Re: Looking for comments

[Franck Martin <franck () genius com>]

----- Original Message -----
> From: "Karl Auer" <kauer () biplane com au>
> To: nanog () nanog org
> Sent: Thursday, 22 July, 2010 4:24:59 PM
> Subject: Re: Looking for comments
> On Wed, 2010-07-21 at 20:37 -0700, Owen DeLong wrote:
> > I can throw a COTS d-link box with
> > > address-overloaded NAT on a connection and have reasonably
> > > effective
> > > network security and anonymity in IPv4. Achieving comparable
> > > results
> > > in the IPv6 portion of the dual stack on each of those hosts is
> > > complicated at best.
> > Actually, it isn't particularly hard at all... Turn on privacy
> > addressing
> > on each of the hosts (if it isn't on by default) and then put a
> > linux
> > firewall in front of them with a relatively simple ip6tables
> > configuration
> > for outbound only.
>
> All respect to someone that knows his stuff, and I do realise that the
> OP mentioned small-scale hardware, but in the wider world (and even
> the
> world of home users as seen from the carrier side) any solution that
> says "do <whatever> on every host" is just not workable. As for the
> Linux packet filter, that's an exercise for the advanced home user.

On Mac Airport Extreme it is "disallow outside to access internal machines", tick and it is done!