On Sun, 2005-03-06 at 12:04 +0100, Harald Welte wrote:
>On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
>> >My experience is that IPV6 is extremely difficult to figure out how
>> >to set up securely, for the time being, due to lack of
>> >connection-sharing.
>>
>> NAT is not a firewall. Get that into your brain.
>
>Oh, that was what he meant. I wasn't familiar with the term 'connection
>sharing'.
That is the Windows term for it ;)
>I've stated numerous times that IPv6<->IPv6 NAT will only end up in
>netfilter/iptables over my dead body.
Hmmm..... then I guess that I'll have to kill you at some point ;)
But I'll leave it to printing out a kernel source and throwing it on
your casket in a year or 100 or so.
>IPv4<->IPv6 NAT-PT is a different issue, obviously.
>
>btw, the IETF BEHAVE group is actually demanding that a NAT device does
>not NAT ipv6 traffic!!
Doing the NAT as in the 'connection sharing', or better said, "rewriting
source/dest addresses and packet contents" is evil. But the other method
for which we are going to use a "translation of addresses", but on both
sides will be very interesting and will cost you your dead body <grin>.
>> And indeed there is no Linux firewalling code yet in the mainstream
>> that can do connection tracking.
>
>still, ip6_conntrack is shipped by commercial distributions like SuSE...
There is nothing wrong with connection tracking, as that can be used for
checking if a certain packet is allowed to come back into the firewall
or not, one of the basic principles of stateful firewalling.
Greets,
Jeroen
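The distinction drawn in this thread, a stateful filter that tracks flows versus NAT that rewrites addresses, as an added toy model (not netfilter's ip6_conntrack code; the prefix, ports and flow table are constructed here):

```python
"""Toy stateful IPv6 packet filter: connection tracking without NAT.

Inbound packets are accepted only if they belong to a flow an inside host
opened, or hit an explicitly exposed service. Addresses are never rewritten,
so the tracker, not address translation, is what provides the protection.
"""
from dataclasses import dataclass
import ipaddress

# Constructed documentation prefix standing in for the "inside" network.
INSIDE_NET = ipaddress.ip_network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFilter:
    def __init__(self, inbound_allow=()):
        # 5-tuples of flows seen leaving the inside network.
        self.flows = set()
        # (proto, dport) pairs of services deliberately reachable from outside.
        self.inbound_allow = set(inbound_allow)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def handle(self, pkt):
        """Return the verdict for pkt; records new outbound flows as state."""
        if ipaddress.ip_address(pkt.src) in INSIDE_NET:
            # NEW or ESTABLISHED from inside: remember it so the reply can return.
            self.flows.add(self._key(pkt))
            return "ACCEPT"
        # Inbound: ESTABLISHED means the reversed tuple was seen going out.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "ACCEPT"
        # Unsolicited inbound is dropped unless the port is an exposed service.
        if (pkt.proto, pkt.dport) in self.inbound_allow:
            return "ACCEPT"
        return "DROP"
```

The inside host keeps its real global address end to end; only the flow table decides what comes back in.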