nanog mailing list archives
Re: Google wants to be your Internet
From: Bernhard Schmidt <berni () birkenwald de>
Date: Tue, 30 Jan 2007 02:20:35 +0100
Henning Brauer <hb-nanog () bsws de> wrote:

> IPv6 makes NAT obsolete because IPv6 firewalls can provide all the useful
> features of IPv4 NAT without any of the downsides.... IPv6 firewalls? Where? Good ones?
>
> OpenBSD's pf has support for v6 for years now.

Which works pretty well if you forget one tiny thing (from pf.conf(5))

| FRAGMENT HANDLING
| [...]
| Currently, only IPv4 fragments are supported and IPv6 fragments are
| blocked unconditionally.

which can bite you in the ass pretty hard if you don't expect it. Fragments are valid packets and crucial for many applications, so unconditional blocking (even with a "pass inet6 from any to any" policy) is bad.

Other working solutions are

- Linux + nf_conntrack (maybe in a few kernel versions, there was an OOPS in 2.6.20-rc5 with (tadaaa) fragment handling, fixed though)
- Cisco ASA and FWSM
- IIRC Juniper (Netscreen) firewalls

and I guess some more.

Regards,
Bernhard
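To gauge how much traffic a rule set that drops every IPv6 fragment would affect, the following added example (not part of the original post) walks the IPv6 extension-header chain and reports whether a packet carries a Fragment header (Next Header 44), including when it sits behind other extension headers. The function names and the sample packets are constructed for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS, UDP = 0, 43, 44, 51, 60, 17

def fragment_info(packet: bytes):
    """Return Fragment header fields of an IPv6 packet, or None if it has none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40          # fixed header is 40 bytes
    while True:
        if next_header == FRAGMENT:
            if len(packet) < offset + 8:
                raise ValueError("truncated Fragment header")
            inner, _, off_flags, ident = struct.unpack_from("!BBHI", packet, offset)
            return {"next_header": inner, "offset_bytes": (off_flags >> 3) * 8,
                    "more_fragments": bool(off_flags & 1), "id": ident}
        if next_header not in (HOP_BY_HOP, ROUTING, DEST_OPTS, AUTH):
            return None  # upper-layer protocol (or ESP / No Next Header) reached
        if len(packet) < offset + 2:
            raise ValueError("truncated extension header")
        length = packet[offset + 1]
        # AH counts 4-byte words minus 2; the other headers count 8-byte units minus 1.
        size = (length + 2) * 4 if next_header == AUTH else (length + 1) * 8
        next_header, offset = packet[offset], offset + size

def count_fragments(packets):
    """Return (fragments, total) for an iterable of raw IPv6 packets."""
    packets = list(packets)
    return sum(fragment_info(p) is not None for p in packets), len(packets)

# --- constructed sample packets (addresses, ports and IDs are made up) ---
def ipv6(next_header, payload):
    addr = bytes(15) + b"\x01"                   # ::1 as source and destination
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr + addr + payload

udp = struct.pack("!HHHH", 5353, 5353, 8, 0)                   # bare UDP header
frag = struct.pack("!BBHI", UDP, 0, (185 << 3) | 1, 0xBEEF)    # offset 1480, M=1
hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                   # Hop-by-Hop with PadN
SAMPLES = [ipv6(UDP, udp), ipv6(FRAGMENT, frag + udp), ipv6(HOP_BY_HOP, hbh + frag + udp)]

if __name__ == "__main__":
    print(count_fragments(SAMPLES))
```

Feeding it the raw IPv6 packets from a capture of production traffic gives the share of packets that a fragment-dropping firewall would discard regardless of the pass rules.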