nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Mark Andrews <marka () isc org>
Date: Fri, 18 Apr 2014 08:38:13 +1000


In message <53504C18.7050406 () matthew at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
> > This is why listening to operators is important.
>
> Why start now? After all, most of the useful input operators could have
> provided would have been much more useful at the beginning.
>
> Matthew Kaufman

NAT from a firewall perspective is "default deny in".  As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job.  It
never has been a firewall's job.  That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would
do that, as it will often break IPv6.  There are rules, often
deployed in v4, that are mostly harmless to IPv4 but will totally
break IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
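As an added example (not part of the thread or of anything Mark posted), this is what "default deny in" looks like for IPv6 in nftables syntax with no address or port rewriting at all, and it shows a common v4 habit that breaks IPv6 when copied over: dropping ICMP wholesale, which kills Neighbor Discovery and Path MTU Discovery. The interface name "eth0" and the 2001:db8::/32 documentation prefix are assumed placeholders.

```nft
# Added example: stateful IPv6 "default deny in" without NAT.
# "eth0" and 2001:db8::/32 are placeholders, not values from the thread.
table ip6 fw6 {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny in

        iif "lo" accept
        ct state established,related accept

        # Do NOT port a v4 "drop all icmp" rule: IPv6 needs these ICMPv6
        # types for error reporting, PMTUD and Neighbor Discovery (RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        # ND messages are link-local and must arrive with hop limit 255.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
        icmpv6 type echo-request limit rate 10/second accept

        ct state invalid drop

        # Services deliberately exposed, e.g. SSH reachable from the LAN prefix only.
        iif "eth0" ip6 saddr 2001:db8::/32 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny in
        ct state established,related accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        ct state invalid drop
        iif "eth0" accept   # new flows originating inside the LAN
    }
}
```

Hosts behind this keep their global addresses end to end; only unsolicited inbound traffic is refused, which is the firewall property the thread is arguing about.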

