Requirements for IPv6 Firewalls

Mark Andrews marka at isc.org
Thu Apr 17 22:38:13 UTC 2014


In message <53504C18.7050406 at matthew.at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
> > This is why listening to operators is important. 
> 
> Why start now? After all, most of the useful input operators could have 
> provided would have been much more useful at the beginning.
> 
> Matthew Kaufman

NAT from a firewall perspective is "default deny in".  As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job.  It
never has been a firewall's job.  That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would
do that, as it will often break IPv6.  There are rules, often
deployed in v4, that are mostly harmless to IPv4 but will totally
break IPv6.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
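The distinction Mark draws above, a stateful "default deny in" policy that never rewrites addresses, together with one concrete case of a v4-habit rule breaking IPv6 (dropping all ICMP), is modelled below. This is an added illustration, not code from the thread or from ISC; the packet filter, the `Packet` and `StatefulFilter` names, and the sample traffic (2001:db8::/32 documentation addresses) are all constructed here. The set of ICMPv6 types treated as essential follows RFC 4890's filtering recommendations.

```python
"""Toy stateful 'default deny in' filter for IPv6.

Constructed example: the filter never mangles src/dst or ports (no NAT);
it only decides accept/drop. It is run twice: once with a v4-style
'drop all ICMP' rule and once allowing the ICMPv6 types IPv6 needs."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out" relative to the protected net
    proto: str                # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None   # only meaningful for proto == "icmpv6"


# ICMPv6 types without which IPv6 does not work (RFC 4890 "must not drop").
ICMPV6_ESSENTIAL = {
    1: "destination unreachable",
    2: "packet too big (PMTUD)",
    3: "time exceeded",
    4: "parameter problem",
    128: "echo request",
    129: "echo reply",
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
}


class StatefulFilter:
    """Default allow out, default deny in, replies to inside-initiated
    flows accepted. Addresses are never rewritten."""

    def __init__(self, allow_icmpv6: bool):
        self.allow_icmpv6 = allow_icmpv6
        self.flows = set()    # 5-tuples of flows initiated from inside

    def evaluate(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the outbound flow so its replies are let back in.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: reversed 5-tuple matches a known flow -> established.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept (established)"
        if pkt.proto == "icmpv6":
            if self.allow_icmpv6 and pkt.icmp_type in ICMPV6_ESSENTIAL:
                return f"accept ({ICMPV6_ESSENTIAL[pkt.icmp_type]})"
            return "drop"     # the v4 habit: 'drop all ICMP'
        return "drop"         # default deny in


# Constructed sample traffic, in arrival order.
SAMPLE_TRAFFIC = [
    ("https_out", Packet("out", "tcp", "2001:db8:1::10", "2001:db8:2::1", 50000, 443)),
    ("reply_in",  Packet("in",  "tcp", "2001:db8:2::1", "2001:db8:1::10", 443, 50000)),
    ("syn_in",    Packet("in",  "tcp", "2001:db8:9::5", "2001:db8:1::10", 40000, 22)),
    # Neighbor solicitation from the upstream router's link-local address.
    ("ns",        Packet("in",  "icmpv6", "fe80::1", "ff02::1:ff00:10", icmp_type=135)),
    # Packet Too Big from a transit router: needed for path MTU discovery.
    ("ptb",       Packet("in",  "icmpv6", "2001:db8:ffff::1", "2001:db8:1::10", icmp_type=2)),
]


def run(allow_icmpv6: bool) -> dict:
    """Feed the sample traffic through a fresh filter; return name -> verdict."""
    fw = StatefulFilter(allow_icmpv6)
    return {name: fw.evaluate(pkt) for name, pkt in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for label, policy in (("v4-style (drop all ICMP)", False), ("IPv6-aware", True)):
        print(label)
        for name, verdict in run(policy).items():
            print(f"  {name:10s} {verdict}")
```

Both policies give the same answers for TCP: the unsolicited inbound SYN is dropped and the reply to the inside-initiated HTTPS flow is accepted, all without touching an address. They differ only on ICMPv6, where the v4-style rule silently drops neighbor discovery and Packet Too Big, which is exactly the kind of "mostly harmless in v4, breaks v6" rule the message warns about.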