Fully agree with Aaron's comments below.
Regards,
Fernando
On 15/07/2014 16:45, Aaron Z wrote:
----- Original Message -----
On Monday, July 14, 2014 5:36:09 PM "Benjamin Cama" <[email protected]> wrote:
Hi everyone,
On Monday 14 July 2014 at 22:17 +0900, Baptiste Jonglez wrote:
On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
Hi Baptiste,
in general our current firewalling approach is to keep defaults for IPv4 and IPv6 relatively close (not considering NAT here of course).
Could you detail the reasoning behind this approach? "Don't confuse the user"?
I'd rather have "Don't bother the user": things should generally just work, without having to configure anything (in this case, port forwarding). But there is an obvious tradeoff with security.
I agree with Baptiste here. There is no equivalent in IPv4 of “global reachability” by default with the NATs we have today, so we can't have the same defaults. Global reachability is how IP in general was meant to be; please, do not make it broken again.
As I understand it, this is NOT adding NAT, but (by default) blocking unsolicited incoming connections from the outside world to devices on the internal network (which don't necessarily need to be accessible from the outside world). That is the whole point of using a firewall, is it not? To keep people out of where they shouldn't be.
Opening up the IPv6 firewall by default would be unexpected and I don't really like the approach for that matter and honestly I don't trust client devices that much.
At least opening UDP ports > 1024 seems pretty reasonable, and covers most use-cases regarding VoIP and video. But it does indeed depart from the IPv4 case (not sure if it is such a bad idea though).
This looks like a good compromise to me. Knowledgeable users can disable the firewall for needed hosts, while for others this “just works”. PCP may be coming one day, but it's still not there yet, so we need not break the default configuration while waiting for it.
Opening access from the outside to the inside as a default rule goes against the
"principle of least privilege" on which firewall rules are generally predicated.
As I understand it, if a device on the inside of the network initiates the
connection to a device on the outside (say from a VOIP phone to a VOIP server),
return connections from the server are allowed. What gets blocked are
unsolicited connections from the outside which are generally unneeded (and can
be a security risk) unless one is running a server (in which case, the users
should know how to open ports on their firewall).
Aaron Z
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
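As an added illustration of the default-deny policy Aaron describes and the "UDP > 1024" compromise Benjamin endorses (this fragment is mine, not from the thread and not OpenWrt's shipped defaults), here is an /etc/config/firewall in fw3's UCI syntax; the zone and network names are assumptions:

```uci
# Added example, not from the thread: an OpenWrt /etc/config/firewall fragment
# in fw3 UCI syntax showing the default-deny WAN zone Aaron describes, with the
# proposed "IPv6 UDP > 1024" exception present but disabled. Zone and network
# names are assumptions. fw3 admits RELATED/ESTABLISHED return traffic itself,
# which is what lets the VoIP phone's replies back in without any extra rule.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Unsolicited packets from the WAN, whether to the router (input) or to LAN
# hosts (forward), are refused for IPv4 and IPv6 alike. masq is IPv4-only;
# IPv6 hosts keep their global addresses and rely on this policy, not on NAT.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN hosts may initiate connections outward; replies are matched by conntrack
# state and allowed back in, so nothing is forwarded inward unsolicited.
config forwarding
	option src 'lan'
	option dest 'wan'

# The compromise debated above: admit unsolicited IPv6 UDP on unprivileged
# ports to LAN hosts. Kept disabled so default-deny survives; a user running a
# VoIP or video endpoint sets enabled to 1 and should narrow dest_ip to it.
config rule
	option name 'Allow-IPv6-UDP-Unprivileged'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option dest_port '1024-65535'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'
```

With the rule left disabled, the only inbound IPv6 traffic that reaches LAN hosts is what conntrack recognises as a reply to a flow they started, which is exactly the behaviour Aaron describes for the VoIP phone case.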