/27 the new /24

tim at pelican.org
Wed Oct 7 14:18:11 UTC 2015

On Wednesday, 7 October, 2015 12:54, "Owen DeLong" <owen at delong.com> said:

> There are some important differences for ICMP (don’t break PMTU-D or ND),
> but otherwise, really not much difference between your IPv4 security policy and
> your IPv6 security policy.

The IPv4 world would have been nicer without quite so much of the "ICMP is eeeeeeeeevil!" nonsense, but agreed, it's somewhat more fundamental in IPv6.

> In fact, on my linux box, I generate my IPv4 iptables file using little more than
> a global search and replace on the IPv6 iptables configuration which replaces the
> IPv6 prefixes/addresses with the corresponding IPv4 prefixes/addresses. (My IPv6
> addresses for things that take incoming connections have an algorithmic map to
> IPv4 addresses for things that have them.)

Similarly for at least some supplied tools on top of iptables.  'ufw' Just Works with both - 'ufw allow 25/tcp' will insert the appropriate rule into both iptables and ip6tables, for example.
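
An added example, not code from this thread or from either poster: a sketch of deriving IPv4 rules from an IPv6 rule file through an algorithmic address map, with the ICMP rules handled separately because they do not translate one-for-one. The /96 embedding under 2001:db8:1::/96, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Assumption (not from the thread): dual-stacked hosts live in 2001:db8:1::/96
# with the IPv4 address in the low 32 bits (2001:db8:1::c000:20a <-> 192.0.2.10).
V6_BASE = ipaddress.ip_network("2001:db8:1::/96")
# ICMPv6 types with an IPv4 counterpart. Neighbour Discovery is absent on
# purpose: IPv4 uses ARP, which iptables never sees.
ICMP_MAP = {"packet-too-big": "fragmentation-needed",
            "echo-request": "echo-request", "time-exceeded": "time-exceeded"}
# Constructed sample ip6tables rules (documentation prefixes only).
SAMPLE_V6 = """\
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -d 2001:db8:1::c000:20a -p tcp --dport 25 -j ACCEPT
-A INPUT -d 2001:db8:2::53 -p udp --dport 53 -j ACCEPT
"""

def map_net(text):
    """Map an IPv6 address or prefix inside V6_BASE to IPv4 CIDR text."""
    net = ipaddress.ip_network(text, strict=False)
    if net.version != 6 or not net.subnet_of(V6_BASE):
        raise ValueError(f"no IPv4 mapping for {text}")
    v4 = ipaddress.ip_address(int(net.network_address) & 0xFFFFFFFF)
    return f"{v4}/{net.prefixlen - 96}"

def translate(rule):
    """Return the IPv4 form of one rule, or None if it is IPv6-only."""
    tokens, out = rule.split(), []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        if prev in ("-s", "-d"):
            try:
                tok = map_net(tok)
            except ValueError:
                return None  # host or prefix has no IPv4 address
        elif prev == "-p" and tok in ("ipv6-icmp", "icmpv6"):
            tok = "icmp"
        elif tok == "--icmpv6-type":
            tok = "--icmp-type"
        elif prev == "--icmpv6-type":
            tok = ICMP_MAP.get(tok)
            if tok is None:
                return None  # ND and other IPv6-only types
        out.append(tok)
    return " ".join(out)

def translate_ruleset(text):
    rules = (translate(line) for line in text.splitlines() if line.strip())
    return [r for r in rules if r is not None]
```

Rules for hosts outside the mapped prefix and for Neighbour Discovery are dropped from the IPv4 output, while the packet-too-big rule becomes its PMTU-D equivalent, fragmentation-needed.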

