IPv6 Firewall on CPEs - Default on or off

Anfinsen, Ragnar Ragnar.Anfinsen at altibox.no
Mon Nov 26 10:50:46 CET 2012

On 26.11.12 10:29, "Jeroen Massar" <jeroen at unfix.org> wrote:

>As such I would say "Off", but do provide your customer with a very
>clear informational article/(snail)mail on that you enabled IPv6 and
>that if they want the protection of a firewall, next to the one built-in
>to their own hosts, how they can enable it easily.

Agreed, information is the key here. If us internet guys wants true
end2end connectivity, we need to explain that to the customer in a non
technical understandable fashion and help the customer to make the right

>I am still a big fan of the Xs4all.nl service center they have (I guess
>they still have it) and Swisscom.ch has one one too and I guess other
>providers also: a website that the customer can use to change anything
>related to their account:
> - password
> - add/remove email aliases etc
> - see billing details
> - how their CPE is configured
>That latter part for Swisscom (I don't recall the xs4all one as that is
>more than a decade ago ;) means that I can set the CPE's wireless
>SSID/password/config (they then use TR-88 to force it) but even disable
>them controlling most parts with TR-88 and turn it into a bridge (guess
>what it is configured to ;). Now for IPv6 I would see that in that same
>service center one can also have a "IPv6 firewall on/off" button, as
>simple as that. Or better, a couple of profiles "Port X filtered, rest
>not" etc.

We do have a self care support system, where the customer do all support
requests and configure the CPE. We use TR-069 for this. We do not allow
the customer to access the GUI on the CPE.

>The trick is of course to keep things simple and non-technical,
>minimalism is the key nowadays ;)


>* = On Mac OS X I advise folks to install Little Snitch, yes, costs a
>10'er but it is awesome (http://www.obdev.at/products/littlesnitch/)

Nice one. I'll try it out.


More information about the ipv6-ops mailing list