[190501] in North American Network Operators' Group
Re: NAT firewall for IPv6?
daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Tue Jul 5 15:22:20 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <CAD8GWstEJCJOkePCT7O1NDP5BcwJ44VA=Pifqveuafk2_9yMGg@mail.gmail.com>
From: Baldur Norddahl <baldur.norddahl@gmail.com>
Date: Tue, 5 Jul 2016 21:22:15 +0200
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 5 July 2016 at 17:40, Lee <ler762@gmail.com> wrote:
>
> Right. But how long is it going to take to secure the Palo Alto firewall?
> If the central Cisco Catalyst really is an IPv6 router, doing a
> conf t
> ipv6 access-list denyIPv6
> deny ipv6 any any
>
> interface [whatever connects to the ISP]
> ipv6 traffic-filter denyIPv6 in
> ipv6 traffic-filter denyIPv6 out
> end
> would be a quick fix for the firewall not doing any ipv6 filtering.
>
Nope, that is not going to stop his IPv6 address from appearing, which I
will bet you good money is in the range of fe80::/64.
