firewall to be any more difficult to configure than the built in configurator that Fedora came with: There's a simple turn on the firewall, which would apply the "ignore new unexpected connections" rule that does everything most people need, when they're not actually running any servers. And the individual simple punch a hole through for HTTP, or SMTP, or IMAP, etc., for allowing common servers.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
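The distinction the message draws, between a gateway that admits only the reverse of a flow the inside host opened ("ignore new unexpected connections") and one that admits anything from a host the inside machine has spoken to, is easy to see in a toy connection tracker. The following is an added illustration, not code from this thread, from Fedora's firewall tool or from any router firmware; the `strict`/`loose` policy names, the `Filter` class and the RFC 5737 addresses are all constructed for the example. It also shows the "punch a hole" case from the last paragraph: an explicitly opened server port is accepted under either policy.

```python
"""Toy stateful packet filter comparing two reply-admission policies.

Constructed example for illustration; not code from the Fedora users
list thread, from Fedora's firewall configurator or from any router.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


INSIDE = "192.0.2.5"  # constructed: the home machine behind the gateway


class Filter:
    """Inbound filter with a choice of how 'related' replies are matched.

    strict: accept only packets whose 5-tuple is the reverse of a flow the
            inside host opened (ESTABLISHED-style matching).
    loose:  accept any packet from an outside host the inside host has
            talked to, whatever port it targets (the behaviour the thread
            complains about).
    """

    def __init__(self, policy, holes=()):
        if policy not in ("strict", "loose"):
            raise ValueError("policy must be 'strict' or 'loose'")
        self.policy = policy
        self.holes = frozenset(holes)  # (proto, port) pairs deliberately opened
        self.flows = set()             # outbound 5-tuples seen so far
        self.peers = set()             # outside hosts we have spoken to

    def outbound(self, pkt):
        """Record an outbound packet so its replies can be recognised."""
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.peers.add(pkt.dst)

    def inbound(self, pkt):
        """Return True if the inbound packet is accepted."""
        if (pkt.proto, pkt.dport) in self.holes:
            return True  # a server port the user chose to expose
        if self.policy == "strict":
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reverse in self.flows
        return pkt.src in self.peers


def run_scenario(policy, holes=()):
    """Browse one website, then see which inbound packets get through."""
    f = Filter(policy, holes)
    f.outbound(Packet(INSIDE, 40000, "203.0.113.10", 80))  # constructed flow
    probes = {  # constructed inbound packets
        "reply": Packet("203.0.113.10", 80, INSIDE, 40000),       # real reply
        "identd_probe": Packet("203.0.113.10", 54321, INSIDE, 113),
        "web_probe": Packet("203.0.113.10", 54322, INSIDE, 80),
        "stranger_ssh": Packet("198.51.100.7", 54323, INSIDE, 22),
    }
    return {name: f.inbound(p) for name, p in probes.items()}


if __name__ == "__main__":
    for policy in ("strict", "loose"):
        print(policy, run_scenario(policy))
    print("strict + HTTP hole", run_scenario("strict", holes=[("tcp", 80)]))
```

Under `strict` only the genuine reply is accepted; under `loose` the website's identd and web probes also get in because they share a source address with the flow the inside host opened. Opening a hole for TCP/80 admits the web probe under `strict` too, which is the intended trade-off when the user really runs a web server there.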