[127986] in North American Network Operators' Group
Re: Looking for comments
daemon@ATHENA.MIT.EDU (Franck Martin)
Thu Jul 22 00:59:19 2010
X-Barracuda-Envelope-From: franck@genius.com
Date: Thu, 22 Jul 2010 16:58:41 +1200 (FJT)
From: Franck Martin <franck@genius.com>
To: Karl Auer <kauer@biplane.com.au>
In-Reply-To: <1279772699.5467.141.camel@karl>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
----- Original Message -----
> From: "Karl Auer" <kauer@biplane.com.au>
> To: nanog@nanog.org
> Sent: Thursday, 22 July, 2010 4:24:59 PM
> Subject: Re: Looking for comments
> On Wed, 2010-07-21 at 20:37 -0700, Owen DeLong wrote:
> > > I can throw a COTS d-link box with address-overloaded NAT on a
> > > connection and have reasonably effective network security and
> > > anonymity in IPv4. Achieving comparable results in the IPv6 portion
> > > of the dual stack on each of those hosts is complicated at best.
> > >
> > Actually, it isn't particularly hard at all... Turn on privacy
> > addressing on each of the hosts (if it isn't on by default) and then
> > put a linux firewall in front of them with a relatively simple
> > ip6tables configuration for outbound only.
>
> All respect to someone that knows his stuff, and I do realise that the
> OP mentioned small-scale hardware, but in the wider world (and even the
> world of home users as seen from the carrier side) any solution that
> says "do <whatever> on every host" is just not workable. As for the
> Linux packet filter, that's an exercise for the advanced home user.
On Mac Airport Extreme it is "disallow outside to access internal machines", tick and it is done!
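The "relatively simple ip6tables configuration for outbound only" that Owen mentions, written out as an added example (not code from anyone in the thread): a Linux box between the LAN and the upstream link allows new flows only from the LAN side, lets replies back by connection state, and keeps the ICMPv6 messages that IPv6 cannot live without. The interface names eth1 (LAN) and eth0 (upstream) are assumptions, and the ruleset is emitted in ip6tables-restore format rather than applied so it can be reviewed first.

```shell
#!/bin/sh
# Added example: outbound-only IPv6 filter for a Linux box in front of a
# LAN, in ip6tables-restore format. Interface names are assumptions.
# Load with:  gen_ruleset eth1 eth0 | ip6tables-restore

# Refuse interface names that could smuggle extra rule text into the file.
valid_ifname() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

gen_ruleset() {
  lan="$1"   # interface facing the hosts
  wan="$2"   # interface facing the carrier
  valid_ifname "$lan" || return 1
  valid_ifname "$wan" || return 1
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself: loopback, reply traffic, and neighbour discovery,
# which is link-local and is what IPv6 uses instead of ARP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -i $wan -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
# Hosts behind the box: new flows only from LAN to WAN; replies by state.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# ICMPv6 errors must get through or path-MTU discovery breaks (routers do
# not fragment in IPv6); this is the minimum set to let back in.
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
# Anything else arriving from the WAN is logged (rate-limited) and then
# dropped by the chain policy, so unsolicited inbound attempts are visible.
-A FORWARD -i $wan -m limit --limit 5/min -j LOG --log-prefix "ip6-fwd-drop: "
COMMIT
EOF
}

# Print the ruleset when run directly as:  sh script.sh --print eth1 eth0
if [ "${1:-}" = "--print" ]; then gen_ruleset "${2:-eth1}" "${3:-eth0}"; fi
```

Privacy addressing on the hosts still matters: this filter hides nothing about which global addresses are in use, it only stops unsolicited inbound connections to them.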