[190269] in North American Network Operators' Group


Re: IPv6 Ingress traffic by default

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Jun 20 20:04:15 2016

X-Original-To: nanog@nanog.org
To: Owen DeLong <owen@delong.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 20 Jun 2016 16:33:46 -0700."
 <F7BADD47-3CC9-478C-96DA-A07FCB8CBDBF@delong.com>
Date: Tue, 21 Jun 2016 10:04:07 +1000
Cc: NANOG list <nanog@nanog.org>, Mark Milhollan <mlm@pixelgate.net>
Errors-To: nanog-bounces@nanog.org


In message <F7BADD47-3CC9-478C-96DA-A07FCB8CBDBF@delong.com>, Owen DeLong writes:
> >
> > And that is the fault of the Raspberry PI.  There is zero reason for
> > the Raspberry PI to be open to the world before it has been configured.
> > It could have an initial configuration that is just
> >
> > 	permit <local-prefixes>/64 any port 22
> > 	deny any any port 22
>
> It’s very hard to configure a Raspberry PI using Cisco’s filter language.
>
> I don’t know of any case where this will work.
>
> Owen

So you are going to argue about firewall configuration language
rather than the concept which was viable in host firewalls I've
used for over a decade.

You can do the same thing with all firewalls even if it requires a
piece of software to listen to interfaces being configured and
rewrite the firewalls as they are being brought up.

I develop software that does just this at the application level.
It is not rocket science.  Just listen to the routing interface and
adjust the acls as interfaces come and go.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
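An added illustration of the idea in the message above, not code from this thread or from ISC: a small Python model of the "permit local /64s on port 22, deny the rest" host ACL, re-rendered as an nftables chain whenever an interface comes or goes. The `ip -6 addr` sample, the table name `hostfw`, and the `interface_up`/`interface_down` calls (standing in for the netlink address/link events a real daemon would subscribe to) are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not captured from a real host).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2::10/64 scope global
    inet6 fe80::1/64 scope link
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:3::20/64 scope global
"""

def parse_global_prefixes(ip_addr_output):
    """Map each interface to the on-link prefixes of its global IPv6 addresses."""
    result, ifname = {}, None
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+):", line)
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"\s*inet6\s+(\S+)\s+scope global", line)
        if m and ifname:
            net = ipaddress.IPv6Interface(m.group(1)).network
            result.setdefault(ifname, set()).add(net)
    return result

class SshAcl:
    """'permit <local-prefixes>/64 port 22; deny any port 22', kept in sync."""
    def __init__(self, prefixes_by_if):
        self.by_if = {k: set(v) for k, v in prefixes_by_if.items()}
    def interface_up(self, ifname, addr):   # stand-in for a netlink RTM_NEWADDR
        self.by_if.setdefault(ifname, set()).add(ipaddress.IPv6Interface(addr).network)
    def interface_down(self, ifname):       # stand-in for a netlink RTM_DELLINK
        self.by_if.pop(ifname, None)
    def permitted(self):
        return sorted({p for nets in self.by_if.values() for p in nets})
    def nft_rules(self):
        """Render the ACL as an nftables chain; only SSH (tcp/22) is touched."""
        rules = ["table ip6 hostfw {", "  chain input {",
                 "    type filter hook input priority 0; policy accept;"]
        rules += [f"    ip6 saddr {p} tcp dport 22 accept" for p in self.permitted()]
        rules += ["    tcp dport 22 drop", "  }", "}"]
        return "\n".join(rules)

if __name__ == "__main__":
    acl = SshAcl(parse_global_prefixes(SAMPLE_IP_ADDR))
    print(acl.nft_rules())
    acl.interface_down("wlan0")   # wlan0 goes away: its /64 leaves the permit list
    print(acl.nft_rules())
```

In practice the rendered text would be handed to `nft -f -` on each change; a single missing prefix means SSH from that segment is refused rather than exposed, which is the safe failure mode.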
