I've used a tunnel broker for IPv6 for quite some time; the biggest 
advantage is a static IP address.

For bandwidth & latency reasons, I've been considering switching to 
using my ISP's 6to4 - which means a dynamic IPv6 subnet.

The thing is: I want to have some hosts inside the firewall with open 
SSH ports, but not every host. While the stateless autoconfig 'suffix' 
(I don't know the proper term) is going to be the same, as it's based 
on the Ethernet MAC address, the IPv6 prefix is obviously going to 
change (as it's based on the IPv4 address with 6to4).

Is there any sort of mechanism so I can say "This host (on the inside 
of the firewall) has a MAC address of <foo>. The IPv6 prefix is going 
to change. The IP address will only be found on (the firewall's) eth2. 
I want a stateful firewall to block incoming connections for everything 
but SSH for that host."

Is this sort of a pipe dream?

It seems to me that with a dynamically assigned IPv6 subnet, firewalls 
become impossible to really manage, as the IPv6 prefix keeps changing, 
which in turn changes the 'destination' IP of every computer that is on 
the subnet...

Is there something that is supposed to handle this? If so, what's it 
called so I can RTFM?

I realize a workaround would be to use multiple IPv6 tunnels (similar 
to the multi-ISP shorewall example) - where I use the tunnel broker's 
static subnet for incoming connections. I'm wondering if it's also the 
only solution.
-- 
Troy Telford
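The situation described in the post (stable SLAAC interface identifier, changing 6to4 prefix) can be handled at the packet-filter level by matching only the low 64 bits of the destination address. The following is an added example, not code from the poster or from the Shorewall project: it derives the modified EUI-64 identifier from a MAC address, checks whether an arbitrary IPv6 address carries that identifier, and renders the corresponding raw ip6tables rule. The MAC address, the interface name eth2, the 6to4 prefixes (built from documentation-range IPv4 addresses) and the FORWARD-chain placement are all constructed assumptions; the rule is written as an ip6tables command rather than as a Shorewall rules-file entry.

```python
import ipaddress

SUFFIX_MASK = (1 << 64) - 1  # the low 64 bits: the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC.

    The 6 MAC octets are split in half, ff:fe is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is flipped. This is the value
    SLAAC puts in the low 64 bits of the host's address, whatever the prefix is.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def suffix_as_address(mac: str) -> str:
    """The interface identifier written as an IPv6 address with an all-zero prefix."""
    return str(ipaddress.IPv6Address(eui64_interface_id(mac)))


def suffix_matches(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr equal the EUI-64 identifier derived from mac."""
    return int(ipaddress.IPv6Address(addr)) & SUFFIX_MASK == eui64_interface_id(mac)


def ssh_allow_rule(mac: str, lan_if: str = "eth2", ssh_port: int = 22) -> str:
    """Raw ip6tables rule (assumed interface and port) matching only the
    interface-identifier half of the destination address.

    ip6tables accepts the mask in address form, so ::ffff:ffff:ffff:ffff keeps
    the low 64 bits and ignores the prefix; a /64 prefix length would do the
    opposite.
    """
    mask = ipaddress.IPv6Address(SUFFIX_MASK)
    return (
        f"ip6tables -A FORWARD -o {lan_if} -d {suffix_as_address(mac)}/{mask} "
        f"-p tcp --dport {ssh_port} -m conntrack --ctstate NEW -j ACCEPT"
    )


def new_connection_allowed(dst: str, dport: int, mac: str, ssh_port: int = 22) -> bool:
    """Decision the rule above makes for a NEW inbound TCP flow, assuming the
    chain policy for everything else is DROP (the stateful setup asked about).
    """
    return dport == ssh_port and suffix_matches(dst, mac)


if __name__ == "__main__":
    # Constructed sample: hypothetical MAC, 6to4 prefixes from documentation IPv4 ranges.
    mac = "00:11:22:33:44:55"
    print(ssh_allow_rule(mac))
    # The same host before and after the ISP-assigned IPv4 (and so the 6to4 prefix) changed:
    for dst, port in [
        ("2002:c000:204:1:211:22ff:fe33:4455", 22),   # host, old prefix -> ACCEPT
        ("2002:c633:6401:1:211:22ff:fe33:4455", 22),  # host, new prefix -> ACCEPT
        ("2002:c633:6401:1:211:22ff:fe33:4455", 80),  # host, not SSH   -> DROP
        ("2002:c633:6401:1:a00:27ff:fe11:2233", 22),  # other host      -> DROP
    ]:
        print(dst, port, "ACCEPT" if new_connection_allowed(dst, port, mac) else "DROP")
```

The check only holds while the inside host really uses the MAC-derived identifier: with IPv6 privacy extensions or per-prefix randomised stable identifiers the suffix is no longer tied to the MAC, so verify the host's addresses (for example with `ip -6 addr`) before relying on a suffix match, and keep the prefix-independent rule as narrow as the one above (single port, NEW state only) so that a prefix change never widens what is reachable.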
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users