Requirements for IPv6 Firewalls
eugen at imacandi.net
Fri Apr 18 22:26:27 UTC 2014
On Fri, Apr 18, 2014 at 10:49 PM, Jim Clausing <jim.clausing at acm.org> wrote:
> And maybe I'm just dense, but ho one has been able to tell me how I
> accomplish this in IPv6 without NAT, I have the requirement in certain
> circumstances to transparently redirect all outbound DNS (well, on TCP or
> UDP port 53) and/or SMTP (TCP ports 25 and 587) to my own servers. No,
> simply blocking it at the firewall and making the user "fix" the problem is
> not an option (especially when the problem is created by malware). It is a
> simple rule in IPTABLES for IPv4, but how do I accomplish it in IPv6? Not
> flaming or anything, but I really want to know how I'm supposed to
> accomplish that in the ideal IPv6 world with no NAT?
Nothing stops you from using NAT :)
This discussion got a bit off track. I'm not saying NAT should be banned
completely, I'm saying that with IPv6 we can actually simplify things a lot
get rid of all hacks we had to do in the network do get services up and
running (e.g. using a firewall's public ip address to hide several distinct
services behind it on different hosts, like web, dns, smtp etc).
I believe in simplicity, and now IPv6 for me makes things simple: I can
have all the IP addresses I want and do not need to use hacks to get things
working because no one would give 2048 IPv4 addresses just to do stuff with
them and run lots of servers with "public" IP addresses.
More information about the NANOG