Re: Disabling ipv6

Once upon a time, Tim <ignored_mailbox@xxxxxxxxxxxx> said:
> How is your firewall set up?  When you allow something for IPv4, does it
> make a corresponding rule for IPv6, at the same time.  Likewise, for if
> you block something.  And I mean that in two ways, dealing with ports,
> and addresses.  I may decide to block all port 80 traffic, and I'd hope
> my firewall doesn't just put a block on IPv4 traffic, requiring me to
> separately set up another rule for the IPv6.  Or, I may find out that
> I'm seeing unwanted traffic from www.example.com, I'll probably have to
> find out their IPv4 and IPv6 IPs and individually block them.

Except for trying to block things by hostname (which is always a
problem, since DNS changes all the time), yes.  My firewall does all of
that.  As far as I know, the CPE advertising IPv6 support does that.
I'm pretty sure the Windows software firewall does that (don't know
anything about Mac OS X).

Does _every_ firewall that claims IPv4 and IPv6 support do that
correctly?  I don't know, probably not.  But at the same time, does
every firewall that claims IPv4 support handle all of the above
correctly, 100% of the time?  Probably not.  There will always be bugs,
design flaws, etc.

> Then there's address range types.  With IPv4 it's easy enough to have a
> demarcation point between one side of my LAN and the WWW, and set rules
> about it.  IPv6 uses a different technique of addressing/subnetting, and
> in some of my earlier readings of it, doesn't really work in a similar
> way that you can do that kind of demarcation.  There's not that level of
> distinction between LAN and WAN.

Yes, IPv4 and IPv6 addresses are different (that's kind of the point).
The whole idea that somehow RFC1918 space is "magic" (I hear people call
it "unroutable" all the time, which is flat wrong) came in with NAT and
is bad, as anybody who has dealt with enterprise networks (and
especially when companies merge, interconnect, etc.) can tell you.

If you want something similar to RFC1918 space with IPv6, you can use
ULA, but you really shouldn't.

> So there's those basic levels of security, before anybody even worries
> about flaws in IPv6, itself.

I don't see anything here much other than "it is different and different
is bad"; certainly not any of the supposed "security flaws".
-- 
Chris Adams <linux@xxxxxxxxxxx>
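
The thread asks whether a port rule set for IPv4 also gets a counterpart for IPv6. One way to check that on a host, as an added example that is not part of the original post: it assumes the rules are available in `iptables-save` / `ip6tables-save` format, and the sample dumps and the function names `port_rules` and `parity_gaps` are constructed for illustration.

```python
# Added example: compares port rules between IPv4 and IPv6 rule dumps.
# Both dumps are constructed samples in iptables-save / ip6tables-save format.
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DROP
COMMIT
"""
V6_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
"""

# Address matches are per-family by nature, so such rules are not compared.
ADDRESS_OPTS = {"-s", "-d", "--source", "--destination"}

def port_rules(dump):
    """Return {(chain, proto, dport, target)} for rules that match on a port only."""
    rules = set()
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT, comments
        tok = line.split()
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if "--dport" not in opts or ADDRESS_OPTS & set(opts):
            continue
        rules.add((opts["-A"], opts.get("-p", "any"), opts["--dport"], opts.get("-j", "")))
    return rules

def parity_gaps(v4_dump, v6_dump):
    """Port rules present for one address family but missing for the other."""
    v4, v6 = port_rules(v4_dump), port_rules(v6_dump)
    return {"ipv4_only": sorted(v4 - v6), "ipv6_only": sorted(v6 - v4)}

if __name__ == "__main__":
    for family, rules in parity_gaps(V4_DUMP, V6_DUMP).items():
        for chain, proto, dport, target in rules:
            print(f"{family}: {chain} {proto}/{dport} -> {target}")
```

With the constructed dumps, the port 80 block exists only for IPv4, which is the gap the quoted question worries about; the address-based rule is skipped because it has to be written per family anyway.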