NAT firewall for IPv6?

Octavio Alvarez octalnanog at alvarezp.org
Tue Jul 5 19:47:36 UTC 2016


On 07/01/2016 07:28 PM, Edgar Carver wrote:
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses?

You need layer-7 firewalls for this. NAT-based "firewalls"
(pseudo-firewalls, really) are layer-4 only. Those will not help you
block typical viruses, as people will usually get infected from
connecting to a compromised Website, or from e-mail attachments. And
even more, if connections are encrypted, an L7 firewall will not be able
to do anything (whether IPv4 or v6) unless... better not open a can of
worms.

They will just help you block *some* attack vectors, though: those that
rely on starting connections to your hosts from the outside.

My guess is that, with regard to e-mail attachments and compromised
Websites, IPv4 hosts are still attacked more than IPv6 ones, so, even if
you turn off IPv6 you will still get attacked through IPv4.

Everything else has already been said by others: fixing the Palo Alto is
still your best bet.

Good luck!


