Requirements for IPv6 Firewalls

Mark Andrews marka at
Thu Apr 17 22:38:13 UTC 2014

In message <53504C18.7050406 at>, Matthew Kaufman writes:
> On 4/17/2014 1:45 PM, George Herbert wrote:
> > This is why listening to operators is important. 
> Why start now? After all, most of the useful input operators could have 
> provided would have been much more useful at the beginning.
> Matthew Kaufman

NAT from a firewall perspective is "default deny in".  As far as I
can tell no one is arguing that a firewall should not support that.

Now mangling the addresses and ports is not a firewall's job.  It
never has been a firewall's job.  That is what a NAT box does.

Now sometimes a NAT and Firewall are implemented in the same
hardware and people fail to make the distinction.

As for doing the same as v4 in a firewall for v6, only an idiot would
do that, as it will often break IPv6.  There are rules, often
deployed in v4, that are mostly harmless to IPv4 but will totally
break IPv6.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list
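A concrete version of the two points above, written as an added nftables example for this page; it is not part of Mark's post and not anything ISC or NANOG publishes. It is a stateful "default deny in" policy for a dual-stack Linux host or router with no NAT hook at all (address and port rewriting is left to a separate NAT box), and it shows the classic IPv4 habit that is harmless to v4 but fatal to v6: a blanket ICMP drop. The interface names lan0/wan0 and the open ports are assumptions; the ICMPv6 types that must pass are the ones RFC 4890 lists as required for IPv6 to work at all.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (hypothetical dual-stack host/router).
# Interface names and service ports below are assumptions.
flush ruleset

# The IPv4-ism NOT to copy into an IPv6 policy. On v4 this mostly costs you
# ping and traceroute. On v6 it silently kills Neighbor Discovery, Router
# Advertisements and Packet Too Big, i.e. address resolution and PMTUD:
#
#     meta l4proto icmpv6 drop
#
# Conntrack does not save you here: ND/RA are not replies to anything, so
# "ct state established,related" never matches them.

table inet filter {
    chain input {
        # "default deny in": nothing enters unless a rule below accepts it.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the host itself needs (RFC 4890 section 4.4.1):
        # errors (incl. Packet Too Big for PMTUD), ND, RA, MLD.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-done
        } accept

        # The ICMPv4 equivalents; v4 limps along without them, v6 does not.
        icmp type {
            destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Services this box offers (assumed values).
        tcp dport { 22, 443 } accept
    }

    chain forward {
        # Same default deny for transit traffic, both address families.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Transit hosts must still receive path MTU and other error
        # messages (RFC 4890 section 4.3.1).
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept
        icmp type {
            destination-unreachable, time-exceeded, parameter-problem
        } accept

        # Inside may initiate to outside; replies return via ct state above.
        iifname "lan0" oifname "wan0" accept
    }

    # Deliberately absent: any "type nat hook ..." chain with masquerade,
    # snat or dnat. Address/port mangling is a NAT box's job, not the
    # firewall policy's, and IPv6 here does not need it.
}
```

Load with `nft -f <file>` as root. Note that every rule in the ICMPv6 sets is explicit: a `policy drop` chain with only `ct state established,related accept` is the IPv6 equivalent of the commented-out `meta l4proto icmpv6 drop`, because unsolicited ND and RA never create a conntrack entry to match.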