nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Eugeniu Patrascu <eugen () imacandi net>
Date: Sat, 19 Apr 2014 01:26:27 +0300
On Fri, Apr 18, 2014 at 10:49 PM, Jim Clausing <jim.clausing () acm org> wrote:
And maybe I'm just dense, but no one has been able to tell me how I accomplish this in IPv6 without NAT. I have the requirement in certain circumstances to transparently redirect all outbound DNS (well, on TCP or UDP port 53) and/or SMTP (TCP ports 25 and 587) to my own servers. No, simply blocking it at the firewall and making the user "fix" the problem is not an option (especially when the problem is created by malware). It is a simple rule in IPTABLES for IPv4, but how do I accomplish it in IPv6? Not flaming or anything, but I really want to know how I'm supposed to accomplish that in the ideal IPv6 world with no NAT?
Nothing stops you from using NAT :) This discussion got a bit off track. I'm not saying NAT should be banned completely, I'm saying that with IPv6 we can actually simplify things a lot and get rid of all the hacks we had to do in the network to get services up and running (e.g. using a firewall's public IP address to hide several distinct services behind it on different hosts, like web, DNS, SMTP etc). I believe in simplicity, and now IPv6 for me makes things simple: I can have all the IP addresses I want and do not need to use hacks to get things working because no one would give 2048 IPv4 addresses just to do stuff with them and run lots of servers with "public" IP addresses.
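An added illustration of the redirect asked about above (not part of either poster's message): on Linux, the ip6tables `nat` table (kernel 3.7 and later) accepts the same kind of DNAT rule as IPv4. The interface name and the 2001:db8:: documentation addresses are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit an ip6tables-restore ruleset that transparently
# redirects outbound DNS (53/udp, 53/tcp) and SMTP (25, 587/tcp) arriving
# from the LAN to local servers, the IPv6 equivalent of an IPv4 DNAT rule.
# Assumed values (constructed): LAN interface and server addresses.
LAN_IF="${LAN_IF:-eth1}"
DNS_SRV="${DNS_SRV:-2001:db8:0:1::53}"
SMTP_SRV="${SMTP_SRV:-2001:db8:0:1::25}"

# dnat_rule PROTO PORT SERVER
# "! -s" keeps the server's own outbound queries from looping back to
# itself; "! -d" leaves traffic already addressed to the server alone.
dnat_rule() {
    printf -- '-A PREROUTING -i %s -p %s ! -s %s ! -d %s --dport %s -j DNAT --to-destination [%s]:%s\n' \
        "$LAN_IF" "$1" "$3" "$3" "$2" "$3" "$2"
}

generate_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    dnat_rule udp 53  "$DNS_SRV"
    dnat_rule tcp 53  "$DNS_SRV"
    dnat_rule tcp 25  "$SMTP_SRV"
    dnat_rule tcp 587 "$SMTP_SRV"
    echo 'COMMIT'
}

# Print only; to load it (as root) without flushing existing nat rules:
#   generate_ruleset | ip6tables-restore --noflush
generate_ruleset
```

If the servers sit on the same segment as the clients, replies return directly with the server's own source address and the client drops them; place the servers behind the firewall on another interface or add a matching source-NAT rule.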