Re: ipv6 question

On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote:
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.  No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS.  Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance.  You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

And that potential problem is not unique to IPv6.  I've come across
enough "helpful" NAT devices which do nothing to block incoming traffic.
In fact, they deliberately try and help incoming connections come back
through, more so than you'd want.

e.g. When your device browses out, you expect the related traffic to
your query to get back in.  What you don't expect is for your gateway to
allow anything and everything back in, merely because it comes from the
same source.  But that's what some NAT devices do.  Browse a website,
and it can do an identd lookup on you, it can connect back to see if
you've got a webserver, it can see if you've got a mail server, etc.

It's considered necessary, by some manufacturers, because of changing
requirements.  Today, I could determine that for MSN to work, I might
have to allow through a few specific ports.  Next week, MSN might
require more "related" traffic to be allowed back through, and my
hardware would need changing or reprogramming for that to work.
Likewise, when something completely new gets invented.  But if they
build their hardware with a very simple rule, that if you spoke to an
outside service, you should listen to anything it sends back, they've
built a device that "just works" for a great number of completely
technically inept users.

Whether IPv4 or IPv6, you should use something that's meant to be a
firewall.  With a computer, that's easy, most have one that you can use.
With a dumb device, you need to slot a firewall between it and the
world.  It's not a new requirement, it's something that should have been
done all along, but some people just don't get it.

Many cheap consumer IPv4 routers already have SPI firewalls, mine does.
When IPv6 gets into gear, I expect it'll be a standard feature, too.
And I expect it'll be as easy, or as hard, to configure as the current
ones are.  With the type-in arcane rules options, and the simple tick
the enable firewall option (with the modem/router knowing which side of
the wall is inside and outside, and being able to apply a basic set of
rules on that basis).

I don't expect consumer router devices with a firewall to be any more
difficult to configure than the built-in configurator that Fedora came
with:  There's a simple turn on the firewall, which would apply the
"ignore new unexpected connections" rule that does everything most
people need, when they're not actually running any servers.  And the
individual simple punch a hole through for HTTP, or SMTP, or IMAP, etc.,
for allowing common servers.

-- 
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
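As an added illustration (not part of Tim's post, nor a Fedora or vendor ruleset), here is what the "ignore new unexpected connections, then punch holes for the servers you actually run" policy looks like as an nftables file on a small IPv6 home router that sits between a dumb device and the world. The interface names wan0/lan0, the 2001:db8:1::/64 prefix and the ::80 host address are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering for a home router.
# Interface names, the LAN prefix (2001:db8 is the documentation
# range) and the server address are constructed for illustration.
define wan = "wan0"
define lan = "lan0"
define lan_net = 2001:db8:1::/64

flush ruleset

table ip6 home {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        # Replies to connections the router itself opened: this is the
        # "related traffic gets back in" part, and nothing more.
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional on IPv6: neighbour discovery, router
        # advertisements and path MTU discovery all ride on it.
        meta l4proto ipv6-icmp accept
        # Router management only from the inside interface.
        iif $lan tcp dport { 22, 443 } accept
        # DHCPv6 client replies from the ISP (server 547 -> client 546).
        iif $wan udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept

        # Anything on the inside may open new connections outward.
        iif $lan oif $wan ip6 saddr $lan_net accept

        # "Punch a hole": one explicit line per service you mean to run.
        iif $wan oif $lan ip6 daddr 2001:db8:1::80 tcp dport 80 accept
        # iif $wan oif $lan ip6 daddr 2001:db8:1::25 tcp dport { 25, 143 } accept

        # Everything else arriving from the WAN for the HDTV, the video
        # recorder, etc. falls through to the drop policy.
    }
}
```

The difference from the "helpful" NAT box described above is the `ct state` match: only packets that conntrack ties to a connection the inside opened are let back in, not arbitrary new connections from a host you once talked to.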



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

