Once upon a time, Tim <ignored_mailbox@xxxxxxxxxxxx> said:
> How is your firewall set up? When you allow something for IPv4, does it
> make a corresponding rule for IPv6, at the same time. Likewise, for if
> you block something. And I mean that in two ways, dealing with ports,
> and addresses. I may decide to block all port 80 traffic, and I'd hope
> my firewall doesn't just put a block on IPv4 traffic, requiring me to
> separately set up another rule for the IPv6. Or, I may find out that
> I'm seeing unwanted traffic from www.example.com, I'll probably have to
> find out their IPv4 and IPv6 IPs and individually block them.

Except for trying to block things by hostname (which is always a
problem, since DNS changes all the time), yes. My firewall does all of
that. As far as I know, the CPE advertising IPv6 support does that. I'm
pretty sure the Windows software firewall does that (don't know anything
about Mac OS X).

Does _every_ firewall that claims IPv4 and IPv6 support do that
correctly? I don't know, probably not. But at the same time, does every
firewall that claims IPv4 support handle all of the above correctly,
100% of the time? Probably not. There will always be bugs, design
flaws, etc.

> Then there's address range types. With IPv4 it's easy enough to have a
> demarcation point between one side of my LAN and the WWW, and set rules
> about it. IPv6 uses a different technique of addressing/subnetting, and
> in some of my earlier readings of it, doesn't really work in a similar
> way that you can do that kind of demarcation. There's not that level of
> distinction between LAN and WAN.

Yes, IPv4 and IPv6 addresses are different (that's kind of the point).
The whole idea that somehow RFC1918 space is "magic" (I hear people call
it "unroutable" all the time, which is flat wrong) came in with NAT and
is bad, as anybody who has dealt with enterprise networks (and
especially when companies merge, interconnect, etc.) can tell you.
If you want something similar to RFC1918 space with IPv6, you can use
ULA, but you really shouldn't.

> So there's those basic levels of security, before anybody even worries
> about flaws in IPv6, itself.

I don't see anything here much other than "it is different and different
is bad"; certainly not any of the supposed "security flaws".

--
Chris Adams <linux@xxxxxxxxxxx>