Re: ipv6 maybe has arrived.
jeremy ardley <jeremy@ardley.org> writes:
> In the case of adding IPv6 without NAT, then without a firewall, external baddies can connect unsolicited to your internal devices. Some of your devices will
> have their own personal firewalls already, e.g. any windows machine. Some won't, e.g. a printer. In the printer case it would be unfortunate if your printer
> suddenly started printing out obscenites.. You get the picture.
One point about the IPv6 without NAT: for external connectivity, you
still need to explicitly allow IP forwarding in the *router* and also in
the router's firewall. In Linux terms of course, but Gene said he has
dd-wrt in his router.
If forwarding is not enabled, then the LAN IPv6 hosts are just as
isolated from incoming traffic from the internet as hosts behind NAT.
This was a happy revelation when I started playing with IPv6 last
year. Mostly because systemd-networkd grew built in 6rd support and
that's all my extremely backward ISP does for IPv6 so it was super easy
to try.
> The other option of NAT for your IPv6 is frowned on
I don't know why though. The other IPv6 access I have is through a VPN
and there, for privacy, of course my connection is NATted to the same
exit IPv6 address as everyone else's. IPv6 defines the range fc00::/7 as
unique local addresses which are similar to IPv4 private network ranges
and I get a local IPv6 address from that range from the VPN server.
Reply to: