Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#17241 closed enhancement (not_a_bug)

Barrier Breaker: don't reject inbound IPv6 by default

Reported by: anonymous
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords:
Cc:

Description

The firewall in OpenWrt Barrier Breaker RC1 rejects WAN-to-LAN IPv6 connections by default. I'd argue that this is not the right behavior and this kind of filtering should be left to the end hosts themselves. Unlike some IPv4-only devices that were designed for the NAT world, IPv6 stuff expects unfiltered inbound connectivity. Filtering IPv6 is unnecessary and will only cause headaches to our users. It should be opt-in, not opt-out.

Before anyone says the firewall should stay this way and suggests enabling PCP: Firewalled IPv6 + PCP has the same behavior as unfiltered IPv6, except the former brings needless extra complexity. In both cases there's exactly the same amount of security.

I must add that most router manufacturers that I know of are not filtering inbound IPv6 by default. Filtering IPv6 in OpenWrt could then make it a not-so-great experience for new users who install OpenWrt on their routers.

As the first release with IPv6 enabled by default, this is the time to make these decisions. We are setting an example here as to how we want this new Internet to work. Let's not help break IPv6 before it even takes off.

Change History (3)

comment:1 Changed 4 years ago by anon2

Why should the need for a firewall change when addressing changes from IPv4 to IPv6?

Yes, the address space grows, so random scans are more difficult, but there is still the normal need to filter out incoming unsolicited traffic. Trusting that each IPv6-enabled device, including all smart home appliances, is well protected does not sound sensible to me. Much better to filter out traffic at the border.

comment:2 follow-up: Changed 4 years ago by nbd

  • Resolution set to not_a_bug
  • Status changed from new to closed

The current firewall settings were added intentionally. This is a topic which is still being discussed on the mailing list - trying to start a discussion in a bug report as well doesn't really help.

comment:3 in reply to: ↑ 2 Changed 4 years ago by anonymous

Replying to nbd:

> The current firewall settings were added intentionally. This is a topic which is still being discussed on the mailing list - trying to start a discussion in a bug report as well doesn't really help.

My apologies, I didn't know about that. I'm glad this is being discussed.
