On Thu, 17 Jul 2014, Gui Iribarren wrote:
On 17/07/14 21:03, David Lang wrote:
I know that IPv6 designers pine for the good old days of the Internet
when no security was needed.
But the reality is that hackers and worms have shown that leaving
systems exposed to the Internet is just a Bad
by the way, link local addresses are not going to be used for these devices,
because they will all have some 'cloud' feature that will require they have a
way to phone home.
David Lang
On Fri, 18 Jul 2014, David Lang wrote:
Every IPv4 home router I have seen defaults to 'block all
Hi Karl,
On July 17, 2014 11:40:52 PM CEST, Karl P ka...@tweak.net.au wrote:
On 07/17/2014 08:26 PM, Sebastian Moeller wrote:
I argue that people unable to change the router settings are
better off with all unsolicited inbound traffic disabled.
I've tried to avoid weighing in on this,
On Thursday, 17 July 2014 at 17:03 -0700, David Lang wrote:
But the reality is that hackers and worms have shown that leaving systems
exposed to the Internet is just a Bad Idea.
Do you mean, all the hackers and worms we see today despite all these
systems being behind blocking firewalls and
Hi Gui, hi list,
Sent: Friday, 18 July 2014 at 05:56
From: Gui Iribarren g...@altermundi.net
To: openwrt-devel@lists.openwrt.org
Subject: Re: [OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was:
Barrier Breaker 14.07-rc1)
On 17/07/14 21:59, Fernando Frediani wrote:
Perfect
On Fri, 18 Jul 2014, Benjamin Cama wrote:
On Thursday, 17 July 2014 at 17:03 -0700, David Lang wrote:
But the reality is that hackers and worms have shown that leaving systems
exposed to the Internet is just a Bad Idea.
Do you mean, all the hackers and worms we see today despite all these
On Wednesday, 16 July 2014 at 15:58 -0400, Aaron Z wrote:
IMO, it comes down to trust:
Do you trust that the people who made your NAS, Blu-ray player, etc
will release patches when exploits are found 3 years down the road? I
don't.
Do you trust that the people who made the firmware for
On Wednesday, 16 July 2014 at 21:12 +0200, Sebastian Moeller wrote:
What is so wonderful about IPv6? Malware surely will evolve quickly
to take advantage of a dropped layer of defense…
“Layer of defense”? To most, it will just translate to a brick wall that
will have to be worked
On Wednesday, 16 July 2014 at 21:12 +0200, Sebastian Moeller wrote:
What is so wonderful about IPv6? Malware surely will evolve quickly
to take advantage of a dropped layer of defense…
“Layer of defense”? To most, it will just translate to a brick wall that
will have to be worked
Hello Benjamin,
On July 17, 2014 7:45:10 PM CEST, Benjamin Cama ben...@dolka.fr wrote:
On Wednesday, 16 July 2014 at 21:12 +0200, Sebastian Moeller wrote:
What is so wonderful about IPv6? Malware surely will evolve quickly
to take advantage of a dropped layer of defense…
“Layer of
On 07/17/2014 08:26 PM, Sebastian Moeller wrote:
I argue that people unable to change the router settings are better off
with all unsolicited inbound traffic disabled.
I've tried to avoid weighing in on this, but I'd argue that you're wrong :)
Making sure that people can _never_
I know that IPv6 designers pine for the good old days of the Internet when no
security was needed.
But the reality is that hackers and worms have shown that leaving systems
exposed to the Internet is just a Bad Idea.
As such, the idea that IPv6 would restore the everyone can connect to
Perfect and well said.
Really don't see why people still think leaving firewalls opened is a
good idea.
At the end it will bring more problems than solutions for those using
OpenWRT and play against its good reputation.
As mentioned before adjusting firewall for specific needs or using UPnP
On 17/07/14 21:03, David Lang wrote:
I know that IPv6 designers pine for the good old days of the Internet
when no security was needed.
But the reality is that hackers and worms have shown that leaving
systems exposed to the Internet is just a Bad Idea.
As such, the idea that IPv6 would
On 17/07/14 21:59, Fernando Frediani wrote:
Perfect and well said.
Really don't see why people still think leaving firewalls opened is a
good idea.
leaving *hosts* firewalls opened is a really bad idea. Agreed.
But openwrt doesn't run on hosts, it runs on network equipment
I.e. the building
Hi,
A typical home connection is not an ISP.
Also OpenWRT for the majority of the cases isn't just 'a router', but
also as a firewall and to protect user's network either on IPv4 or IPv6,
not just a dummy bridge device.
I guess I see the good intentions of those defending it should be
On Tuesday, 15 July 2014 at 17:43 -0400, Justin Vallon wrote:
I don't think turning off the firewall is a sane default.
I don't advise to turn it off for everything. I am trying to find a good
compromise.
Your
arguments based on global addressability are false because IPv4 can be
globally
On Tue, Jul 15, 2014 at 11:45:27AM -0400, Aaron Z wrote:
As I understand it, if a device on the inside of the network initiates
the connection to a device on the outside (say from a VOIP phone to a
VOIP server), return connections from the server are allowed.
