Requirements for IPv6 Firewalls

Jim Clausing jim.clausing at acm.org
Fri Apr 18 19:49:36 UTC 2014


And maybe I'm just dense, but no one has been able to tell me how I 
accomplish this in IPv6 without NAT. I have the requirement in certain 
circumstances to transparently redirect all outbound DNS (well, on TCP or 
UDP port 53) and/or SMTP (TCP ports 25 and 587) to my own servers.  No, 
simply blocking it at the firewall and making the user "fix" the problem 
is not an option (especially when the problem is created by malware).  It 
is a simple rule in IPTABLES for IPv4, but how do I accomplish it in IPv6? 
Not flaming or anything, but I really want to know how I'm supposed to 
accomplish that in the ideal IPv6 world with no NAT?

--
Jim Clausing
GIAC GSE #26, GREM(G), CISSP
GPG fingerprint = A507 774A 39D6 A702 9F7C  8808 3D13 77B8 AACD 848D

On or about Fri, 18 Apr 2014, Simon Perreault pontificated thusly:

> On 2014-04-18 14:57, William Herrin wrote:
>> Excluding references and remarks RFC 6888 is 8 pages long with 15
>> total requirements. Short.
>
> Given the trend toward ever-fluffier RFCs, I'll take that as a
> compliment. :)
>
>> I'll let the firewall document's authors speak for themselves about
>> their document's purpose. In the abstract, they said: ''This has
>> typically been a problem for network operators, who typically have to
>> produce a "Request for Proposal" from scratch that describes such
>> features.''
>>
>> That says, "discriminator for potential purchases" to me. What's your take?
>
> I agree with your interpretation, and I disagree with the intent.
>
>> I agree that a "don't break the Internet' firewall requirements
>> document could have utility. But that doesn't appear to be this
>> document. And if done well, such a document would be short just like
>> RFC 6888.
>
> Full agreement.
>
> Simon
>
>

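The redirect the post describes, written out for both address families. This is an added example, not code from the original message or from anyone in the thread. It emits the iptables (IPv4) and ip6tables (IPv6) NAT rules that transparently steer port 53 (TCP and UDP) and ports 25/587 (TCP) from an inside interface to the operator's own resolver and mail relay. The interface name (eth1) and the 192.0.2.0/24 and 2001:db8::/32 addresses are placeholder assumptions; the one hard fact the example relies on is that ip6tables has had a nat table with DNAT and REDIRECT targets since Linux 3.7 (ip6table_nat), so the IPv6 rule is the same shape as the IPv4 one.

```shell
#!/bin/sh
# Added example (not from the original post): transparent redirect of
# outbound DNS and SMTP to our own servers, for IPv4 and IPv6.
# Assumptions: this box is the gateway the clients' traffic already
# crosses, the inside interface is eth1, and the server addresses below
# (documentation prefixes) are placeholders to be replaced.
#
# Usage:  sh redirect.sh           print the commands (dry run)
#         APPLY=1 sh redirect.sh   actually run them (needs root)

LAN_IF="${LAN_IF:-eth1}"          # inside interface (assumed name)
DNS4="${DNS4:-192.0.2.53}"        # our resolver, IPv4 (placeholder)
DNS6="${DNS6:-2001:db8::53}"      # our resolver, IPv6 (placeholder)
MX4="${MX4:-192.0.2.25}"          # our mail relay, IPv4 (placeholder)
MX6="${MX6:-2001:db8::25}"        # our mail relay, IPv6 (placeholder)

# Print the rule set for one address family, one command per line.
#   $1 = iptables | ip6tables
#   $2 = resolver address for that family
#   $3 = mail relay address for that family
nat_redirect_rules() {
    ipt="$1"; dns="$2"; mx="$3"
    # DNAT needs an IPv6 literal bracketed when a port follows it;
    # an address containing a colon can only be IPv6 here.
    case "$dns" in *:*) dns="[$dns]"; mx="[$mx]" ;; esac
    for proto in udp tcp; do
        echo "$ipt -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j DNAT --to-destination ${dns}:53"
    done
    for port in 25 587; do
        echo "$ipt -t nat -A PREROUTING -i $LAN_IF -p tcp --dport $port -j DNAT --to-destination ${mx}:$port"
    done
}

# The IPv6 nat table only exists on Linux >= 3.7 with ip6table_nat;
# on older kernels this listing fails and we must not continue.
ip6_nat_available() {
    ip6tables -t nat -L -n >/dev/null 2>&1
}

# Consume commands on stdin: echo them in dry-run mode, execute in APPLY mode.
run_rules() {
    if [ "${APPLY:-0}" = 1 ]; then
        # Disable pathname expansion so "[2001:db8::53]:53" is not
        # treated as a glob when the line is word-split for execution.
        set -f
        while IFS= read -r cmd; do
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        done
    else
        cat
    fi
}

main() {
    nat_redirect_rules iptables "$DNS4" "$MX4" | run_rules || return 1
    if [ "${APPLY:-0}" = 1 ] && ! ip6_nat_available; then
        echo "ip6tables nat table unavailable (need Linux >= 3.7, ip6table_nat)" >&2
        return 1
    fi
    nat_redirect_rules ip6tables "$DNS6" "$MX6" | run_rules
}

main
```

Two caveats that apply equally to the IPv4 and IPv6 versions: DNAT relies on conntrack to un-translate the replies, so the return path must also cross this box, and a REDIRECT target (to a resolver or relay living on the gateway itself) is the simpler choice when that is the topology. The `ip6_nat_available` check is the first thing to run on an unfamiliar box; an ip6tables build or kernel without the nat table will refuse the `-t nat` commands outright.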

More information about the NANOG mailing list