On 16.7.2014 22:41, Gui Iribarren wrote:
>> > I expect that, over time, users will become accustomed to the
>> > "end-to-end" nature of the v6 Internet and may demand that the firewall
>> > be "open" by default, and I would certainly propose that we have a
>> > simple checkbox in LUCI that allows the firewall to be changed from "all
>> > closed except explicitly open ports" to "all open" in one action. At
>> > some point we would probably change the default behavior from "all
>> > closed" to "all open."
> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>
>
>> > However, for the moment, I would argue that the "rightness" of following
>> > expected behavior is greater than the "rightness" of delivering the true
>> > "end-to-end" nature of v6.
> At least Swisscom (according to Baptiste) and TP-Link seem to have
> solved the dilemma by defining "expected behaviour" = the true
> end-to-end nature of v6 :P hurray!
+1 for having default firewall settings somewhat more open.

IMO, opening incoming connections to TCP/UDP ports greater than 1024, as well as all other protocols that don't use port numbers, would be the best compromise between security and usability. Blocking ports lower than 1024 should be sufficient to protect legacy stuff with exploitable telnet, SSH or HTTP/S management interfaces, and it would also block unintended file sharing from home NASes using CIFS/NFS/HTTP(S). On the other hand, it would still allow an unrestricted flow of P2P traffic, as well as ad-hoc servers in the home network (for instance, I like to share a file by running an ad-hoc HTTP server and sharing a link such as http://[2001:db8:123:456::2]:8080/).

I think that a reasonable default matters, because sometimes you are not able to change the settings of the home router (like when visiting a friend or on a public hotspot). It would be sad if you had to use some sort of VPN or IPv6-over-IPv6 tunnelling just to overcome the firewall.

Cheers!
Ondřej Caletka
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
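The policy Ondřej proposes ("closed below 1024, open above, open for everything without ports") is easy to state but worth seeing as concrete rules, because the ordering is what makes it safe. The script below is an added example, not code from the thread or from OpenWrt; it builds a single ip6tables chain for traffic forwarded in from WAN and a small `verdict` function that models what that chain does with a new inbound flow, so the policy can be checked against the services named in the post. The interface name `eth0.2`, the chain name `v6_open_high` and the `--apply` switch are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenWrt itself.
# Models the "open above 1024" IPv6 forwarding policy proposed in the post:
# the only traffic dropped on its way in from WAN is TCP/UDP to ports
# 1-1024; everything else (high ports, ICMPv6, ESP, GRE, ...) is forwarded.
# Assumed names: WAN_IF, CHAIN and the ip6tables binary are placeholders.

WAN_IF="${WAN_IF:-eth0.2}"       # assumed WAN interface name
CHAIN="${CHAIN:-v6_open_high}"   # assumed name of the custom chain
IP6T="${IP6T:-ip6tables}"        # assumed ip6tables binary

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# install_policy: build the chain and hook it into FORWARD for traffic
# arriving on WAN. Order matters: replies to outbound connections first,
# then the two low-port DROPs, then the catch-all ACCEPT that lets
# high ports and every port-less protocol (ICMPv6, ESP, GRE, ...) through.
install_policy() {
    run "$IP6T" -N "$CHAIN"
    run "$IP6T" -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IP6T" -A "$CHAIN" -p tcp --dport 1:1024 -j DROP
    run "$IP6T" -A "$CHAIN" -p udp --dport 1:1024 -j DROP
    run "$IP6T" -A "$CHAIN" -j ACCEPT
    run "$IP6T" -I FORWARD -i "$WAN_IF" -j "$CHAIN"
}

# verdict PROTO [PORT]: what the chain above does with a NEW inbound
# flow, so the policy can be checked against concrete services without
# loading it (PORT is ignored for protocols that have none).
verdict() {
    proto=$1
    port=${2:-0}
    case "$proto" in
        tcp|udp)
            if [ "$port" -ge 1 ] && [ "$port" -le 1024 ]; then
                echo DROP
            else
                echo ACCEPT
            fi
            ;;
        *)
            echo ACCEPT
            ;;
    esac
}

# Stand-alone use: print the rules unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
    install_policy
else
    DRY_RUN=1 install_policy
fi
```

Two points a practitioner would check before adopting this as a default. First, the chain only touches FORWARD, so the router's own INPUT chain stays closed and its management interfaces are not exposed by this change. Second, "below 1024" is a coarser line than the post's CIFS/NFS example suggests: CIFS on 445 and the NFS portmapper on 111 are blocked, but the NFS service port 2049 is above the cut-off and would be reachable, as would the ad-hoc server on 8080 the post wants to allow. On an OpenWrt box the persistent form of this would be rules in `/etc/config/firewall` restricted with `option family 'ipv6'` rather than a script like this one.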
