nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IPv6 Ingress traffic by default

From: Mark Andrews <marka () isc org>
Date: Tue, 21 Jun 2016 10:04:07 +1000

In message <F7BADD47-3CC9-478C-96DA-A07FCB8CBDBF () delong com>, Owen DeLong writes:


And that is the fault of the Raspberry PI.  There is zero reason for
the Raspberry PI to be open to the world before it has been configured.
It could have a initial configuration that is just

    permit <local-prefixes>/64 any port 22
    deny any any port 22


It’s very hard to configure a Raspberry PI using Cisco’s filter language.

I don’t know of any case where this will work.

Owen


So you are going to argue about firewall configuration language
rather than the concept which was viable in host firewalls I've
used for over a decade.

You can do the same thing with all firewalls even if it requires a
piece of software to listen to interfaces being configured are
rewriting the firewalls as they are being brought up.

I develope software that does just this at the application level.
It is not rocket science.  Just listen to the routing interface and
adjust the acls as interfaces come and go.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
Previous By Date Next
Previous By Thread Next

Current thread: