On 20110710_225108, Erwan David wrote:
> On 10/07/11 20:34, Randy Kramer wrote:
> >
> >> Also, ipv6 firewalling is very annoying on the gateway (due to the
> >> icmpv6 filtering which must be done right). When possible, get a
> >> script that does most of it right for you (or check RFC 4890).
> >
> > Sounds like good advice.
> >
> > Randy Kramer
> >
>
> shorewall6 is quite good at setting the rules for IPv6.

I am puzzled by this discussion. Without going into any features of IPv6, the reason NAT works for IPv4 that I have been taught is the 192.168.xxx.xxx are illegal on the actual internet. No router is supposed to do anything but drop them. And your NAT box acts as a proper internet router on the side that is connected to the internet. So anyone on the outside cannot send messages to your hosts on the inside because any messages will be dropped long before they get near a box on the inside.

It is not NAT, by itself, that offers protection, but NAT with the sure knowledge that packets on the inside are always illegal addresses in the outside. (Proper internet legal address packets ARE legal on the inside. That is how packets requesting web pages from a web site get from your host to your router/NAT.)

Is there something wrong, or incorrect, about this?

--
Paul E Condon
pecon...@mesanetworks.net