Yes, this is exactly the role of a
+1 to all of Benjamin's arguments,
default openwrt ipv4 firewall basically does:
* deny all unsolicited traffic coming from WAN to the router (i.e. its
own host)
* masquerade the LAN hosts behind a single, scarce, ipv4 address, on
outgoing traffic.
* allow *any possible traffic* that involves LAN
adding more wood to Baptiste's fire... :)
On 16/07/14 06:15, Baptiste Jonglez wrote:
2/ Allow inbound traffic in the home gateway's firewall. In an
ideal world, this is the best solution, since it leaves all the
intelligence to end nodes (in accordance with the end-to-end
principle). In
Hi,
On Wed, Jul 16, 2014 at 08:41:50AM -0300, Gui Iribarren wrote:
then, what happens when those devices are deployed in a myriad of
real-world scenarios? hackers rejoice!
This actually is a somewhat moot argument. Devices travel today, and
while your home network and office network might be
On Wednesday, 16 July 2014 at 10:53 +0200, Benjamin Cama wrote:
Well, if you didn't want them to be accessible, you have many
possibilities: bind it on some non-global address (LL, ULA), restrict it
locally (/etc/hosts.deny when appropriate, custom configuration that
limits access to some
On 14-07-16 08:09 AM, Gert Doering wrote:
Hi,
This actually is a somewhat moot argument. Devices travel today, and
while your home network and office network might be behind a firewall,
the hotspot you're using while waiting for your train might not be.
So with today's devices, every device
On 16/07/14 12:09, Gert Doering wrote:
Hi,
On Wed, Jul 16, 2014 at 08:41:50AM -0300, Gui Iribarren wrote:
then, what happens when those devices are deployed in a myriad of
real-world scenarios? hackers rejoice!
This actually is a somewhat moot argument. Devices travel today, and
while
Hi Gui,
On Jul 16, 2014, at 20:10 , Gui Iribarren g...@altermundi.net wrote:
On 16/07/14 12:09, Gert Doering wrote:
Hi,
On Wed, Jul 16, 2014 at 08:41:50AM -0300, Gui Iribarren wrote:
then, what happens when those devices are deployed in a myriad of
real-world scenarios? hackers rejoice!
- Original Message -
On Wednesday, July 16, 2014 2:10:53 PM Gui Iribarren g...@altermundi.net
wrote:
Benjamin is giving some great examples of real-world scenarios where
a
default-open firewall simplifies administration,
and where a default-closed firewall would be not only
Sorry for the earlier email, apparently I accidentally hit send rather than
save...
- Original Message -
On Wednesday, July 16, 2014 2:10:53 PM Gui Iribarren g...@altermundi.net
wrote:
Benjamin is giving some great examples of real-world scenarios where
a
default-open firewall
- Original Message -
On Wednesday, July 16, 2014 2:10:53 PM Gui Iribarren g...@altermundi.net
wrote:
Benjamin is giving some great examples of real-world scenarios where
a
default-open firewall simplifies administration,
and where a default-closed firewall would be not only
- Original Message -
On Monday, July 14, 2014 5:36:09 PM Benjamin Cama ben...@dolka.fr wrote:
Hi everyone,
On Monday, 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
Hi Baptiste,
in general our current
Fully agree with Aaron's comments below.
Regards,
Fernando
On 15/07/2014 16:45, Aaron Z wrote:
- Original Message -
On Monday, July 14, 2014 5:36:09 PM Benjamin Cama ben...@dolka.fr wrote:
Hi everyone,
On Monday, 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
On Mon, Jul
On Tuesday, 15 July 2014 at 11:45 -0400, Aaron Z wrote:
- Original Message -
On Monday, July 14, 2014 5:36:09 PM Benjamin Cama ben...@dolka.fr wrote:
Hi everyone,
On Monday, 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
I'd rather have Don't bother the user: things
I don't think turning off the firewall is a sane default. Your
arguments based on global addressability are false because IPv4 can be
globally addressable, if you want. You can get static ip addresses (or
a subnet), turn off NAT, and turn off the firewall - every internal
network device will be
On Mon, Jul 14, 2014 at 11:12:01AM +0200, John Crispin wrote:
The OpenWrt developers are proud to announce the first release
candidate of OpenWrt Barrier Breaker.
Excellent news, thanks!
* Native IPv6-support
- RA DHCPv6+PD client and server
- Local prefix allocation
Hi Baptiste,
in general our current firewalling approach is to keep defaults for IPv4
and IPv6 relatively close (not considering NAT here of course). Opening
up the IPv6 firewall by default would be unexpected and I don't really
like the approach for that matter and honestly I don't trust
Hi Steven,
On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
Hi Baptiste,
in general our current firewalling approach is to keep defaults for IPv4 and
IPv6 relatively close (not considering NAT here of course).
Could you detail the reasoning behind this approach? Don't confuse
Hi everyone,
On Monday, 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
Hi Baptiste,
in general our current firewalling approach is to keep defaults for IPv4 and
IPv6 relatively close (not considering NAT here of
36 matches