Once upon a time, Neal Becker <ndbecker2@xxxxxxxxx> said:
> Let me say up front I'm not very knowledgeable about v6 yet. One reason I
> don't want to enable it is the exact flip side of the address scarcity of
> v4. Because of that, external connections are NAT'd. That seems to me to
> offer an additional layer of protection for devices on my network, they
> don't have externally routable addresses. I think that is not true if I
> turn on v6. Is this correct?

There is no NAT for IPv6, but that's a feature. NAT doesn't really add
any security; NAT is a combination of two things: a stateful firewall
(which gives you the protection) and a packet mangler (which causes no
end of problems). You can still have a stateful firewall with IPv6, you
just don't need the packet mangler anymore.

Returning to end-to-end addressing is nice - for example, I can open up
SSH on my home firewall and connect to home systems from my cell phone
(because both my home and cell Internet providers have native IPv6). No
more silly port mappings and having to remember which port is mapped to
which device.

On business networks, the death of NAT is way overdue - my company has
VPN tunnels to a bunch of customer networks, and we're forever running
into the same NAT networks (10.0.0.0, 192.168.1.0, etc.). If everybody
would just get on the IPv6 train, address conflicts would be gone.

NAT just gives the feeling of security, when it's just the firewall part
that is the actual security layer.

-- 
Chris Adams <linux@xxxxxxxxxxx>
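
The reply's point that the stateful firewall is the protective half of NAT and works the same for IPv6, shown as an added example (not part of the original message): an nftables forward chain for a home router. The table name, the interface names `lan0` and `wan0`, and the 2001:db8:: documentation-prefix address are assumptions.

```nft
# Added example: stateful IPv6 filtering on a home router, with no NAT.
# Assumed names: lan0 (inside), wan0 (upstream), 2001:db8:1::10 (one LAN
# host, documentation prefix). Load with: nft -f <file>
table ip6 home_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN opened, plus related ICMPv6 errors.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outbound.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors needed for path MTU discovery and diagnostics.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # One deliberate opening: SSH to a single host, at its own address
        # and its own port, with no port mapping.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept

        # Everything else arriving unsolicited from wan0 hits the drop policy,
        # even though every LAN host has a globally routable address.
    }
}
```

This chain covers forwarded traffic only; traffic addressed to the router itself is filtered by a separate input chain, which must also admit IPv6 neighbor discovery.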