IPv6 Firewall on CPEs - Default on or off

Tore Anderson tore.anderson at redpill-linpro.com
Tue Nov 27 15:08:35 CET 2012


* Mikael Abrahamsson

> Well, initially we disabled broadcast capability between customers which
> meant they couldn't see each other in "my network neighbourhood" (direct
> access still worked, but people generally didn't do that), and then we
> blocked "windows ports" later. A lot of deployments I know of still
> today block whatever ports windows uses in 135-139 and 445 for this reason.

So NAT44 or other kind of CPE with firewalling wasn't part of the solution.

Then why does it need to be for IPv6?

I would have much less issue with the ISP blocking known Windows
LAN-only service ports like the ones you're mentioning, plus L2
isolation of individual subscribers, than a "drop all inbound"
firewalling solution enabled by default.

-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com



More information about the ipv6-ops mailing list