ip6tables and multiple possible source addresses
Jens Weibler
jens.weibler at h-da.de
Thu Jan 19 10:55:16 CET 2012
On 19.01.2012 09:48, Mohacsi Janos wrote:
> Which is more frequent, renumbering or tweaking firewall rules? There
> is a tradeoff - everybody should decide according to their taste.
In my opinion, firewalls should change their behaviour through flexible rules.
I don't want to enter the prefix explicitly in each rule but only the
host part.
Example:
I configure my current prefix 2001:db8::/48 as prefix-set MY-NETWORK.
In a rule I only use MY-NETWORK:dead:beef:0:1.
On the big day of prefix change I advance my prefix-set by simply adding
the new prefix, leaving the old one still there.
After the renumbering phase I simply delete my old prefix 2001:db8::/48
from the prefix-set and I'm done.
Firewalls have to change for real IPv6 ops.
And by the way: I really don't care about my servers on the renumbering
day. They are all statically configured but managed by puppet. Changing the
IP will just be a small script.
--
Jens Weibler
IT-Services
Hochschule Darmstadt
www.h-da.de
University of Applied Sciences
Fachbereich Informatik
www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel +49 6151 16-8425
Fax +49 6151 16-8935
jens.weibler at h-da.de
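The prefix-set workflow described in the mail, as an added Python example (not code from the original post or from any firewall product): rule templates name the set MY-NETWORK plus a host part, each template expands to one ip6tables rule per prefix currently in the set, and renumbering is "add the new prefix, regenerate, remove the old prefix". The SETNAME:host-part token syntax, the right-aligned placement of the host part in the low bits of the prefix, and the second prefix 2001:db8:ffff::/48 are assumptions constructed for the example.

```python
import ipaddress
import re

# Token syntax assumed for rule templates, as written in the mail: SETNAME:host-part
TOKEN_RE = re.compile(r"\b([A-Z][A-Z0-9-]*):([0-9a-fA-F:]+)")


def add_prefix(sets, name, prefix):
    """Renumbering day: add the new prefix, the old one stays in the set."""
    net = ipaddress.IPv6Network(prefix)
    sets.setdefault(name, [])
    if net not in sets[name]:
        sets[name].append(net)


def remove_prefix(sets, name, prefix):
    """After the renumbering phase: drop the old prefix from the set."""
    sets[name].remove(ipaddress.IPv6Network(prefix))


def host_in_prefix(net, host_part):
    """Place host_part in the low (128 - prefixlen) bits of net (assumed
    right-aligned layout). Rejects host parts that overflow into the prefix."""
    host = int(ipaddress.IPv6Address("::" + host_part))
    host_bits = 128 - net.prefixlen
    if host >> host_bits:
        raise ValueError(f"host part {host_part} does not fit in /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | host)


def render_rules(template, sets):
    """Expand one ip6tables rule template into one concrete rule per prefix
    in the referenced set; a template may reference only one set."""
    tokens = TOKEN_RE.findall(template)
    if not tokens:
        return [template]
    names = {name for name, _ in tokens}
    if len(names) != 1:
        raise ValueError("one prefix-set per rule template")
    name = names.pop()
    rules = []
    for net in sets[name]:
        rules.append(TOKEN_RE.sub(lambda m: str(host_in_prefix(net, m.group(2))), template))
    return rules


if __name__ == "__main__":
    sets = {}
    add_prefix(sets, "MY-NETWORK", "2001:db8::/48")        # current prefix from the mail
    rule = "-A INPUT -s MY-NETWORK:dead:beef:0:1 -p tcp --dport 22 -j ACCEPT"
    add_prefix(sets, "MY-NETWORK", "2001:db8:ffff::/48")   # constructed new prefix
    print("\n".join(render_rules(rule, sets)))              # both prefixes accepted
    remove_prefix(sets, "MY-NETWORK", "2001:db8::/48")     # renumbering finished
    print("\n".join(render_rules(rule, sets)))              # only the new prefix
```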