IPv6 Firewall on CPEs - Default on or off

Jeroen Massar jeroen at unfix.org
Mon Nov 26 10:29:32 CET 2012

On 2012-11-26 10:02, Anfinsen, Ragnar wrote:
> I have my personal and clear opinion about the matter, which is off.
> To be able to uphold the true end to end connectivity it must
> obviously be off. I think the application firewall on the new OS's
> that support IPv6 are more than good enough, and a firewall in the
> CPE is redundant.

Not only redundant but that firewall does not what the applications
want. There is of course NAT-PMP/uPnP which can partially control these
firewalls, little of that supports IPv6 though.

As such I would say "Off", but do provide your customer with a very
clear informational article/(snail)mail on that you enabled IPv6 and
that if they want the protection of a firewall, next to the one built-in
to their own hosts, how they can enable it easily.

I am still a big fan of the Xs4all.nl service center they have (I guess
they still have it) and Swisscom.ch has one one too and I guess other
providers also: a website that the customer can use to change anything
related to their account:
 - password
 - add/remove email aliases etc
 - see billing details
 - how their CPE is configured

That latter part for Swisscom (I don't recall the xs4all one as that is
more than a decade ago ;) means that I can set the CPE's wireless
SSID/password/config (they then use TR-88 to force it) but even disable
them controlling most parts with TR-88 and turn it into a bridge (guess
what it is configured to ;). Now for IPv6 I would see that in that same
service center one can also have a "IPv6 firewall on/off" button, as
simple as that. Or better, a couple of profiles "Port X filtered, rest
not" etc.

I recall that in the time Xs4all for instance allowed blocking of ports
25/139/445 etc through them that way to avoid all the Spam & Samba
problems. They then decided to turn this on per default but, as
everybody knows where the service center is, and it was well documented
that they did most "power users" would turn it off.

Of course, today we have in most consumer operating systems (OSX/Mac*)
host-based firewalls that are easy to configure and pretty much closed
down, as such, 'firewall default' off' is a reasonable option.

Scanning and spreading virusses that way does not happen that much on
IPv6 due to the inherent address space size, another reason to not have
a firewall at all (which is typically the case for me, except for end hosts)

The trick is of course to keep things simple and non-technical,
minimalism is the key nowadays ;)


* = On Mac OS X I advise folks to install Little Snitch, yes, costs a
10'er but it is awesome (http://www.obdev.at/products/littlesnitch/)

More information about the ipv6-ops mailing list