nanog mailing list archives

Re: Google wants to be your Internet


From: Bernhard Schmidt <berni () birkenwald de>
Date: Tue, 30 Jan 2007 02:20:35 +0100


Henning Brauer <hb-nanog () bsws de> wrote:

> IPv6 makes NAT obsolete because IPv6 firewalls can provide all
> the useful features of IPv4 NAT without any of the downsides.
> ...
>
> IPv6 firewalls?  Where?  Good ones?
> OpenBSD's pf has support for v6 for years now.

Which works pretty well if you forget one tiny thing (from pf.conf(5))

| FRAGMENT HANDLING
| [...]
|     Currently, only IPv4 fragments are supported and IPv6 fragments are
|     blocked unconditionally.

which can bite you in the ass pretty hard if you don't expect it.
Fragments are valid packets and crucial for many applications, so
unconditional blocking (even with a "pass inet6 from any to any"
policy) is bad.

Other working solutions are

- Linux + nf_conntrack (maybe in a few kernel versions, there was an
  OOPS in 2.6.20-rc5 with (tadaaa) fragment handling, fixed though)
- Cisco ASA and FWSM
- IIRC Juniper (Netscreen) firewalls

and I guess some more.

Regards,
Bernhard
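As an added illustration of the fragment caveat (not part of Bernhard's mail and not pf code), the Python below walks an IPv6 extension-header chain the way a filter must before any rule can apply, then models the quoted pf.conf(5) behaviour: a "pass inet6 from any to any" policy never gets to see a packet that carries a Fragment Header. The addresses and packets are constructed for the example.

```python
import struct

# IPv6 next-header values (RFC 2460 / IANA protocol numbers)
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
CHAINABLE = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}  # share the "next hdr, hdr ext len" layout
SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed: 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")  # constructed: 2001:db8::2


def build_ipv6(payload, upper_nh, frag=None):
    """Constructed test packet; frag = (offset_in_bytes, more_flag, identification)."""
    if frag is None:
        ext, first_nh = b"", upper_nh
    else:
        off, more, ident = frag  # offset is carried in 8-octet units, M flag is bit 0
        ext = struct.pack("!BBHI", upper_nh, 0, ((off // 8) << 3) | int(more), ident)
        first_nh = NH_FRAGMENT
    hdr = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_nh, 64) + SRC + DST
    return hdr + ext + payload


def classify_ipv6(pkt):
    """Walk the extension-header chain; report fragment status and upper-layer protocol."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in CHAINABLE:  # skip hop-by-hop, routing and destination options headers
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh != NH_FRAGMENT:
        return {"fragment": False, "upper_layer": nh}
    if off + 8 > len(pkt):
        raise ValueError("truncated fragment header")
    inner_nh, _res, frag_field, ident = struct.unpack_from("!BBHI", pkt, off)
    offset = (frag_field >> 3) * 8
    # Only the first fragment carries the upper-layer header a port-based rule could match on.
    return {"fragment": True, "fragment_offset": offset, "more_fragments": bool(frag_field & 1),
            "identification": ident, "upper_layer": inner_nh if offset == 0 else None}


def verdict(pkt):
    """Models the quoted pf.conf(5) behaviour: 'pass inet6 from any to any',
    but any packet carrying a Fragment Header is blocked before the rule applies."""
    return "block" if classify_ipv6(pkt)["fragment"] else "pass"


# Constructed traffic: a small UDP datagram, and a 1800-byte UDP payload (e.g. a large DNS answer) split at a 1280-byte MTU.
UNFRAGMENTED = build_ipv6(b"\x00" * 100, NH_UDP)
FRAG_FIRST = build_ipv6(b"\x00" * 1232, NH_UDP, (0, True, 0xCAFE))
FRAG_LAST = build_ipv6(b"\x00" * 568, NH_UDP, (1232, False, 0xCAFE))

if __name__ == "__main__":
    print({n: verdict(p) for n, p in [("plain", UNFRAGMENTED), ("frag1", FRAG_FIRST), ("frag2", FRAG_LAST)]})
```

Running it shows both halves of the legitimate 1800-byte datagram blocked while the small one passes, which is exactly the breakage described above for applications that depend on fragments.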

