More pieces of the IPv6 puzzle (Re: ISP with native ipv6 in Israel)

E.S. Rosenberg esr+linux-il at g.jct.ac.il
Thu Jan 28 19:38:54 IST 2016


It is of course highly recommended to figure out a way to use the
firewall in the router in IPv6 mode too....
Changing your setup to local fws only makes you both more vulnerable
to attack and the total setup much harder to manage....

In a worst (or best, depending on how you look at it) case scenario I
would even say put a computer with 2 NICs between your network and the
Internet and set up iptables/nftables/your favorite firewall there...
(I wonder if a Raspberry Pi would be able to pull that off)

Regards,
Eliyahu - אליהו

2016-01-28 16:49 GMT+02:00 Omer Zak <w1 at zak.co.il>:
> On Thu, 2016-01-28 at 15:55 +0200, Beni Cherniavsky-Paskin wrote:
>
>> Brain dump & tips on starting with IPv6 [I imagine Shachar knows all
>> this but for others, including future me ;-]:
>
> A nice brain dump!
>
> To complement the brain dump, I'd like to see advice, from anyone who
> has experience with this, about securing the hosts against intruders via
> both IPv4 and IPv6 - in other words, per host firewall.
>
> The reasons for this are:
> 1. The firewall in Bezeq's router is turned off in Beni's setup.
> 2. Those of us, who are not willing to switch to Xfone yet wish to
> breathe the IPv6 pixie dust, will need to use IPv6 over IPv4 tunnelling.
> It means that the computer running the tunnel will need an IPv6 firewall
> around the local tunnel's endpoint.
>
> Another piece of advice desired is as follows.
> How to configure the home network so that:
> 1. It'll use IPv6 internally.
> 2. Communicate with the outside world via both IPv4 and IPv6 tunnel.
> 3. When your ISP finally starts to support IPv6, switching the home
> network to pure IPv6 would be a piece of cake.
>
> --- Omer
>
>
> --
> According to Jean Boutcher, I am "a baby man, whining".
> My own blog is at http://www.zak.co.il/tddpirate/
>
> My opinions, as expressed in this E-mail message, are mine alone.
> They do not represent the official policy of any organization with which
> I may be affiliated in any way.
> WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html

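Added example, not part of the original thread: a minimal dual-stack nftables ruleset for the two-NIC gateway suggested in the reply above, which also covers the IPv6 filtering asked about in the quoted message. The interface names `wan0` and `lan0`, the table name and the DHCPv6 rule are assumptions; IP forwarding and any IPv4 NAT are configured separately.

```nftables
#!/usr/sbin/nft -f
# Added example; interface names below are assumptions, adjust to your box.
flush ruleset

define WAN = "wan0"   # assumed name of the NIC facing the Internet / ISP router
define LAN = "lan0"   # assumed name of the NIC facing the home network

table inet gateway {
    # Traffic addressed to the firewall box itself (IPv4 and IPv6).
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Neighbour discovery is not connection-tracked, so accept it
        # explicitly and before the "invalid" drop. Hop limit 255 proves
        # the packet came from the local link and was never routed.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors that IPv6 needs to work (path MTU discovery
        # depends on packet-too-big), plus ping for both families.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        icmp type echo-request accept

        # Only if the WAN side gets its address or prefix via DHCPv6.
        iifname $WAN ip6 saddr fe80::/10 udp dport 546 accept

        # Management (ssh etc.) is reachable from the LAN side only.
        iifname $LAN accept
    }

    # Traffic routed through the box between LAN and WAN.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies and related ICMP/ICMPv6 errors for LAN-initiated flows.
        ct state established,related accept
        ct state invalid drop

        # New connections may only start from the LAN side; unsolicited
        # inbound IPv6 to globally addressed LAN hosts hits the drop policy.
        iifname $LAN oifname $WAN accept
    }
}
```

`nft -c -f <file>` checks the syntax without loading the rules.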