Re: transition to ip6




Hi Lee, 

> So what does that mean for a client application (http/ftp,etc.) where
> you might have local firewalls permitting things for internal-subnet
> source ranges but you also have external targets that only accept
> pre-configured static sources?

Are you referring to the situation where you have several clients on the internal network that use NAT to appear as one single IPv4 host to an external server, which allows access based on that global outside NAT address?  

The situation is a bit different without NAT. Instead of filtering on a single IPv4 address the external server would filter on a /64 IPv6 network. Security-wise there is no difference as you'll never get smaller allocations than /64 per site anyway, so what with respect to filtering was a single IPv4 address with IPv4/NAT is a /64 subnet with IPv6: a unique identifier of the network connecting to the external server. Both with IPv4/NAT and IPv6 the server only knows which network you are coming from, not which specific host is trying to connect.

When there really is a requirement that the external server allows only a single address to access it and that can't be changed, you could resort to using a proxy. 

If you're interested, RFC4864 expands on some of the aspects of IPv4/NAT vs. IPv6: <http://tools.ietf.org/html/rfc4864>

Best regards, 

  Peter.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
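
The server-side filtering described in the message above, as an added example that is not part of the original post: a source check that keys on the full address for IPv4 and on the /64 for IPv6. The function names and the allowlist entries (documentation prefixes) are constructed for illustration.

```python
import ipaddress

# Constructed allowlist using documentation ranges (RFC 5737 / RFC 3849).
ALLOWED = [
    ipaddress.ip_network("192.0.2.10/32"),        # IPv4: the single NAT outside address
    ipaddress.ip_network("2001:db8:12:34::/64"),  # IPv6: the client site's /64
]


def acl_key(source: str):
    """Reduce a peer address to the unit the server filters on.

    IPv4 peers are matched as a /32, IPv6 peers as their /64, so every
    host behind the same site prefix produces the same key.
    """
    # Drop a zone identifier such as "%eth0" if the socket layer added one.
    addr = ipaddress.ip_address(source.split("%", 1)[0])
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; treat
    # those as the IPv4 address they really are.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 32 if addr.version == 4 else 64
    return ipaddress.ip_network((addr, prefix), strict=False)


def is_allowed(source: str, allowed=ALLOWED) -> bool:
    """True if the peer's key falls inside any allowlisted network."""
    key = acl_key(source)
    return any(
        key.version == net.version and key.subnet_of(net) for net in allowed
    )


if __name__ == "__main__":
    for peer in (
        "2001:db8:12:34::1",                   # host A in the site /64
        "2001:db8:12:34:a1b2:c3d4:e5f6:7788",  # host B, same /64
        "2001:db8:12:35::1",                   # neighbouring /64
        "::ffff:192.0.2.10",                   # IPv4 peer on a dual-stack socket
        "192.0.2.11",                          # different IPv4 address
    ):
        print(f"{peer:40} key={acl_key(peer)!s:24} allowed={is_allowed(peer)}")
```
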

