The problem with most home router firewalls today is that they have a strict "us" vs "them" concept in them, and are closely tied to what can be NATed, or not, which limits our internet to tcp and udp.
Recently the concept of 'guest' has been added to many devices, which doesn't work particularly well. A problem with "us vs them", and extending this sort of thinking to ipv6, is that interesting new protocols such as sctp, hip, rdp, dccp, rsvp, esp, gre, ah, skip, ospf, vrrp, isis, manet, shim6, wesp, and rohc... are all blocked by default in ipv6, too. It doesn't need to be this way.

I have hated living in a world of purely tcp on port 80 and 443. Seeing udp begin to fail in multiple respects - such as dns, dhcp, voice, etc. - really bothers me.

So cerowall attempted (I've never finished it) to use pattern matching in iptables, and device renaming, to make it possible to have a nearly default free zone (DFZ) for guests, and use a bare minimum of rules to pass through... and the core idea was also to be able to pass ALL protocols everywhere, under ipv6.

The current openwrt firewall solution scales O(n) where n = the number of interfaces; the cerowall idea scales O(n) where n = the number of different zones. Firewalling is responsible for a minimum of 11% of the current runtime, with the current firewall rules, with 6 interfaces in play. CeroWall did a lot better, while opening up new vistas to play in.

--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net

_______________________________________________
Bloat mailing list
https://lists.bufferbloat.net/listinfo/bloat
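As an added illustration, not part of Dave's post and not the cerowall code itself, the script below sketches the zone-by-naming design the message describes. It assumes a naming convention of `<zone>_<dev>` for every interface (e.g. `guest_wlan1`, `lan_eth0`; the convention and the zone-pair policy are constructed for this example) and relies on the real iptables/ip6tables trailing-`+` interface wildcard, so one rule covers every interface in a zone. It only prints a ruleset in iptables-restore syntax rather than loading it, so it can be read and checked without root; the point it makes is that the FORWARD rule count follows the number of zone pairs, not the number of interfaces, and that with no `-p` match every IP protocol passes wherever a zone pair is permitted.

```shell
#!/bin/sh
# Added example, not Dave Täht's cerowall code. Interfaces are assumed to be
# renamed "<zone>_<dev>" (must stay under the 16-char IFNAMSIZ limit) so that
# ip6tables' trailing-'+' wildcard selects a whole zone at once.

# Constructed zone-pair policy: "src dst"; dst 'any' = unrestricted egress.
# lan may forward anywhere, guest may reach only wan (never lan).
ZONE_POLICY="lan any
guest wan"

# iface_in_zone PATTERN IFACE: emulate the kernel's '+' suffix wildcard so the
# naming convention can be checked in userspace without loading a ruleset.
iface_in_zone() {
    pat=$1; iface=$2
    case "$pat" in
        *+) prefix=${pat%+}
            case "$iface" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$pat" = "$iface" ] ;;
    esac
}

# emit_rules: print an ip6tables FORWARD ruleset (iptables-restore syntax).
# Default policy DROP, reply traffic always allowed, then one ACCEPT per zone
# pair. No -p match, so sctp, dccp, gre, esp, ... pass along with tcp/udp.
emit_rules() {
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$ZONE_POLICY" | while read -r src dst; do
        [ -n "$src" ] || continue
        if [ "$dst" = "any" ]; then
            echo "-A FORWARD -i ${src}_+ -j ACCEPT"
        else
            echo "-A FORWARD -i ${src}_+ -o ${dst}_+ -j ACCEPT"
        fi
    done
}

# rule_count: number of -A rules emitted; independent of interface count.
rule_count() { emit_rules | grep -c '^-A'; }

# zones_for IFACE...: count distinct zones among renamed interfaces.
zones_for() {
    for i in "$@"; do echo "${i%%_*}"; done | sort -u | wc -l | tr -d ' '
}

# Stand-alone demo: six interfaces, three zones, still only three rules.
if [ "${1:-}" = "demo" ]; then
    IFACES="lan_eth0 lan_wlan0 lan_wlan1 guest_wlan2 guest_wlan3 wan_eth1"
    emit_rules
    echo "# interfaces: 6  zones: $(zones_for $IFACES)  FORWARD rules: $(rule_count)"
fi
```

Run with `sh zones.sh demo` to see the ruleset; adding a seventh or eighth `guest_*` radio changes nothing in the output, which is the O(zones) property the post contrasts with the per-interface openwrt rules.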
