Re: IPv6 Hardware Firewall

<slrnt0au84.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=291&group=comp.os.linux.networking#291
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 20:43:06 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 46
Message-ID: <slrnt0au84.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 20:43:06 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="31329"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/tA9yyRRtG2pIVoRCFwm6ouoIUMgkJYBA="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:/pEguAoVHfAflYuRoWDt8a37NkU=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 20:43 UTC


Grant Taylor wrote:
> On 2/10/22 12:15 PM, Dan Purgert wrote:
>> Although you need neither port-forwarding nor NAT on v6...
>
> Maybe. Maybe not.
>
> It depends on the network topology and other layers of the stack,
> including layers 8 (politics) and 9 (money) influence this.

To rephrase slightly --

The sheer number of available addresses is such that NAT is not an
inherent requirement of setting up a new IPv6 network that is intended
to communicate with the wider internet.

This is in contrast to an IPv4 network, wherein the vast majority of
devices will be configured for an address contained within RFC1918
space, and will therefore require NAT to communicate to the wider
internet.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<slrnt0auiv.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=292&group=comp.os.linux.networking#292
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 20:48:52 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 40
Message-ID: <slrnt0auiv.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
<slrnt0ap23.5ru.dan@djph.net>
<su3q70$h3i$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 20:48:52 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="31329"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+FtgJefsmR2AniwC3wzjUQx22Phu1SttM="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:tmdTrxlTqG4Y+P+YINJ88teAe8M=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 20:48 UTC


Grant Taylor wrote:
> On 2/10/22 12:14 PM, Dan Purgert wrote:
>> I'd argue no implementations of NAT (by themselves) provide any
>> security.
> [...]
> I think that Stateful NAT that dynamically maps between internal and
> external IP(s) & port(s) probably provides some inherent security in the
> fact that incoming connections will fail if there isn't associated NAT
> state data to support the connection.

I must have a wire crossed somewhere, as I'm fairly certain that it's
more the firewall behind things that keeps unwanted traffic from making
a mess of things, even with conntrack in the mix.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<su3ue0$gm5$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=293&group=comp.os.linux.networking#293
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 14:01:01 -0700
Organization: TNet Consulting
Message-ID: <su3ue0$gm5$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <20220210213434.61aa8729@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 21:00:48 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="17093"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220210213434.61aa8729@ryz>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 21:01 UTC

On 2/10/22 1:34 PM, Marco Moock wrote:
> If you like to have more work (NAT is annoying if using DNS names
> inside and outside of the NAT net), then you can set up NAT for IPv6.

I don't agree that NAT for IPv6 is itself, nor causes, more work. But
we've likely had different use cases.

> I like the easy way that means no NAT at all whenever possible.
>
> Network is one of the things that last very long, so I don't like
> nasty stuff like NAT there.

Fair enough. To each their own.

I personally think that NAT can be ~> is a useful tool. However, the
tool MUST be used appropriately. Any and all tools can be abused in
ways that make life more difficult.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su3unv$th6$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=294&group=comp.os.linux.networking#294
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 14:06:19 -0700
Organization: TNet Consulting
Message-ID: <su3unv$th6$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 21:06:07 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="30246"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt0au84.5ru.dan@djph.net>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 21:06 UTC

On 2/10/22 1:43 PM, Dan Purgert wrote:
> To rephrase slightly --

;-)

Clarifying points are a good thing for discussions. :-D

> The sheer number of available addresses is such that NAT is not an
> inherent requirement of setting up a new IPv6 network that is intended
> to communicate with the wider internet.

I absolutely agree.

I have considerably more uses for NAT than /just/ the number of globally
routed IP addresses I have at my disposal.

> This is in contrast to an IPv4 network, wherein the vast majority of
> devices will be configured for an address contained within RFC1918
> space, and will therefore require NAT to communicate to the wider
> internet.

/me chuckles menacingly to himself. RFC 1918. There are a LOT of other
non-globally routed addresses that can be used. Then there are the
globally routed IP addresses that can be stomped on. }:-)

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<1644528793@f1.n250.z2.fidonet.ftn>

https://www.novabbs.com/computers/article-flat.php?id=295&group=comp.os.linux.networking#295
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: VBC...@gmail.com (Vincent Coen)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 21:33:13 +0000
Organization: A noiseless patient Spider
Lines: 35
Sender: "Vincent Coen" <VBCoen@gmail.com>
Message-ID: <1644528793@f1.n250.z2.fidonet.ftn>
References: <VLKMJ.19775$iK66.8601@fx46.iad> <20220209230421@news.eternal-september.org> <20220210083002.2871a659@ryz> <su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: reader02.eternal-september.org; posting-host="b9ea40d41843cd482ad52749a2bc9987";
logging-data="335"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+x1+Jrfmw2+zuDh4qtw4aZ"
Cancel-Lock: sha1:pPt9VvpI3mUoecRMDoCOvG7HGmU=
X-FTN-TID: MBSE-FIDO 1.0.7.24 (GNU/Linux-x86_64)
X-Newsreader: GoldED+/LNX 1.1.5 (Linux 5.15.18-server-2.mga8 CPU UNKNOWN)
X-FTN-Sender: Vincent Coen <Vincent.Coen@f1.n250.z2.fidonet.org>
X-FTN-AREA: COMP.OS.LINUX.NETWORKING
X-FTN-CHRS: UTF-8 2
X-FTN-PATH: 250/1
X-FTN-SEEN-BY: 25/0 21 250/0 1 2 4 5 6 7 10 11 21 263/0 301/1 371/52
X-FTN-MSGID: 2:250/1@fidonet 6205849c
X-Origin-Newsgroups: comp.os.linux.networking
X-FTN-PID: GED+LNX 1.1.5-b20180707
X-Comment-To: "Grant Taylor" <>
REPLY: tncsrv09.home.tnetconsulting.net 40fdbf15
X-FTN-TZUTC: 0000
 by: Vincent Coen - Thu, 10 Feb 2022 21:33 UTC

Hello Grant!

Thursday February 10 2022 17:56, Grant Taylor wrote to All:

> On 2/10/22 12:30 AM, Marco Moock wrote:
>> You will need that in future because IPv4 has too few addresses.

....

> /last/ 20 years and I bet we will still be transitioning from IPv4 to
> IPv6 for (at least) the /next/ 20 years.

> We are far from access parity between IPv4 and IPv6. We haven't even
> approached the midpoint, much less started the decades long process
> for IPv6 to surpass and out mode IPv4.

> I've been advocating for IPv6 for a decade, and do so weekly. But I'm
> a pragmatist that realizes that IPv4 is going to be around for the
> rest of my career. So, for better or worse -- my money's on worse --
> we have been, are, and will be in a dual protocol network.

You have to be using an ISP that has it implemented and my last two do not.

Plusnet
Virgin Media

Vincent

Re: IPv6 Hardware Firewall

<su4120$9h0$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=296&group=comp.os.linux.networking#296
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 14:45:48 -0700
Organization: TNet Consulting
Message-ID: <su4120$9h0$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net> <20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net> <slrnt0ap23.5ru.dan@djph.net>
<20220210203935.3a4fc97a@ryz> <slrnt0at6b.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 21:45:36 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="9760"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt0at6b.5ru.dan@djph.net>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 21:45 UTC

On 2/10/22 1:25 PM, Dan Purgert wrote:
> The "Stateful" part of "Stateful NAT" is the firewall sitting
> immediately behind DNAT, checking to see if packets have valid states.
>
> No firewall = no security.

I disagree.

To me, Stateful Packet Inspection and NAT State are two different
things. Especially considering that iptables uses two different
configurations for SPI and NAT.

Admittedly, the two features may share quite similar dependencies.

When I think of Stateful NAT / Masquerading in Linux, I think of a
connection table that is populated as packets egress through the router.
Said entries contain (at least) the incoming source & destination IP &
port pair and the outgoing source & destination IP & port pair. Wherein
one or more of the source / destination IP and / or port is modified.

So when 192.0.2.3/24 sends a connection to 203.0.113.234, the following
entry is created as the packet is NATed on its way out.

1) Client sends and router receives: 192.0.2.3:45678 / 203.0.113.234

2) Router creates the following NAT state entry.

IS 192.0.2.3:45678
ID 203.0.113.234:443
OS 198.51.100.200:12345
OD 203.0.113.234:443

{Inside,Outside}{Source,Destination}

3) Router translates the packet and routes it - sends:
198.51.100.200:12345 / 203.0.113.234:443

4) Server receives 198.51.100.200:12345 / 203.0.113.234:443.
5) Server does its thing.
6) Server sends 203.0.113.234:443 / 198.51.100.200:12345
7) Router receives 203.0.113.234:443 / 198.51.100.200:12345
8) Router finds a matching NAT state entry.
9) Router translates the packet and routes it - sends:
203.0.113.234:443 / 192.0.2.3:45678
A) Client receives 203.0.113.234:443 / 192.0.2.3:45678

Any traffic coming into 198.51.100.200 that doesn't have an associated
NAT state entry is simply routed to processes running on the router's
local TCP/IP stack.

As such, the lack of NAT state entries means that the packet goes to the
router, where the port is likely closed. Thus the connection inherently
stops because there is no place for it to go.

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

or

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 198.51.100.200

No additional rule(s) are needed to allow NATed traffic to flow.
(Presuming that there aren't other rules prohibiting it.)

Conversely, Stateful Packet Inspection tracks the state of connections
and /explicitly/ takes action based on the connection state.

SPI uses similar connection state information, but for a different
purpose. It is also interfaced with a different way.

iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT

SPI will depend on other rule(s) or built in chain default policy to
block traffic.

Both NAT / Masquerade and SPI work equally well with any combination of
non-globally routed and globally routed IPs.

But, importantly, pure NAT / Masquerade will function without any other
firewall rules / configuration while blocking connections that aren't in
the NAT state table.

Does NAT behave similarly to SPI? Yes. Is NAT dependent on SPI? No.

There was a time -- back in early 2.4 kernels -- when you could have NAT
/ Masquerade support in the kernel without SPI support in the kernel.
Or vice versa, SPI support in the kernel without NAT / Masquerade
support in the kernel.

NAT / Masquerade and SPI are really two completely different things in
the Linux kernel.

> "Port forwarding" (as implemented in most, if not all routers) is just a
> "quick and dirty NAT+Firewall rule" shortcut...

Now we delve into what is "port forwarding".

On one level, "port forwarding" is simply a (Destination) NAT rule.
There is no inherent /requirement/ for any other rules to do DNAT.
However, there are /usually/ other firewall rules that would match and
block the DNATed traffic. As such, there needs to be a rule to allow
the DNATed traffic through the firewall (nominally the FORWARD chain in
the filter table).

It's entirely possible to DNAT traffic as it passes through a router
wherein the firewall wouldn't block it. E.g. you allow traffic from the
world (0/0) to your DMZ hosts (198.51.100.0/24). You implement a DNAT
rule to alter traffic to your old web server's IP address to go to the
new web server's IP address.

# iptables -t nat -A PREROUTING -d 198.51.100.200 -j DNAT --to-destination 198.51.100.100

Finally, NATing / Masquerading really translate source and / or
destination IP and / or port /before/ the Linux kernel uses traditional
/routing/ to handle the packet. Hence why you do DNATing in the
nat:PREROUTING chain and SNATing in the nat:POSTROUTING chain.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su413p$9h0$2@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=297&group=comp.os.linux.networking#297
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 14:46:46 -0700
Organization: TNet Consulting
Message-ID: <su413p$9h0$2@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net> <20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net> <slrnt0ap23.5ru.dan@djph.net>
<su3q70$h3i$1@tncsrv09.home.tnetconsulting.net> <slrnt0auiv.5ru.dan@djph.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 21:46:33 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="9760"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnt0auiv.5ru.dan@djph.net>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 21:46 UTC

On 2/10/22 1:48 PM, Dan Purgert wrote:
> I must have a wire crossed somewhere, as I'm fairly certain that
> it's more the firewall behind things that keeps unwanted traffic from
> making a mess of things, even with conntrack in the mix.

Nope.

See my reply to your other comment for a much more detailed explanation.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su4170$9h0$3@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=298&group=comp.os.linux.networking#298
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 14:48:29 -0700
Organization: TNet Consulting
Message-ID: <su4170$9h0$3@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <20220210083002.2871a659@ryz>
<su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>
<1644528793@f1.n250.z2.fidonet.ftn>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 10 Feb 2022 21:48:16 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="9760"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <1644528793@f1.n250.z2.fidonet.ftn>
Content-Language: en-US
 by: Grant Taylor - Thu, 10 Feb 2022 21:48 UTC

On 2/10/22 2:33 PM, Vincent Coen wrote:
> You have to be using a ISP that has it implemented and my last two do not.

Having (native) IPv6 from an ISP is really helpful. But it's not
strictly /required/.

My current ISP doesn't support IPv6. Yet I use IPv6 every single day.

You can do what I do and get an IPv6 in IPv4 tunnel from someone like
Hurricane Electric.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<slrnt0b2e4.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=299&group=comp.os.linux.networking#299
Path: i2pn2.org!i2pn.org!news.swapon.de!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 21:54:33 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 40
Message-ID: <slrnt0b2e4.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
<slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 21:54:33 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="8506"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+0N7v+yqEIyqOBTEg5xBj+1kB1a6nHdHI="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:x4uKAC1crEBscvDZurCJAmD78+k=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 21:54 UTC


Grant Taylor wrote:
> On 2/10/22 1:43 PM, Dan Purgert wrote:
>> [...]
>> This is in contrast to an IPv4 network, wherein the vast majority of
>> devices will be configured for an address contained within RFC1918
>> space, and will therefore require NAT to communicate to the wider
>> internet.
>
> /me chuckles menacingly to himself. RFC 1918. There are a LOT of other
> non-globally routed addresses that can be used. Then there are the
> globally routed IP addresses that can be stomped on. }:-)

Sure, but you understand the point I'm making with the ipv4 'private'
networks here.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<slrnt0b45h.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=300&group=comp.os.linux.networking#300
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Thu, 10 Feb 2022 22:24:07 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 71
Message-ID: <slrnt0b45h.5ru.dan@djph.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<20220210082754.6488362e@ryz>
<su3jp3$7qe$1@tncsrv09.home.tnetconsulting.net>
<slrnt0ap23.5ru.dan@djph.net> <20220210203935.3a4fc97a@ryz>
<slrnt0at6b.5ru.dan@djph.net>
<su4120$9h0$1@tncsrv09.home.tnetconsulting.net>
Injection-Date: Thu, 10 Feb 2022 22:24:07 -0000 (UTC)
Injection-Info: reader02.eternal-september.org; posting-host="cb86d720e3143a1c6ac0ef97ad46112d";
logging-data="21957"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18s3Iwm0Y6/n2CUz9e8BSNaGG7HnOpchxA="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:etda+kaZQnhAFfkV8Hr7N8SGXdI=
X-PGP-KeyID: 0x4CE72860
 by: Dan Purgert - Thu, 10 Feb 2022 22:24 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Grant Taylor wrote:
> On 2/10/22 1:25 PM, Dan Purgert wrote:
>> The "Stateful" part of "Stateful NAT" is the firewall sitting
>> immediately behind DNAT, checking to see if packets have valid states.
>>
>> No firewall = no security.
>
> I disagree.
>
> To me, Stateful Packet Inspection and NAT State are two different
> things. Especially considering that iptables uses two different
> configurations for SPI and NAT. [...]

Yes, but an unsolicited packet that doesn't trigger NAT rules can (and
in many cases will) still be forwarded by the router. Granted, this
isn't likely to happen across the internet[1]; but say between two local
subnets that one is subject to NAT before going upstream (e.g. that
dirty hack I've had to do on occasion because some vendor-supplied
appliance will only ever work as 10.1.1.2, and oh no, you can't change
its IP, what do you mean you'd ever not use 10.1.1.0/8 on your office
LAN ... or ever want to use TWO of these in the same facility?!)

I think it's more a case of we're looking at the same coin from two
different sides (and I wholly agree with the direction you presented in
the bits I snipped).

[1] I'm only refraining from saying it's impossible across the internet,
lest someone come back with contrary examples ;)

>> "Port forwarding" (as implemented in most, if not all routers) is just a
>> "quick and dirty NAT+Firewall rule" shortcut...
>
> Now we delve into what is "port forwarding". [...]

Maybe the conversation diverged somewhere, and I hadn't noticed -- I was
under the impression that the phrase "port forwarding" was being used
strictly in the context of general consumer "whole-home-gateway" devices
(either supplied by one's ISP or picked up from AMZN/BestBuy/etc); so
literally the "simplistic" interface that consumers are expecting to

(1) Insert any necessary DNAT (and potentially PAT) rule AND
(2) Insert the corresponding firewall rule in the INPUT chain

Rather than the general sense of the phrase you are presenting in the
bit I snipped out.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|

Re: IPv6 Hardware Firewall

<1644542408@f1.n250.z2.fidonet.ftn>

https://www.novabbs.com/computers/article-flat.php?id=301&group=comp.os.linux.networking#301

From: VBC...@gmail.com (Vincent Coen)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 01:20:08 +0000
Organization: A noiseless patient Spider
 by: Vincent Coen - Fri, 11 Feb 2022 01:20 UTC

Hello Grant!

Thursday February 10 2022 21:48, Grant Taylor wrote to All:

> On 2/10/22 2:33 PM, Vincent Coen wrote:
>> You have to be using a ISP that has it implemented and my last two
>> do not.

> Having (native) IPv6 from an ISP is really helpful. But it's not
> strictly /required/.

> My current ISP doesn't support IPv6. Yet I use IPv6 every single day.

> You can do what I do and get an IPv6 in IPv4 tunnel from someone like
> Hurricane Electric.

Dumb nut question 1 - So what does it do for a system that only has an
IPv4 address from the ISP?

Reason for asking is I run a BBS and some of my downlinks have a v6
address along with a v4, and when the v4 cannot connect my system has a
quick look at v6, says protocol not supported, and gives up on that poll.

Vincent

Re: IPv6 Hardware Firewall

<su4neo$v7t$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=302&group=comp.os.linux.networking#302

From: ema...@example.com (meff)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 04:07:52 -0000 (UTC)
Organization: That of fools
 by: meff - Fri, 11 Feb 2022 04:07 UTC

On 2022-02-10, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 2/10/22 11:49 AM, Marco Moock wrote:
> There are multiple ways to fulfill "access to". Not all of them use
> NAT. Not all of them even require (any version of) IP. Application
> layer proxies that use something other than IP between the client and
> the proxy are very interesting.

There's a bunch of new overlay networks out there these days that can
help you "be on" the internet, as such. ZeroTier, TailScale, and
Wireguard (which underpins TailScale) are some of these overlay
networks. For a long time I used to hand out IPv6 addresses on one of
these overlays until I finally switched to an ISP with native
IPv6. I've just (personally) had it with crappy CGNAT getting in the
way of communication.

Re: IPv6 Hardware Firewall

<9eoNJ.42368$%uX7.41616@fx38.iad>

https://www.novabbs.com/computers/article-flat.php?id=303&group=comp.os.linux.networking#303

From: moc...@mailexcite.com (Mike Mocha)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 07:28:05 GMT
Organization: --==RHW==--
 by: Mike Mocha - Fri, 11 Feb 2022 07:28 UTC

Thanks for all the responses! Something that still is not making sense
to me: if, for example, we have a home network that contains many
different IPv6 devices connected, how do we control what ports get
exposed on each device?

That is the primary question I was trying to ask. For example, on one of
my daily-use Linux machines I have many different services running, and
as soon as I open the IPv6 firewall on my ISP's router, it means that all
of those services are open to the world! I don't want that! I can set up
iptables on this box, but what about all the other IPv6 devices on my
network? Random IoT devices, webcams, game consoles or whatever, I have
no idea what services they are running, and I'm worried that if someone
could get on one of those devices then they could eventually make their
way into my Linux box.

Re: IPv6 Hardware Firewall

<20220211093521.6c720ec9@ryz>

https://www.novabbs.com/computers/article-flat.php?id=304&group=comp.os.linux.networking#304

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 09:35:21 +0100
Organization: A noiseless patient Spider
 by: Marco Moock - Fri, 11 Feb 2022 08:35 UTC

On Friday, 11 February 2022, at 01:20:08, Vincent Coen wrote:

> Thursday February 10 2022 21:48, Grant Taylor wrote to All:
> > like Hurricane Electric.
>
> Dumb nut question 1 - So what does it do for a system that only has a
> ipv4 address from the isp ?

It uses Protocol 41. It tunnels all the IPv6 packets via IPv4 to the
tunnel endpoint at Hurricane Electric.

The IPv6 packets are simply inside of the IPv4 packets. At the tunnel
endpoint they are extracted and are normal IPv6 packets.
I also use that service from HE; it works fine.
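The protocol 41 encapsulation Marco describes, as an added example that is not code from the thread or from Hurricane Electric: it wraps an IPv6 packet in IPv4 the way the tunnel client does, and decapsulates it the way the tunnel endpoint should, refusing packets whose outer IPv4 source is not the configured tunnel peer. All addresses are constructed documentation values, and the header builders are minimal (no options, IPv4 checksum left at zero).

```python
"""Added example, not code from the thread: build a 6in4 packet (IPv4
protocol 41 carrying IPv6, RFC 4213) and decapsulate it the way a tunnel
endpoint would. Addresses are constructed documentation values; headers
are minimal (IPv4 checksum left at zero, no options), enough to show the
layering."""
import ipaddress
import struct

PROTO_6IN4 = 41             # IPv4 protocol number for "IPv6 encapsulation"
IPV6_NO_NEXT_HEADER = 59    # inner packet carries no upper-layer header
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header
IPV6_FMT = "!IHBB16s16s"    # 40-byte IPv6 header


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    ver_ihl = (4 << 4) | 5  # version 4, IHL 5 words (20 bytes)
    return struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_hdr: int, payload_len: int) -> bytes:
    return struct.pack(IPV6_FMT, 6 << 28, payload_len, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def encapsulate(outer_src: str, outer_dst: str,
                inner_src: str, inner_dst: str, payload: bytes) -> bytes:
    """What the local end of the tunnel does with an outgoing IPv6 packet:
    wrap it in an IPv4 packet addressed to the tunnel endpoint."""
    inner = ipv6_header(inner_src, inner_dst, IPV6_NO_NEXT_HEADER,
                        len(payload)) + payload
    return ipv4_header(outer_src, outer_dst, PROTO_6IN4, len(inner)) + inner


def decapsulate(packet: bytes, expected_peer: str) -> dict:
    """Strip the IPv4 wrapper and return the inner IPv6 header fields.

    Raises ValueError for anything a tunnel endpoint should refuse: not
    protocol 41, not IPv6 inside, or an outer source that is not the
    configured tunnel peer. The last check is the important one: without
    it any IPv4 host could inject packets into the tunnel, which is why
    RFC 4213 requires the decapsulator to verify the tunnel source."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack(IPV4_FMT, packet[:20])
    ver_ihl, total_len, proto, src = fields[0], fields[2], fields[6], fields[8]
    if ver_ihl >> 4 != 4 or proto != PROTO_6IN4:
        raise ValueError("not a 6in4 packet")
    outer_src = str(ipaddress.IPv4Address(src))
    if outer_src != expected_peer:
        raise ValueError(f"outer source {outer_src} is not the tunnel peer")
    ihl = (ver_ihl & 0x0F) * 4
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    _, payload_len, next_hdr, _, isrc, idst = struct.unpack(IPV6_FMT, inner[:40])
    return {
        "outer_src": outer_src,
        "inner_src": str(ipaddress.IPv6Address(isrc)),
        "inner_dst": str(ipaddress.IPv6Address(idst)),
        "next_header": next_hdr,
        "payload": inner[40:40 + payload_len],
    }


if __name__ == "__main__":
    # Constructed sample: tunnel client 203.0.113.10 -> endpoint 198.51.100.1,
    # carrying 2001:db8::1 -> 2001:db8::2 with a two-byte payload.
    pkt = encapsulate("203.0.113.10", "198.51.100.1",
                      "2001:db8::1", "2001:db8::2", b"hi")
    print(decapsulate(pkt, "203.0.113.10"))
```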

Re: IPv6 Hardware Firewall

<20220211094118.25fc3210@ryz>

https://www.novabbs.com/computers/article-flat.php?id=305&group=comp.os.linux.networking#305

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 09:41:18 +0100
Organization: A noiseless patient Spider
 by: Marco Moock - Fri, 11 Feb 2022 08:41 UTC

On Friday, 11 February 2022, at 07:28:05, Mike Mocha wrote:

> Thanks for all the responses! Something that still is not making
> sense to me, if for example we have a home network that contains many
> different IPv6 devices connected, how do we control what ports get
> exposed on each device?

The concept of the internet (IPv4 and IPv6) is that every device has a
unique address that is reachable from any other node. NAT and all that
crap are just temporary solutions for keeping IPv4 alive. We should
switch to IPv6 ASAP.

> That is the primary question I was trying to ask. For example, on
> one of my daily use Linux machines I have many different services
> running, and as soon as I open the IPv6 firewall on my ISPs router,
> it means that all of those services are open to the world!

True.

> I don't want that!

Then don't let those services listen on your public IPv6 address. For
that purpose you can use an IPv6 ULA prefix that is not routed on the
internet.

> I can set up iptables on this box, but what about all the
> other IPv6 devices on my network?

I recommend getting rid of devices you can't control. Do you have
control, or does the manufacturer?
Think about this.

> Random IoT devices, webcams, game consoles or whatever, I have no
> idea what services they are running, and I'm worried that if someone
> could get on one of those devices then they could eventually make
> their way into my Linux box.

Use nmap from other devices to check whether they respond on any UDP or
TCP port. If so, switch these services off or configure them properly.

Randomly finding them by their IPv6 address is also a PITA.
Mostly you have a /64 net and they either use EUI-64 with their MAC
address or privacy extensions with a randomly generated host identifier
(also 64 bits).
Randomly hitting such an address is very rare.
If you want security here, run an SPI firewall and only allow traffic
from outside for specific ports (but allow ICMP all the time for Path
MTU discovery).

Re: IPv6 Hardware Firewall

<su5dnu$jqr$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=306&group=comp.os.linux.networking#306

From: ema...@example.com (meff)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 10:28:14 -0000 (UTC)
Organization: That of fools
 by: meff - Fri, 11 Feb 2022 10:28 UTC

On 2022-02-11, Mike Mocha <mocha@mailexcite.com> wrote:
> That is the primary question I was trying to ask. For example, on one of
> my daily use Linux machines I have many different services running, and
> as soon as I open the IPv6 firewall on my ISPs router, it means that all
> of those services are open to the world! I don't want that! I can setup
> iptables on this box, but what about all the other IPv6 devices on my
> network? Random IoT devices, webcams, game consoles or whatever, I have
> no idea what services they are running, and I'm worried that if someone
> could get on one of those devices then they could eventually make their
> way into my Linux box.

You'll want to set up a Stateful (SPI) Firewall. Here's [1] some
example steps on how, from the Arch wiki, but they should be pretty
generalizable to other distros.

[1]: https://wiki.archlinux.org/title/simple_stateful_firewall

Re: IPv6 Hardware Firewall

<slrnt0cg8i.5ru.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=307&group=comp.os.linux.networking#307

From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 10:56:39 -0000 (UTC)
Organization: A noiseless patient Spider
 by: Dan Purgert - Fri, 11 Feb 2022 10:56 UTC


Mike Mocha wrote:
> Thanks for all the responses! Something that still is not making sense
> to me, if for example we have a home network that contains many different
> IPv6 devices connected, how do we control what ports get exposed on each
> device?

Your edge firewall. The rule would be constructed as

1. Destination IP -> host:addr::what:ever
2. Destination Port(s) -> Port(s)

> as soon as I open the IPv6 firewall on my ISPs router, it means that all
> of those services are open to the world! I don't want that! [...]

If the screen you're using only allows "open everything", that sounds
more like a DMZ configuration panel than something for setting firewall
ACLs.


--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|
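A miniature model of the stateful filter Marco recommends (SPI, only specific ports open from outside, ICMPv6 always allowed so Path MTU discovery keeps working) combined with the destination-address-plus-port rule shape Dan gives above, written as an added example rather than anything posted in the thread. The inside prefix, the one exposed service and the sample packets are constructed, and `Packet` and `StatefulFilter` are hypothetical names standing in for what conntrack and a FORWARD chain do on a real router.

```python
"""Added example, not code from the thread: a miniature stateful (SPI)
forward filter for an IPv6 /64, in the shape the replies above describe.
Only constructed packets are fed in; all addresses are documentation
prefixes, and Packet/StatefulFilter are hypothetical names."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

TCP, UDP, ICMPV6 = 6, 17, 58

# The edge rule in Dan's shape: (destination address, protocol, port) that
# unsolicited traffic from outside may reach. Everything else inside the
# prefix (IoT gadgets, consoles, ...) stays unreachable from the internet.
ALLOW_INBOUND: Set[Tuple[str, int, int]] = {
    ("2001:db8:1::10", TCP, 22),   # constructed: ssh on one Linux box
}
# ICMPv6 that must pass regardless of connection state: the error messages
# (types 1-4, including type 2 "Packet Too Big", which Path MTU discovery
# depends on) and echo request/reply.
ALLOW_ICMPV6_TYPES = {1, 2, 3, 4, 128, 129}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    syn: bool = False        # TCP only: SYN without ACK, i.e. a new connection


FlowKey = Tuple[str, str, int, int, int]   # src, dst, proto, sport, dport


class StatefulFilter:
    """Decides ACCEPT/DROP for forwarded packets like a conntrack-backed
    FORWARD chain: established flows pass, new flows from inside pass,
    new flows from outside pass only if explicitly exposed."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.flows: Dict[FlowKey, str] = {}   # flow -> "out" or "in"

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> FlowKey:
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def decide(self, p: Packet) -> str:
        if p.proto == ICMPV6:
            return "ACCEPT" if p.icmp_type in ALLOW_ICMPV6_TYPES else "DROP"
        # ESTABLISHED: either direction of a flow we have already seen
        if self._key(p) in self.flows or self._reply_key(p) in self.flows:
            return "ACCEPT"
        # INVALID: mid-stream TCP segment that belongs to no tracked flow
        if p.proto == TCP and not p.syn:
            return "DROP"
        if ipaddress.ip_address(p.src) in self.inside:
            self.flows[self._key(p)] = "out"     # NEW, originated inside
            return "ACCEPT"
        if (p.dst, p.proto, p.dport) in ALLOW_INBOUND:
            self.flows[self._key(p)] = "in"      # NEW from outside, exposed
            return "ACCEPT"
        return "DROP"                            # NEW from outside, not exposed


if __name__ == "__main__":
    fw = StatefulFilter("2001:db8:1::/64")
    # Constructed: an outside host probing a webcam's HTTP port is dropped,
    # the same host reaching the exposed ssh service is accepted.
    print(fw.decide(Packet("2001:db8:ffff::1", "2001:db8:1::50", TCP, 40000, 8080, syn=True)))
    print(fw.decide(Packet("2001:db8:ffff::1", "2001:db8:1::10", TCP, 40000, 22, syn=True)))
```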

Re: IPv6 Hardware Firewall

<su5nu5$47b4$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=308&group=comp.os.linux.networking#308

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 14:22:13 +0100
Organization: private site, see http://www.zugschlus.de/ for details
 by: Marc Haber - Fri, 11 Feb 2022 13:22 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/10/22 1:34 PM, Marco Moock wrote:
>> If you like to have more work (NAT is annoying if using DNS names
>> inside and outside of the NAT net), then you can set up NAT for IPv6.
>
>I don't agree that NAT for IPv6 is itself, nor causes, more work. But
>we've likely had different use cases.

I agree with Marco. Probably you have become so intimate with NAT and
the other crutches we need to keep v4 alive that you're dearly missing
them when they're not needed. Such people do exist.

>I personally think that NAT can be ~> is a useful tool.

For v4, yes. IPv6 was carefully crafted not to need it.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<su5nuu$47ba$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=309&group=comp.os.linux.networking#309

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 14:22:38 +0100
Organization: private site, see http://www.zugschlus.de/ for details
 by: Marc Haber - Fri, 11 Feb 2022 13:22 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>There are a LOT of other
>non-globally routed addresses that can be used.

Which ones, for example?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<20220211143446.4134c032@ryz>

https://www.novabbs.com/computers/article-flat.php?id=310&group=comp.os.linux.networking#310

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 14:34:46 +0100
Organization: A noiseless patient Spider
 by: Marco Moock - Fri, 11 Feb 2022 13:34 UTC

On Friday, 11 February 2022, at 14:22:38, Marc Haber wrote:

> Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> >There are a LOT of other
> >non-globally routed addresses that can be used.
>
> Which ones, for example?

IPv6 ULA
IPv6 site-local (but deprecated)
IPv6 link-local (no routing at all)
IPv4 link-local (used for APIPA, no routing, 169.254.0.0/16)

All not intended for connecting to other sites, only for internal stuff.

Re: IPv6 Hardware Firewall

<su69pt$haj$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=311&group=comp.os.linux.networking#311

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 11:27:21 -0700
Organization: TNet Consulting
 by: Grant Taylor - Fri, 11 Feb 2022 18:27 UTC

On 2/11/22 6:22 AM, Marc Haber wrote:
> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.

I don't think so.

> For v4, yes. IPv6 was carefully crafted not to need it.

The thing that IPv6 has over IPv4 is the number of IP addresses. But
/utilizing/ those IP addresses brings inherent problems, not the least
of which is additional routing burden.

Consider the use case of what I call the "Customer Interface Router".

Picture any business wherein each location is locally owned while having
some loose affiliation with a corporate entity with different owners. A
very good example is car dealerships affiliated with a major brand or
service company. Wherein each individual location administers their
network with complete autonomy and corporate administers its network
with complete autonomy. With that large topology in mind, consider the
potential, nay likely, complications with needing to establish
bi-directional communications between every single location and the
corporate entity such that systems at corporate can print to the
networked printer in the parts department. The C.I.R. functions as an
integration between each individual location and corporate.

NAT makes this trivial to do. Corporate sends traffic to the C.I.R.
which translates what's necessary for each individual site's local
network. Similarly each local site sends traffic to the C.I.R. which
translates what's necessary to interface with corporate.

Corporate doesn't have to worry about (de)conflicting subnets across
multiple sites. Local stores don't need to worry about (de)conflicting
subnets with corporate, much less other stores. Neither corporate nor
local stores need to propagate route information for each other's networks.

Corporate sends traffic to 192.0.<site #>.<printer #> to print orders in
the parts department. The local manager connects to 198.51.100.<server
#> to access corporate's vehicle inventory system.

The NAT on the C.I.R. acts as an abstraction layer allowing each side to
operate with almost complete autonomy from each other. I say almost
because nominally each side can't have the /same/ subnet. However, even
that can be accommodated by using two C.I.R.s back to back to do double
translation.

I have written this email using IPv4 addresses because they are simpler
/ shorter to type (and more muscle memory). But the exact same concept
applies to IPv6 as it does to IPv4.

The underlying issue is only compounded if you try to add another entity
to this scenario, say an external financing company or insurance
company. Each additional entity that needs to be integrated adds
complexity to /routed/ IP addresses at an exponential rate. Conversely
NATing C.I.R.s scale linearly.

The Customer Interface Router is only one scenario. I've run into other
more exotic scenarios wherein I needed (as in didn't have a choice) to
have the same subnet in two different locations that couldn't actually
share the subnet (TL;DR: D.R. environment replicating part of corporate)
where each saw the other side as different subnets so that they could
have routed communications. Linux's net-map IPTables target (prefix
translation) made this ... possible. Backups of servers from one side
could be restored on the other side without readdressing or any other
changes and they could still communicate with what they needed to
communicate with.

Aside: I'd say the IP part was trivial, but the other parts of the
stack were anything but trivial.

So ... Network Address Translation is a /valuable/ tool to have in the
tool box and it has far more uses than what most people think of. Just
because the most common use is to allow private IPv4 addresses to share
a single public IPv4 address doesn't mean that it's the /only/ use.

To directly reply to your opening comment:

> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.

Nope. NAT actually *SIGNIFICANTLY* simplifies many of the different
networks that I've helped administer over the last 20 years. The C.I.R.
is one of the simpler examples. Getting Microsoft's Active Directory
Domain Controllers to be happy thinking that each is in the same subnet
when they are not, for DR purposes, is another use case for NAT (prefix
translation). These are things that can't easily be done with actual
routed IP addresses, irrespective of if they are IPv4 or IPv6.

Aside: The reason for the DR configuration was so that there could be a
production Active Directory Domain Controller in the D.R. environment
that was always online and replicating with the production corporate
network. The D.R. side /needed/ to have the same IP addresses as the
production side so that production (member) servers could be restored
without modification and /just/ /work/. But the D.R. and production
networks couldn't be connected as a L2 environment for many reasons.
Not the least of which is that production had to be online at the same
time various D.R. tests were happening. The simplest solution was to
let each side think that it was the network it was configured for and to
lie to it about what the other side's network was. Thus each side would
send traffic to the other side's fake IP address, NAT would happen in
the middle to actually establish the communications. It worked
wonderfully well.

Further Aside: I challenge you to explain to me how routed addresses,
IPv4 or IPv6, can work as well as NAT does in either the C.I.R. or D.R.
environment.

--
Grant. . . .
unix || die
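Grant's Customer Interface Router as an added example (not his code or configuration): 1:1 prefix translation in the style of the NETMAP target, with corporate addressing each site as 192.0.<site>.0/24 while every site uses the same 10.1.1.0/24 locally and no site route is ever propagated to corporate. `netmap()`, `CustomerInterfaceRouter` and `build_sites()` are hypothetical names and every prefix is constructed; the same `netmap()` also handles IPv6 prefixes, which is the point made above that the concept carries over unchanged.

```python
"""Added example, not Grant's code: 1:1 prefix translation in the style
of the NETMAP target, applied as the Customer Interface Router described
above. Prefixes are constructed; netmap(), CustomerInterfaceRouter and
build_sites() are hypothetical names."""
import ipaddress
from typing import Dict, Iterable


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Swap the network bits, keep the host bits. As with NETMAP, both
    prefixes must be the same size; IPv4 and IPv6 are handled alike."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.version != dst.version or src.prefixlen != dst.prefixlen:
        raise ValueError("prefixes must be the same family and length")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    host_bits = int(a) & int(src.hostmask)
    return str(type(a)(int(dst.network_address) | host_bits))


class CustomerInterfaceRouter:
    """One C.I.R. per site. Traffic from corporate has its destination
    rewritten into the site's real prefix; traffic from the site has its
    source rewritten into the prefix corporate knows the site by. Neither
    side needs a route for the other's real addressing."""

    def __init__(self, corp_view: str, site_local: str):
        self.corp_view = corp_view      # how corporate addresses this site
        self.site_local = site_local    # what the site really uses

    def corp_to_site(self, dst: str) -> str:
        return netmap(dst, self.corp_view, self.site_local)

    def site_to_corp(self, src: str) -> str:
        return netmap(src, self.site_local, self.corp_view)


def build_sites(site_numbers: Iterable[int],
                site_local: str = "10.1.1.0/24") -> Dict[int, CustomerInterfaceRouter]:
    """Every site runs the identical local prefix (the vendor-appliance
    situation from earlier in the thread); corporate sees 192.0.<n>.0/24.
    Adding a site adds one C.I.R., not a new non-overlapping subnet plan."""
    return {n: CustomerInterfaceRouter(f"192.0.{n}.0/24", site_local)
            for n in site_numbers}


if __name__ == "__main__":
    sites = build_sites([7, 12])
    # Corporate prints to the parts-department printer at site 7 ...
    print(sites[7].corp_to_site("192.0.7.20"))      # 10.1.1.20
    # ... and the identically numbered device at site 12 is a different
    # corporate-side address, so there is no conflict between stores.
    print(sites[12].site_to_corp("10.1.1.20"))      # 192.0.12.20
```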

Re: IPv6 Hardware Firewall

<su69tq$haj$2@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=312&group=comp.os.linux.networking#312

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 11:29:27 -0700
Organization: TNet Consulting
 by: Grant Taylor - Fri, 11 Feb 2022 18:29 UTC

On 2/11/22 6:22 AM, Marc Haber wrote:
> Which ones, for example?

Pick any U.S. DoD prefix for starters. }:-)

Or any other entity that you know that you're not going to communicate with.

In many ways, the world is your oyster.

ProTip: IP addresses / network prefixes are /locally/ /significant/.
-- Once you truly grok anycast and how it works, you can get *REALLY*
creative.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su6a98$mbm$1@tncsrv09.home.tnetconsulting.net>

 copy mid

https://www.novabbs.com/computers/article-flat.php?id=313&group=comp.os.linux.networking#313

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 11:35:33 -0700
Organization: TNet Consulting
Message-ID: <su6a98$mbm$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de>
<20220211143446.4134c032@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 11 Feb 2022 18:35:20 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="22902"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220211143446.4134c032@ryz>
Content-Language: en-US
 by: Grant Taylor - Fri, 11 Feb 2022 18:35 UTC

On 2/11/22 6:34 AM, Marco Moock wrote:
> IPv4 link-local (used for APIPA, no routing, 169.254.0.0/16)

"You mustn’t be afraid to dream a little bigger, darling." - Inception.

https://www.youtube.com/watch?v=WcGbnX8Ay38

> All not intended for connecting to other sites, only for internal stuff.

Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
despite IPv6 NAT /because/ clients won't choose them for globally routed
destinations.

You /can/ route IPv6 link-local if you get creative. }:-)

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220211193915.69a4c70c@ryz>


https://www.novabbs.com/computers/article-flat.php?id=314&group=comp.os.linux.networking#314

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 19:39:15 +0100
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <20220211193915.69a4c70c@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
<slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net>
<su5nuu$47ba$1@news1.tnib.de>
<20220211143446.4134c032@ryz>
<su6a98$mbm$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="ead9c39d5bbe1658600e1a7f41e855aa";
logging-data="17306"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX189B9VINBsizZBPwmgu17pU"
Cancel-Lock: sha1:e/luCrpTWVc8qFVzWiz7N2k5/pk=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Fri, 11 Feb 2022 18:39 UTC

Am Freitag, 11. Februar 2022, um 11:35:33 Uhr schrieb Grant Taylor:

> Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
> despite IPv6 NAT /because/ clients won't choose them for globally
> routed destinations.

This is the right decision and was also intended for RFC 1918 addresses.

> You /can/ route IPv6 link-local if you get creative. }:-)

It is against the protocol to do so. You can change the software, but
then it doesn't follow the RFC's rules.
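
Grant's two posts above turn on which IPv6 prefixes are meant to stay inside a site (link-local, the deprecated site-local range, ULA) and Marco's reply that these play the role RFC 1918 space plays in IPv4. The block below is an added illustration, not code posted by anyone in this thread: a small Python classifier that names the scope class of an IPv6 address and derives a border-firewall verdict from it, with an optional site-chosen bogon list standing in for the "locally significant" prefixes Grant alludes to. Every address in it is a constructed sample, not a real host.

```python
import ipaddress
from typing import Iterable, List, Tuple

# IPv6 scope classes by RFC-assigned prefix. Site-local (fec0::/10) was
# deprecated by RFC 3879 in favour of unique-local (fc00::/7, RFC 4193),
# the IPv6 counterpart of RFC 1918 space: usable inside a site, never on
# the public internet. Order matters only where ranges could overlap.
SCOPES: List[Tuple[str, ipaddress.IPv6Network]] = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("ipv4-mapped", ipaddress.IPv6Network("::ffff:0:0/96")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("site-local-deprecated", ipaddress.IPv6Network("fec0::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("documentation", ipaddress.IPv6Network("2001:db8::/32")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope_of(addr: str) -> str:
    """Name the scope class of one IPv6 address (see SCOPES)."""
    a = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if a in net:
            return name
    if a in GLOBAL_UNICAST:
        return "global"
    return "reserved"


def border_verdict(src: str, dst: str, local_bogons: Iterable[str] = ()) -> str:
    """Forwarding decision for one packet at the site border.

    Anything that is not global unicast on both ends is dropped: link-local,
    site-local, ULA, multicast and friends have no business crossing the
    border in either direction. (Multicast is treated as non-forwardable
    here; global-scope multicast routing is outside this toy.)
    local_bogons is the site's own list of prefixes it knows it will never
    talk to, which is the practical meaning of "locally significant".
    Returns 'forward' or 'drop:<reason>'.
    """
    for end, addr in (("src", src), ("dst", dst)):
        scope = scope_of(addr)
        if scope != "global":
            return f"drop:{end}-{scope}"
    a_src, a_dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for prefix in local_bogons:
        net = ipaddress.IPv6Network(prefix)
        if a_src in net or a_dst in net:
            return f"drop:local-bogon-{net}"
    return "forward"


# Constructed sample flows; the "global" addresses are made up for the demo.
SAMPLE_FLOWS = [
    ("fe80::1", "2a0f:feed:cafe::10"),             # link-local source leaking out
    ("fec0::1", "2a0f:feed:cafe::10"),             # deprecated site-local
    ("fd12:3456::1", "2a0f:feed:cafe::10"),        # ULA, the RFC 1918 analogue
    ("2a0f:feed:cafe::10", "ff02::1"),             # link-local all-nodes multicast
    ("2a0f:feed:cafe::10", "2c0f:feed:cafe::53"),  # ordinary global traffic
]


def audit(flows=SAMPLE_FLOWS, local_bogons: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Run border_verdict over a list of (src, dst) pairs."""
    return [(s, d, border_verdict(s, d, local_bogons)) for s, d in flows]


if __name__ == "__main__":
    for src, dst, verdict in audit():
        print(f"{src:>24} -> {dst:<24} {verdict}")
```

Only the last sample flow is forwarded; the first four are exactly the classes the thread says should never appear on the outside of a hardware firewall, and a real border rule set should log such hits, since a link-local or ULA source arriving from the internet is either misconfiguration or spoofing.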

Re: IPv6 Hardware Firewall

<su6asn$iu9$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=315&group=comp.os.linux.networking#315

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Fri, 11 Feb 2022 11:45:56 -0700
Organization: TNet Consulting
Message-ID: <su6asn$iu9$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <20220210083002.2871a659@ryz>
<su3jjb$em0$1@tncsrv09.home.tnetconsulting.net>
<1644528793@f1.n250.z2.fidonet.ftn>
<su4170$9h0$3@tncsrv09.home.tnetconsulting.net>
<1644542408@f1.n250.z2.fidonet.ftn>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 11 Feb 2022 18:45:43 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="19401"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <1644542408@f1.n250.z2.fidonet.ftn>
Content-Language: en-US
 by: Grant Taylor - Fri, 11 Feb 2022 18:45 UTC

On 2/10/22 6:20 PM, Vincent Coen wrote:
> Dumb nut question 1 - So what does it do for a system that only has
> an IPv4 address from the ISP?

It provides IPv6 address(es) from the tunnel provider.

Think along the lines of a VPN. You get IPv6 inside the tunnel for your
use while the tunnel itself uses only IPv4 on the outside.

From a simplistic viewpoint, your system thinks that it has two
Internet connections, one of which only provides IPv4 addresses and the
other only provides IPv6 addresses.

I say simplistic because there are a lot of different ways that you can
configure things, some of which have (logical) interfaces, others do not.

> Reason for asking is I run a BBS and some of my downlinks have a v6
> address along with a v4, and when the v4 cannot connect my system has a
> quick look at v6, says protocol not supported, and gives up on that poll.

I'm not quite tracking what downlinks means in this case. I'm assuming
that it's down from an FTN network topology perspective. Thus from an IP
network topology perspective, they are simply peers. If your system
can't connect to an IPv4 peer for some reason and you don't have IPv6,
then you actually can't connect (at that time).

--
Grant. . . .
unix || die
