ip6tables and multiple possible source addresses

Jens Weibler jens.weibler at h-da.de
Thu Jan 19 10:55:16 CET 2012


On 19.01.2012 09:48, Mohacsi Janos wrote:
> Which is more frequent, renumbering or tweaking firewall rules? There 
> is a tradeoff - everybody should decide according to their taste. 

In my opinion firewalls should change their behaviour through flexible rules. 
I don't want to enter the prefix explicitly in each rule but only the 
host part.

Example:
I configure my current prefix 2001:db8::/48 as prefix-set MY-NETWORK.
In a rule I only use MY-NETWORK:dead:beef:0:1.

On the big day of prefix change I extend my prefix-set by simply adding 
the new prefix, leaving the old one still there.
After the renumbering phase I simply delete my old prefix 2001:db8::/48 
from the prefix-set and I'm done.

Firewalls have to change for real IPv6 ops.


And by the way: I really don't care about my servers on the renumbering 
day. They are all statically configured but managed by Puppet. Changing the 
IP will just be a small script.

-- 
Jens Weibler
IT-Services

Hochschule Darmstadt
www.h-da.de
University of Applied Sciences

Fachbereich Informatik
www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel  +49 6151 16-8425
Fax +49 6151 16-8935
jens.weibler at h-da.de
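The prefix-set workflow described in this message, written out as an added example that is not the poster's code or any firewall's real prefix-set feature: a small generator keeps a named set of IPv6 prefixes, expands rules written against the host part only (MY-NETWORK:dead:beef:0:1) into one ip6tables command per prefix, and replays the two renumbering phases (add the new prefix and keep the old one, then drop the old one). The set name, the host part dead:beef:0:1, the second prefix 2001:db8:1::/48 and TCP port 22 are constructed values; the class and function names are this example's own.

```python
import ipaddress

# Added example, not code from the original post. A named prefix-set is
# expanded into concrete ip6tables rules so that only the host part has
# to appear in the rule definition. All names and values are constructed.


class PrefixSet:
    """A named collection of IPv6 prefixes, e.g. MY-NETWORK -> [2001:db8::/48]."""

    def __init__(self, name, prefixes=()):
        self.name = name
        self.prefixes = []
        for p in prefixes:
            self.add(p)

    def add(self, prefix):
        # strict=True rejects a prefix with host bits set (a typo such as 2001:db8::1/48)
        net = ipaddress.IPv6Network(prefix, strict=True)
        if net not in self.prefixes:
            self.prefixes.append(net)

    def remove(self, prefix):
        self.prefixes.remove(ipaddress.IPv6Network(prefix, strict=True))


def expand_address(prefix_set, host_part):
    """Combine the host part with every prefix currently in the set.

    host_part is the text after the set name in MY-NETWORK:dead:beef:0:1.
    It is parsed as the low bits of an address and must fit into the host
    bits left over by each prefix length, otherwise the rule is refused
    instead of silently overwriting prefix bits.
    """
    host_int = int(ipaddress.IPv6Address("::" + host_part))
    addrs = []
    for net in prefix_set.prefixes:
        host_bits = 128 - net.prefixlen
        if host_int >= (1 << host_bits):
            raise ValueError(f"host part {host_part} does not fit in /{net.prefixlen}")
        addrs.append(str(ipaddress.IPv6Address(int(net.network_address) | host_int)))
    return addrs


def render_rules(prefix_set, host_part, dport, chain="INPUT"):
    """One ip6tables ACCEPT rule per prefix for the given host and TCP port."""
    return [
        f"ip6tables -A {chain} -p tcp -s {addr} --dport {dport} -j ACCEPT"
        for addr in expand_address(prefix_set, host_part)
    ]


def renumbering_phases(prefix_set, old_prefix, new_prefix, host_part, dport):
    """Replay the renumbering procedure from the post.

    Phase "overlap": the new prefix is added and the old one kept, so rules
    match both addresses. Phase "final": the old prefix is removed and the
    stale permits disappear with it.
    """
    phases = {}
    prefix_set.add(new_prefix)  # day of the prefix change
    phases["overlap"] = render_rules(prefix_set, host_part, dport)
    prefix_set.remove(old_prefix)  # after the renumbering phase
    phases["final"] = render_rules(prefix_set, host_part, dport)
    return phases


if __name__ == "__main__":
    ps = PrefixSet("MY-NETWORK", ["2001:db8::/48"])
    result = renumbering_phases(ps, "2001:db8::/48", "2001:db8:1::/48",
                                "dead:beef:0:1", 22)
    for phase, rules in result.items():
        print(f"# {phase}")
        print("\n".join(rules))
```

The generator only prints commands; applying them is a separate step, and in practice you would flush and rebuild the chain from the generated list rather than appending, so that removing a prefix from the set really does remove the old permits from the running ruleset.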



