IPv6 Firewall on CPEs - Default on or off

Benedikt Stockebrand me at benedikt-stockebrand.de
Tue Nov 27 17:53:29 CET 2012


Hi Tore and list,

Tore Anderson <tore.anderson at redpill-linpro.com> writes:

> So NAT44 or other kind of CPE with firewalling wasn't part of the solution.

I'd rather make strict distinctions between NAT, generic "inbound
only" or "diode style" packet filter configurations, custom "allow
this port between these addresses" packet filter configurations, and
full-blown firewalls (packet filters plus application-level gateways).

> I would have much less issue with the ISP blocking known Windows
> LAN-only service ports like the ones you're mentioning, plus L2
> isolation of individual subscribers, than a "drop all inbound"
> firewalling solution enabled by default.

I agree with layer 2 separation, but blocking port numbers sounds like
a kludgy workaround leading to sporadic problems that are difficult to
troubleshoot plus the occasional frustrated customer who actually
needs to access that port.

And doing so as an enforced configuration, rather than a configurable
setting with a consumer option to change it, sounds really bad to me.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/



More information about the ipv6-ops mailing list