Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 17:16 UTC (Mon) by raven667 (subscriber, #5198)
In reply to: Schaller: The long journey towards good free video conferencing by lutchann
Parent article: Schaller: The long journey towards good free video conferencing

You have the right of it, stateful IPv6 firewalls have the same security protection as IPv4 NAT but are simpler to maintain and simpler to design protocols for. It's also easy to use something like UPnP or to make static rule checkboxes like "I want to use VoIP", or "I want to host a webserver", that put in the appropriate rules. That shouldn't be any more complicated than the existing systems, less complicated than configuring port forwarding.

Another policy would be to turn off any filtering for hosts which have their own built-in firewall. That should simplify protocols and reduce connectivity and support problems across the board.


Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 3:27 UTC (Tue) by bronson (subscriber, #4806)

Sure, in the future, stateful firewalls will hopefully become easier to configure than NAT. That will be a great day.

Today? The near future? I haven't seen an IPv6 stateful firewall that even comes close. Over the last decade the IPv6 world has created tons of theoretical, pie-in-the-sky ideas but very few actual clickable interfaces. Until that changes, NAT is the only reasonable choice for the layperson.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 6:14 UTC (Tue) by ebiederm (subscriber, #35028)

Today ipv6 stateful firewalls are here. Essentially a stateful ipv6 firewall is:

*filter
# By default don't accept anything
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback and ICMPv6 must pass, or neighbour discovery and path MTU discovery stop working
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT

# Allow existing connections to continue and related connections to start
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

To add a network address and port translation function requires a few more rules, but beyond that the implementation complexity is exactly the same.

Which means all of your ipv4 work for a NAT firewall translates seamlessly to an ipv6 stateless firewall. The functionality has existed in the Linux kernel since what looks like November of 2005 and was released in 2.6.15 or 2.6.16.

If you look carefully you can even find consumer routers with stateful ipv6 firewalls.

An ipv6 stateful firewall looks just like an ipv4 NAT firewall except it doesn't scramble your IP address and port number.
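To make the comparison above concrete, here is an added example (not code from the LWN thread or from any router firmware): a toy connection tracker that applies the "INPUT DROP, accept ESTABLISHED,RELATED" policy to IPv4 and IPv6 packets alike, next to a NAT variant that additionally rewrites the source address and port. Both classes share the same state logic; only the NAT one touches the addresses. The addresses and ports are constructed values from documentation ranges.

```python
# Added example, not code from the LWN thread: a toy connection tracker that
# applies the "INPUT DROP, accept ESTABLISHED,RELATED" policy to IPv4 and IPv6
# alike, next to a NAT variant that additionally rewrites source address/port.
# All addresses and ports below are constructed documentation-range values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address literal, IPv4 or IPv6
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """INPUT DROP / OUTPUT ACCEPT with conntrack-style state and no rewriting."""

    def __init__(self):
        self.flows = set()   # 5-tuples of flows this side has initiated

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        # ipaddress normalises "2001:db8::10" and "2001:0db8:0:0::10" to one key
        return (ipaddress.ip_address(src), sport,
                ipaddress.ip_address(dst), dport, proto)

    def output(self, p):
        """OUTPUT ACCEPT: record the flow so the reply counts as ESTABLISHED."""
        self.flows.add(self._key(p.src, p.sport, p.dst, p.dport, p.proto))
        return p   # leaves unchanged: the inside address and port are kept

    def input(self, p):
        """INPUT: ACCEPT only the reverse direction of a flow we opened."""
        reverse = self._key(p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.flows:
            return "ACCEPT", p
        return "DROP", None   # unsolicited packets hit the default policy


class NatFirewall(StatefulFirewall):
    """Same state logic, plus IPv4-style NAPT behind one public address."""

    def __init__(self, public_ip, first_port=40000):
        super().__init__()
        self.public_ip = public_ip
        self.next_port = first_port
        self.mapping = {}    # (public port, proto) -> (inside src, inside sport)

    def output(self, p):
        pub_port = self.next_port
        self.next_port += 1
        self.mapping[(pub_port, p.proto)] = (p.src, p.sport)
        rewritten = Packet(self.public_ip, pub_port, p.dst, p.dport, p.proto)
        super().output(rewritten)   # state is kept on the rewritten tuple
        return rewritten            # this is the "scrambled" address and port

    def input(self, p):
        verdict, _ = super().input(p)
        if verdict != "ACCEPT":
            return verdict, None
        inside_src, inside_sport = self.mapping[(p.dport, p.proto)]
        # undo the translation so the inside host sees its own address again
        return verdict, Packet(p.src, p.sport, inside_src, inside_sport, p.proto)


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.output(Packet("2001:db8::10", 51000, "2001:db8:1::80", 443))
    print(fw.input(Packet("2001:db8:1::80", 443, "2001:db8::10", 51000))[0])  # ACCEPT
    print(fw.input(Packet("2001:db8:1::80", 443, "2001:db8::10", 51001))[0])  # DROP
```

The inbound decision is identical in both classes: a packet is accepted only if it is the reverse of a flow the inside host opened. What NAT adds is bookkeeping (the port mapping and the two rewrites), not protection, which is why protocols that embed addresses in their payload break behind NAT but not behind the plain stateful filter.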

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:40 UTC (Tue) by bronson (subscriber, #4806)

It sounds like you agree with me? You can't possibly expect the layperson to understand what "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" means.

Actual *clickable* interfaces.

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 17:56 UTC (Tue) by raven667 (subscriber, #5198)

Is that supposed to be sarcasm? That doesn't seem like a serious response. The end-user, layperson interface is exactly the same as today because the rules are identical and are managed in the same way with the same tools. The kind of iptables config that your router GUI writes out is the same kind of config it writes out for ip6tables, existing devices that support IPv6 already do this AFAIK.

No one is suggesting that end-users need to write their own rules to an iptables-save file by hand, attacking that is a straw man.
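The claim that a router GUI writes the same kind of config for ip6tables as for iptables can be shown with an added example (not from the thread, and not any vendor's firmware): one "checkbox" policy rendered as iptables-save text for IPv4 and for IPv6. The service table, the interface name and the inside address are constructed for the illustration.

```python
# Added example, not from the LWN thread: the same "checkbox" policy rendered as
# the iptables-save text a router GUI might write for IPv4 (NAT plus a port
# forward) and for IPv6 (a stateful filter with a single ACCEPT per checkbox).
# SERVICES, the interface name and the inside address are constructed values.
SERVICES = {"webserver": ("tcp", 80), "voip": ("udp", 5060)}

BASE_FILTER = [
    "*filter",
    ":INPUT DROP [0:0]",
    ":FORWARD DROP [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
]


def render_ip6tables(enabled, wan="eth0"):
    """IPv6: ICMPv6 must pass for neighbour discovery; each checkbox is one ACCEPT."""
    lines = BASE_FILTER + [
        "-A INPUT -p ipv6-icmp -j ACCEPT",
        "-A FORWARD -p ipv6-icmp -j ACCEPT",
    ]
    for name in enabled:
        proto, port = SERVICES[name]
        # the inside host keeps its global address, so no translation is needed
        lines.append(f"-A FORWARD -i {wan} -p {proto} --dport {port} "
                     f"-m state --state NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines)


def render_iptables(enabled, inside_host, wan="eth0"):
    """IPv4: the same filter plus a nat table with MASQUERADE and one DNAT per checkbox."""
    filt = list(BASE_FILTER)
    nat = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -o {wan} -j MASQUERADE",
    ]
    for name in enabled:
        proto, port = SERVICES[name]
        nat.append(f"-A PREROUTING -i {wan} -p {proto} --dport {port} "
                   f"-j DNAT --to-destination {inside_host}:{port}")
        # FORWARD sees the packet after DNAT, so it matches on the inside address
        filt.append(f"-A FORWARD -i {wan} -p {proto} -d {inside_host} --dport {port} "
                    f"-m state --state NEW -j ACCEPT")
    filt.append("COMMIT")
    nat.append("COMMIT")
    return "\n".join(filt + nat)


if __name__ == "__main__":
    print(render_ip6tables(["webserver"]))
    print()
    print(render_iptables(["webserver"], "192.168.1.10"))
```

The filter half is shared verbatim; the IPv6 output differs only by the ICMPv6 rules it must carry, while the IPv4 output needs a whole extra nat table and a DNAT rule per checkbox to forward a port. With the default policy at DROP in both, ticking nothing leaves the box closed in both address families.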

Stateful ipv6 firewalls are here today

Posted Oct 16, 2012 21:29 UTC (Tue) by bronson (subscriber, #4806)

The rules are the same but the GUIs aren't. It's not easy to buy simple, NAT-equivalent stateful IPv6 firewalls from Belkin/Linksys/NetGear/etc. Using the present tense is a wee bit optimistic, no?

All I'm saying is, once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers, we will all celebrate. That day is not here yet. (or wasn't at the end of 2011, the last time I shopped for a new wifi access point).

Stateful ipv6 firewalls are here today

Posted Oct 18, 2012 0:56 UTC (Thu) by marcH (subscriber, #57642)

> Once IPv6 routers can be configured to do selective ingress as easily as IPv4 routers,

The interface of IPv4 routers has generally been horrible. It doesn't matter because you don't even have a choice; you need the default setting = NAT enabled. Consumers must find their IPv4 routers very easy to use indeed since most of them don't have to use them at all. Even gamers don't have to any more since UPnP. The vast majority has no idea what a NAT is and does not need to know.

So yes: IPv6 is a new problem in a way because now you do have the choice of filtering versus not. A good problem/checkbox to have. Giving people this checkbox is exactly what IPv6 is all about.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds