On Tue, Mar 01, 2005 at 04:08:32PM +0100, Jeroen Massar wrote:
> >My experience is that IPv6 is extremely difficult to figure out how
> >to set up securely, for the time being, due to lack of
> >connection-sharing.
>
> NAT is not a firewall. Get that into your brain.

oh, that was what he meant. I wasn't familiar with the term 'connection
sharing'.

I've stated numerous times that IPv6<->IPv6 NAT will only end up in
netfilter/iptables over my dead body. IPv4<->IPv6 NAT-PT is a different
issue, obviously.

btw, the IETF BEHAVE group is actually demanding that a NAT device does
not NAT IPv6 traffic!!

> And indeed there is no Linux firewalling code yet, in the mainstream
> that can do connection tracking.

still, ip6_conntrack is shipped by commercial distributions like SuSE...

--
- Harald Welte <laforge@xxxxxxxxxxxx> http://gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)