IPv6 Hardware Firewall

<VLKMJ.19775$iK66.8601@fx46.iad>

From: moc...@mailexcite.com (Mike Mocha)
Subject: IPv6 Hardware Firewall
Newsgroups: comp.os.linux.networking
MIME-Version: 1.0
Organization: --==RHW==--
x-no-archive: yes
User-Agent: Pan/0.147 (Sweet Solitude; 0d77554
gitlab.gnome.org/dgraef/pan.git)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lines: 23
Message-ID: <VLKMJ.19775$iK66.8601@fx46.iad>
X-Complaints-To: abuse@frugalusenet.com
NNTP-Posting-Date: Wed, 09 Feb 2022 08:16:53 UTC
Date: Wed, 09 Feb 2022 08:16:53 GMT
X-Received-Bytes: 2049
 by: Mike Mocha - Wed, 9 Feb 2022 08:16 UTC

I noticed something interesting the other day. If you are a typical home
user with cable or DSL Internet service, and your provider gives you
native IPv6 addresses and you desire to firewall the devices on your home
network; since IPv6 is not using NAT, every device behind your router
gets a unique IP address, so you basically have to either close down all
IPv6 ports at the main router, OR open all IPv6 ports at the router, and
then run a software firewall on each device on the network! This is not
practical or possible on many devices (gaming consoles, smart phones, IoT
devices, etc).

I can prove this by opening and closing the IPv6 firewall settings on my
provider's router. It's different with IPv4 of course. With IPv4, you
only have one IP address for ALL the devices on your network. So you can
set up the firewall to forward specific ports, and then set up services on
individual devices using those ports.

The point of this post, and my question, is there any consumer grade
router available that allows you to manage IPv6 ports on a device basis,
such as by individual IP or MAC address? There must be, otherwise how
can devices using IPv6 ever be effectively firewalled? If you want to
expose only certain services over IPv6 (SSH for example) on one device in
your network, how do you do this with consumer grade routers?

Re: IPv6 Hardware Firewall

<20220209100111.6b4b869a@ryz>

 by: Marco Moock - Wed, 9 Feb 2022 09:01 UTC

On Wednesday, 9 February 2022, at 08:16:53, Mike Mocha wrote:

> I noticed something interesting the other day. If you are a typical
> home user with cable or DSL Internet service, and your provider gives
> you native IPv6 addresses and you desire to firewall the devices on
> your home network; since IPv6 is not using NAT, every device behind
> your router gets a unique IP address, so you basically have to either
> close down all IPv6 ports at the main router, OR open all IPv6 ports
> at the router, and then run a software firewall on each device on the
> network! This is not practical or possible on many devices (gaming
> consoles, smart phones, IoT devices, etc).

It is only a security issue if a service listens on a TCP or UDP port.
If that is the case, the problem is not IPv6, nor a missing firewall; it
is the device that runs software that listens on the TCP/UDP port.

> I can prove this by opening and closing the IPv6 firewall settings on
> my provider's router. It's different with IPv4 of course. With
> IPv4, you only have one IP address for ALL the devices on your
> network. So you can set up the firewall to forward specific ports,
> and then set up services on individual devices using those ports.

For IPv4 with stateful NAT44, you have to enable a static NAT rule
(called port forwarding). Stateful NAT44 acts like an SPI firewall. If
you additionally operate a firewall, you also need to create a specific
rule there. For IPv6 without NAT, you only need to configure your
firewall, if enabled.

> The point of this post, and my question, is there any consumer grade
> router available that allows you to manage IPv6 ports on a device
> basis, such as by individual IP or MAC address? There must be,
> otherwise how can devices using IPv6 ever be effectively firewalled?
> If you want to expose only certain services over IPv6 (SSH for
> example) on one device in your network, how do you do this with
> consumer grade routers?

I know that some cable modem routers from Technicolor offer that
possibility. The default is an enabled SPI firewall. You can either
disable it completely or allow certain ports for IPv6 addresses.
The German Fritz devices also support such a firewall.

If you want a secure network, make sure no network services are
running that you don't want.
Additionally, you can use a normal hardware firewall that is fully
configurable.

Re: IPv6 Hardware Firewall

<su04a3$1c1h1$1@news1.tnib.de>

 by: Marc Haber - Wed, 9 Feb 2022 10:16 UTC

Mike Mocha <mocha@mailexcite.com> wrote:
>The point of this post, and my question, is there any consumer grade
>router available that allows you to manage IPv6 ports on a device basis,
>such as by individual IP or MAC address?

The AVM Fritzbox can of course do this. It even has a sensible default:
Outgoing accepts everything, incoming blocks everything.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<su04d7$1c1hl$1@news1.tnib.de>

 by: Marc Haber - Wed, 9 Feb 2022 10:18 UTC

Marco Moock <mo01@posteo.de> wrote:
>If you want a secure network, make sure no network services are
>running that you don't want.

Devices that allow you to control that are seldom found. Not even
Windows gives this kind of control. Smart TVs, Gaming Consoles etc
don't either.

>Additionally, you can use a normal hardware firewall that is fully
>configurable.

Name one consumer grade "hardware" firewall, please. I bet it does
things in software still.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<su0ltj$gv4$1@dont-email.me>

 by: Mike Scott - Wed, 9 Feb 2022 15:17 UTC

On 09/02/2022 09:01, Marco Moock wrote:
.......
>
> If you want a secure network, make sure no network services are
> running that you don't want.

Not a useful comment. I run various services for LAN use that I'd not
want exposed to the world. You can't just turn off nfs, ssh, ntp, etc;
while some LAN devices like cameras and TV etc can be safely assumed to
be unchangeably insecure.

MH's comment re fritzbox is useful to know (thank you!): I've been wary
about dipping a toe into IPV6 precisely because of the risk of service
exposure. The fritzbox (I have an ISP-supplied one) seems quite a handy
gizmo, albeit poorly documented in places.

> Additionally, you can use a normal hardware firewall that is fully
> configurable.
>

--
Mike Scott
Harlow, England

Re: IPv6 Hardware Firewall

<20220209163922.2794d89d@ryz>

 by: Marco Moock - Wed, 9 Feb 2022 15:39 UTC

On Wednesday, 9 February 2022, at 15:17:06, Mike Scott wrote:

> Not a useful comment. I run various services for LAN use that I'd not
> want exposed to the world. You can't just turn off nfs, ssh, ntp,
> etc; while some LAN devices like cameras and TV etc can be safely
> assumed to be unchangeably insecure.

If they don't support ACLs where I can restrict the access to my subnet,
I let them only listen on an IPv6 ULA prefix that isn't being routed on
the Internet.

> MH's comment re fritzbox is useful to know (thank you!): I've been
> wary about dipping a toe into IPV6 precisely because of the risk of
> service exposure. The fritzbox (I have an ISP-supplied one) seems
> quite a handy gizmo, albeit poorly documented in places.

Also IPv6 with EUI64 or privacy extension addresses isn't that easy to
guess, so the attacker first needs to find out the address of the device
and with a /64 net that is quite a lengthy task.

Re: IPv6 Hardware Firewall

<slrnt07sg7.5ru.dan@djph.net>

 by: Dan Purgert - Wed, 9 Feb 2022 16:54 UTC


Mike Mocha wrote:
>
> I noticed something interesting the other day. If you are a typical home
> user with cable or DSL Internet service, and your provider gives you
> native IPv6 addresses and you desire to firewall the devices on your home
> network; since IPv6 is not using NAT, every device behind your router
> gets a unique IP address, so you basically have to either close down all
> IPv6 ports at the main router, OR open all IPv6 ports at the router, and
> then run a software firewall on each device on the network! This is not
> practical or possible on many devices (gaming consoles, smart phones, IoT
> devices, etc).

Proper IPv4 and IPv6 firewalls look nearly identical (IPv6 addresses are
just longer). Only real difference is that because you have to do NAT
with IPv4 in addition to the firewall rules, most routers have a
"simplified" user interface (usually "port forwarding" or something to
that effect). Depending on make/model, you may or may not be able to
set individual NAT/Firewall rules.

In either event, the "IPv4 Port Forwarding" UI does two things:

1. Set up a new DNAT rule for destination (WAN_IP, Wan Port) gets
translated to (LAN_IP[,LAN_PORT])
2. Set up a new firewall rule for destination (LAN_IP[,LAN_PORT])
ACCEPT

An IPv6 firewall rule merely needs to be set up for
"prefix::abcd:1234,PORT" ACCEPT.

In either event, both firewall inbound chains will (should) look
something like this:

firewall_inbound {
    rule 1 - accept established / related traffic
    rule 2 - drop invalid packets
    rules {3-N} - custom rules ("accept port 80/443 to webserver IP")
    rule 10000 - drop everything else
}


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|
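
The inbound chain outlined in the post above, written out as an nftables ruleset for a Linux router, with the IPv4 "port forwarding" pair (DNAT plus accept) next to the single IPv6 accept rule. This is an added example, not part of the original post; the interface names, table names, the 2001:db8: documentation prefix and the 192.168.1.10 LAN address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Every name and address below is an assumption for illustration.

define WAN_IF    = "wan0"                      # assumed upstream interface
define LAN_IF    = "lan0"                      # assumed LAN interface
define SSH_HOST6 = 2001:db8:1234:1::abcd:1234  # documentation prefix + the post's ::abcd:1234
define SSH_HOST4 = 192.168.1.10                # assumed private address of the same device

# Forwarded traffic, IPv4 and IPv6 in one chain: the two firewalls look the same.
table inet home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # rule 1 - accept established / related traffic
        # ("related" also covers ICMP/ICMPv6 errors tied to a tracked flow)
        ct state established,related accept

        # rule 2 - drop invalid packets
        ct state invalid drop

        # LAN devices may open new connections outward
        iifname $LAN_IF oifname $WAN_IF accept

        # rules 3..N - custom per-device rules
        # IPv6: the accept rule is all that is needed, the address is global
        iifname $WAN_IF oifname $LAN_IF ip6 daddr $SSH_HOST6 tcp dport 22 ct state new accept
        # IPv4: step 2 of "port forwarding"; by now the destination has
        # already been rewritten by the DNAT rule in home_nat below
        iifname $WAN_IF oifname $LAN_IF ip daddr $SSH_HOST4 tcp dport 22 ct state new accept

        # rule 10000 - drop everything else (same as the chain policy);
        # the counter shows how much unsolicited traffic arrives
        counter drop
    }
}

# IPv4 only: step 1 of "port forwarding", plus source NAT for outbound traffic.
table ip home_nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # (WAN_IP, WAN port 22) is translated to (LAN_IP, LAN port 22)
        iifname $WAN_IF tcp dport 22 dnat to $SSH_HOST4:22
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

Loading the file with `nft -c -f <file>` checks the syntax without applying anything; `nft list ruleset` afterwards shows the drop counter.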

Re: IPv6 Hardware Firewall

<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>

 by: Grant Taylor - Thu, 10 Feb 2022 00:57 UTC

Somebody's got to say it, so it might as well be me.

On 2/9/22 1:16 AM, Mike Mocha wrote:
> since IPv6 is not using NAT

IPv6 NAT works perfectly fine.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220209230421@news.eternal-september.org>

 by: Roger Blake - Thu, 10 Feb 2022 04:08 UTC

On 2022-02-09, Mike Mocha <mocha@mailexcite.com> wrote:
> I noticed something interesting the other day. If you are a typical home
> user with cable or DSL Internet service, and your provider gives you
> native IPv6 addresses and you desire to firewall the devices on your home
> network; since IPv6 is not using NAT, every device behind your router
> gets a unique IP address, so you basically have to either close down all
> IPv6 ports at the main router, OR open all IPv6 ports at the router, and
> then run a software firewall on each device on the network! This is not
> practical or possible on many devices (gaming consoles, smart phones, IoT
> devices, etc).

I have no need for IPV6 and have it disabled on my home network. My own
router behind the ISP's gateway runs DD-WRT and has IPV6 turned off. All
of my computers and any other networked devices where it's configurable
have IPV6 disabled.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Re: IPv6 Hardware Firewall

<20220210082754.6488362e@ryz>

 by: Marco Moock - Thu, 10 Feb 2022 07:27 UTC

On Wednesday, 9 February 2022, at 17:57:06, Grant Taylor wrote:

> Somebody's got to say it, so it might as well be me.
>
> On 2/9/22 1:16 AM, Mike Mocha wrote:
> > since IPv6 is not using NAT
>
> IPv6 NAT works perfectly fine.

But it is not recommended to use it. It creates additional latency and
stateful NAT is a relic from IPv4. If you want the "security" feature
of NAT, use an SPI firewall.

Re: IPv6 Hardware Firewall

<20220210083002.2871a659@ryz>

 by: Marco Moock - Thu, 10 Feb 2022 07:30 UTC

On Thursday, 10 February 2022, at 04:08:02, Roger Blake wrote:

> On 2022-02-09, Mike Mocha <mocha@mailexcite.com> wrote:
> > I noticed something interesting the other day. If you are a
> > typical home user with cable or DSL Internet service, and your
> > provider gives you native IPv6 addresses and you desire to firewall
> > the devices on your home network; since IPv6 is not using NAT,
> > every device behind your router gets a unique IP address, so you
> > basically have to either close down all IPv6 ports at the main
> > router, OR open all IPv6 ports at the router, and then run a
> > software firewall on each device on the network! This is not
> > practical or possible on many devices (gaming consoles, smart
> > phones, IoT devices, etc).
>
> I have no need for IPV6 and have it disabled on my home network. My
> own router behind the ISP's gateway runs DD-WRT and has IPV6 turned
> off. All of my computers and any other networked devices where it's
> configurable have IPV6 disabled.

You will need that in future because IPv4 has too few addresses. NAT
is very annoying and many home user ISPs don't provide public IPv4
addresses to their customers anymore. They can only use IPv6 to operate
a server. Now IPv4 creates additional costs and needs resources. I
would really like to get rid of IPv4 as soon as possible.

Re: IPv6 Hardware Firewall

<su2kma$1gat9$1@news1.tnib.de>

 by: Marc Haber - Thu, 10 Feb 2022 09:08 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>Somebody's got to say it, so it might as well be me.
>
>On 2/9/22 1:16 AM, Mike Mocha wrote:
>> since IPv6 is not using NAT
>
>IPv6 NAT works perfectly fine.

But you don't need to use it, as long as the network is sane.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<su2kpj$1gb44$1@news1.tnib.de>

 by: Marc Haber - Thu, 10 Feb 2022 09:10 UTC

Roger Blake <rogblake@iname.invalid> wrote:
>I have no need for IPV6 and have it disabled on my home network. My own
>router behind the ISP's gateway runs DD-WRT and has IPV6 turned off. All
>of my computers and any other networked devices where it's configurable
>have IPV6 disabled.

And you're soooooo proud of that, aren't you?

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=279&group=comp.os.linux.networking#279

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 10:56:07 -0700
Organization: TNet Consulting
Message-ID: <su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <20220210083002.2871a659@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 17:55:55 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="15040"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220210083002.2871a659@ryz>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 17:56 UTC

On 2/10/22 12:30 AM, Marco Moock wrote:
> You will need that in future because IPv4 has too few addresses.

Probably. But maybe not.

> NAT is very annoying and many home user ISPs don't provide public
> IPv4 addresses to their customers anymore.

NAT is annoying to /some/. Many if not most of the home users don't
even realize that their router doesn't have a globally routed IP. Most
of those aren't aware that their workstation quite likely doesn't have a
globally routed IP.

NAT, despite its various cons, is simple and reliable enough that it's
the de facto way that the vast majority of the world accesses the Internet.

> They can only use IPv6 to operate a server. Now IPv4 creates additional
> costs and need resources. I really like to get rid of IPv4 as soon
> as possible.

I too would like to see more widespread adoption and embrace of IPv6.
But we've been transitioning from IPv4 to IPv6 for (at least) the /last/
20 years and I bet we will still be transitioning from IPv4 to IPv6 for
(at least) the /next/ 20 years.

We are far from access parity between IPv4 and IPv6. We haven't even
approached the midpoint, much less started the decades long process for
IPv6 to surpass and outmode IPv4.

I've been advocating for IPv6 for a decade, and do so weekly. But I'm a
pragmatist that realizes that IPv4 is going to be around for the rest of
my career. So, for better or worse -- my money's on worse -- we have
been, are, and will be in a dual protocol network.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=280&group=comp.os.linux.networking#280

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 10:59:12 -0700
Organization: TNet Consulting
Message-ID: <su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net> <20220210082754.6488362e@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 17:58:59 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="8014"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220210082754.6488362e@ryz>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 17:59 UTC

On 2/10/22 12:27 AM, Marco Moock wrote:
> But it is not recommended to use it.

Agreed.

Though a recommendation against something doesn't mean that it doesn't
exist. If anything, the recommendation against something is supporting
that it does exist. }:-)

> It creates additional latency

True.

Though many things create additional latency.

> stateful NAT is a relic from IPv4.

I could argue that TCP is even more of a relic from IPv4.

> If you want the "security" feature of NAT, use an SPI firewall.

NAT can be multiple things. Some of them provide zero security.

A Stateful Packet Inspection firewall is independent of NAT. SPI /does/
provide security.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=281&group=comp.os.linux.networking#281

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 11:01:09 -0700
Organization: TNet Consulting
Message-ID: <su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 18:00:56 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="8014"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <su2kma$1gat9$1@news1.tnib.de>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 18:01 UTC

On 2/10/22 2:08 AM, Marc Haber wrote:
> But you don't need to use it, as long as the network is sane.

Let's agree to disagree without getting into minutia.

Remember, port forwarding -- which is a thing in IPv6 -- is at its
roots NAT. There are definitely uses for port forwarding in IPv6.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220210194906.44813ebc@ryz>

https://www.novabbs.com/computers/article-flat.php?id=282&group=comp.os.linux.networking#282

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 19:49:06 +0100
Organization: A noiseless patient Spider
Lines: 15
Message-ID: <20220210194906.44813ebc@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org>
<20220210083002.2871a659@ryz>
<su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="50233fe813cca44e60fec3a20f3f63c4";
logging-data="8106"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18B/PjeL1If8yumNNq/CCnb"
Cancel-Lock: sha1:pr13p9Z5c9biMa2Gs2TTTWg/2W8=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Thu, 10 Feb 2022 18:49 UTC

On Thursday, 10 February 2022, at 10:56:07, Grant Taylor wrote:

> NAT is annoying to /some/. Many if not most of the home users don't
> even realize that their router doesn't have a globally routed IP.
> Most of those aren't aware that their workstation quite likely
> doesn't have a globally routed IP.
>
> NAT, despite its various cons, is simple and reliable enough that
> it's the de facto way that the vast majority of the world accesses the
> Internet.

True, but it destroys the way the internet is designed. You can't run your
own servers at home. This will just support big tech companies and
destroy the original concept of the internet.

Re: IPv6 Hardware Firewall

<su3o4t$mob$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=283&group=comp.os.linux.networking#283

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 12:13:45 -0700
Organization: TNet Consulting
Message-ID: <su3o4t$mob$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <20220210083002.2871a659@ryz>
<su3jjb$em0$1@tncsrv09.home.tnetconsulting.net> <20220210194906.44813ebc@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 19:13:33 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="23307"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220210194906.44813ebc@ryz>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 19:13 UTC

On 2/10/22 11:49 AM, Marco Moock wrote:
> True, but it destroys the way the internet is designed. You can't run
> your own servers at home. This will just support big tech companies
> and destroy the original concept of the internet.

Most people are satisfied with "access to" the Internet. Others want to
"be on" the Internet.

(Nested) NAT is usually sufficient for the former category.

NAT is problematic for the latter category, especially nested NAT.

I'm going to say that there is probably an 80/20 split (if not more like
90/10 or even 95/5) for "access to" vs "be on" the Internet.

There are multiple ways to fulfill "access to". Not all of them use
NAT. Not all of them even require (any version of) IP. Application
layer proxies that use something other than IP between the client and
the proxy are very interesting.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<slrnt0ap23.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=284&group=comp.os.linux.networking#284

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 19:14:32 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 31
Message-ID: <slrnt0ap23.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 19:14:32 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="3848"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/iw2juGMXQ0UjHTykMetR4RcxIrLDTNXk="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:H7ys4XI1NVeL/j31LSC5a2to1L8=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 19:14 UTC

Grant Taylor wrote:
> NAT can be multiple things. Some of them provide zero security.

I'd argue no implementations of NAT (by themselves) provide any
security.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<slrnt0ap4h.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=285&group=comp.os.linux.networking#285

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 19:15:50 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 31
Message-ID: <slrnt0ap4h.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 19:15:50 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="3848"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19zyKVyHcpU47wFKwcqRIux1FlUa8cxUI8="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:vsBSUeSiTWcufAQDF2vBtA3Noms=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 19:15 UTC

Grant Taylor wrote:
> Remember, port forwarding -- which is a thing in IPv6 -- is at its
> roots NAT. There are definitely uses for port forwarding in IPv6.

Although you need neither port-forwarding nor NAT on v6...


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<20220210203935.3a4fc97a@ryz>

https://www.novabbs.com/computers/article-flat.php?id=286&group=comp.os.linux.networking#286

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 20:39:35 +0100
Organization: A noiseless patient Spider
Lines: 9
Message-ID: <20220210203935.3a4fc97a@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
<slrnt0ap23.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="50233fe813cca44e60fec3a20f3f63c4";
logging-data="8106"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18oE0UucwbSSMxAPVyImf0c"
Cancel-Lock: sha1:BDUWudadXBJpqdfa8HUqpkRJa8I=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Thu, 10 Feb 2022 19:39 UTC

On Thursday, 10 February 2022, at 19:14:32, Dan Purgert wrote:

> I'd argue no implementations of NAT (by themselves) provide any
> security.

stateful NAT (regardless if NAT44/NAT64) provides implicit security.
It is like an SPI firewall, without a static NAT rule (port forwarding)
you can't access the devices behind the NAT.

Re: IPv6 Hardware Firewall

<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=287&group=comp.os.linux.networking#287

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 12:44:56 -0700
Organization: TNet Consulting
Message-ID: <su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 19:44:43 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="3938"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt0ap4h.5ru.dan@djph.net>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 19:44 UTC

On 2/10/22 12:15 PM, Dan Purgert wrote:
> Although you need neither port-forwarding nor NAT on v6...

Maybe. Maybe not.

It depends on the network topology, and other layers of the stack,
including layers 8 (politics) and 9 (money), influence this.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su3q70$h3i$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=288&group=comp.os.linux.networking#288

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 12:49:00 -0700
Organization: TNet Consulting
Message-ID: <su3q70$h3i$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net> <20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net> <slrnt0ap23.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 19:48:48 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="17522"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt0ap23.5ru.dan@djph.net>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 19:49 UTC

On 2/10/22 12:14 PM, Dan Purgert wrote:
> I'd argue no implementations of NAT (by themselves) provide any
> security.

This gets into theological discussions / debates about what NAT is and
is not.

I see no way that Stateless NAT /by/ /itself/ can provide security.
(Save for potentially only applying to specific source & destination IP
pairs. I know you know what I mean here.)

I think that Stateful NAT that dynamically maps between internal and
external IP(s) & port(s) probably provides some inherent security in the
fact that incoming connections will fail if there isn't associated NAT
state data to support the connection.

I'd enjoy such a theological discussion / debate. But I think it's very
much its own independent topic.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<slrnt0at6b.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=289&group=comp.os.linux.networking#289

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 20:25:04 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 44
Message-ID: <slrnt0at6b.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
<slrnt0ap23.5ru.dan@djph.net> <20220210203935.3a4fc97a@ryz>
Injection-Date: Thu, 10 Feb 2022 20:25:04 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="31329"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18dXuyxzGteR0i43Ok/m4b6Hzo1q13cU1s="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:2CE1P9rmdjdZRob5OSk/UG9hloE=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 20:25 UTC

Marco Moock wrote:
> On Thursday, 10 February 2022, at 19:14:32, Dan Purgert wrote:
>
>> I'd argue no implementations of NAT (by themselves) provide any
>> security.
>
> stateful NAT (regardless if NAT44/NAT64) provides implicit security.
> It is like an SPI firewall, without a static NAT rule (port forwarding)
> you can't access the devices behind the NAT.
>

The "Stateful" part of "Stateful NAT" is the firewall sitting
immediately behind DNAT, checking to see if packets have valid states.

No firewall = no security.

"Port forwarding" (as implemented in most, if not all routers) is just a
"quick and dirty NAT+Firewall rule" shortcut...


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|
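
The point of the post above, that the protection comes from the state check and not from the address translation, can be shown as an nftables ruleset for a routed IPv6 network with no NAT at all. This is an added example, not code from any poster in the thread; the interface names `wan0` and `lan0`, the table name and the documentation-prefix address `2001:db8:1::10` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread.
# Assumed names: wan0 = upstream (ISP) side, lan0 = inside network.
# Stateful packet inspection for routed IPv6; no address translation anywhere.

table ip6 spi_example {
    chain forward {
        # Default-deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Packets that conntrack cannot associate with a valid flow.
        ct state invalid drop

        # Replies to flows the inside hosts opened, plus related ICMPv6 errors.
        # This single rule is the "implicit security" people attribute to NAT.
        ct state established,related accept

        # Inside hosts may open new flows outward.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 error messages must cross the firewall or path MTU
        # discovery and error reporting break.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Optional: let the outside ping inside hosts, rate limited.
        icmpv6 type echo-request limit rate 10/second accept

        # IPv6 counterpart of a "port forward": a plain allow rule to the
        # server's own global address (constructed documentation address).
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept
    }
}
```

The syntax can be checked without loading the rules using `nft -c -f <file>`.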

Re: IPv6 Hardware Firewall

<20220210213434.61aa8729@ryz>

https://www.novabbs.com/computers/article-flat.php?id=290&group=comp.os.linux.networking#290

Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 21:34:34 +0100
Organization: A noiseless patient Spider
Lines: 17
Message-ID: <20220210213434.61aa8729@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="50233fe813cca44e60fec3a20f3f63c4";
logging-data="8106"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/2cnge4XPM00DOQKZa/YiA"
Cancel-Lock: sha1:mD5kD12ExW81e7c3hNMiUcqs5/k=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Thu, 10 Feb 2022 20:34 UTC

On Thursday, 10 February 2022, at 12:44:56, Grant Taylor wrote:

> On 2/10/22 12:15 PM, Dan Purgert wrote:
> > Although you need neither port-forwarding nor NAT on v6...
>
> Maybe. Maybe not.
>
> It depends on the network topology, and other layers of the stack,
> including layers 8 (politics) and 9 (money), influence this.

If you like to have more work (NAT is annoying if using DNS names
inside and outside of the NAT net), then you can set up NAT for IPv6.
I like the easy way that means no NAT at all whenever possible.

Network is one of the things that last very long, so I don't like nasty
stuff like NAT there.
