[nzlug] Arm your firewalls (Was: SixXS PoP in New Zealand provided by ACSData: free IPv6 connectivity)

Jeroen Massar jeroen at unfix.org
Sat Jul 21 09:28:01 NZST 2007


Daniel Lawson wrote:
>> This thus allows one to make one box into a true router, set up a tunnel
>> to the PoP, and get a subnet over it and then provide IPv6 to all your
>> machines in the house. This means: no firewalls, no NAT tricks, full
>> connectivity to everything, thus ssh'ing in can be done without tricks
>> and also things like VoIP will work much easier and from the box.
>> Also check the "Cool IPv6 Stuff" page on the site for a list of other
>> things.
>>   
> And just remember, of course, that as your internal network is no longer
> behind a NAT device, you no longer have a naive firewall blocking
> external access to your internal machines, so make sure you set up a
> suitable firewall with ip6tables. Your iptables firewall is ipv4 only,
> and won't protect you.

Very good point indeed and something that I tend to sort of forget from
time to time. It is also something which is still a hot topic of sorts;
IPv6* does return the whole end-to-end idea and NATs won't be needed.
But one still has to have good firewalling, thus the deep packet
inspection and connection tracking remain. When a new protocol comes out
next the firewall also needs to know about it if the correct ports have
to be opened for it, e.g. as needs to be done for FTP. As such firewalling
is still not an easy thing to do. There are some ideas circulating about
this though to resolve those issues.

Iljitsch van Beijnum (who wrote both the "O'Reilly BGP" and the "Running
IPv6" books) wrote a couple of excellent articles about it:

http://arstechnica.com/articles/paedia/ipv6-firewall-mixed-blessing.ars
http://arstechnica.com/articles/paedia/IPv6.ars

Should be a good read on that.

(* IPv4 does of course also, but most consumer ISPs won't give you
multiple addresses without much hassle or huge pay increases)

Greets,
 Jeroen
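
An added example, not part of the original thread: a minimal stateful ip6tables ruleset for the tunnel router discussed above, restoring the "nothing unsolicited comes in" behaviour that NAT gave as a side effect. The interface names (sixxs for the tunnel, eth0 for the LAN) and SSH as the one exposed service are assumptions, as is a kernel with IPv6 connection tracking.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: tunnel interface
# "sixxs", LAN interface "eth0", SSH as the only service exposed on the router.

# Print a stateful IPv6 ruleset in ip6tables-restore format.
#   $1 = tunnel (WAN) interface, $2 = LAN interface
ip6_ruleset() {
    wan=$1 lan=$2
    [ -n "$wan" ] && [ -n "$lan" ] || { echo "usage: ip6_ruleset WAN LAN" >&2; return 1; }

    echo '*filter'
    # Default deny for traffic to the router and through it to the LAN.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'

    # Router solicitation/advertisement and neighbour discovery (133-136)
    # replace ARP in IPv6. Accept them on the router only, and require hop
    # limit 255 so they cannot have crossed another router.
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    for chain in INPUT FORWARD; do
        # Replies to connections that were opened from the inside.
        echo "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # ICMPv6 errors (1-4; type 2 "packet too big" drives path MTU
        # discovery) and echo request (128). Blocking these breaks IPv6.
        for t in 1 2 3 4 128; do
            echo "-A $chain -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        done
        echo "-A $chain -m conntrack --ctstate INVALID -j DROP"
    done

    echo "-A INPUT -i $lan -j ACCEPT"
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    # LAN hosts may open connections out; nothing new comes in from the tunnel.
    echo "-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT"
    echo 'COMMIT'
}

# Usage (as root):  ip6_ruleset sixxs eth0 | ip6tables-restore
```

The IPv4 rules loaded with iptables are untouched by this; the two tables are independent, so check both with iptables -L and ip6tables -L after loading.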
