#17241 closed enhancement (not_a_bug)
Barrier Breaker: don't reject inbound IPv6 by default
Reported by: | anonymous | Owned by: | developers |
---|---|---|---|
Priority: | normal | Milestone: | Chaos Calmer 15.05 |
Component: | packages | Version: | Trunk |
Keywords: | | Cc: | |
Description
The firewall in OpenWrt Barrier Breaker RC1 rejects WAN-to-LAN IPv6 connections by default. I'd argue that this is not the right behavior and this kind of filtering should be left to the end hosts themselves. Unlike some IPv4-only devices that were designed for the NAT world, IPv6 stuff expects unfiltered inbound connectivity. Filtering IPv6 is unnecessary and will only cause headaches to our users. It should be opt-in, not opt-out.
Before anyone says the firewall should stay this way and suggests enabling PCP: Firewalled IPv6 + PCP has the same behavior as unfiltered IPv6, except the former brings needless extra complexity. In both cases there's exactly the same amount of security.
I must add that most router manufacturers that I know of are not filtering inbound IPv6 by default. Filtering IPv6 in OpenWrt could then make it a not-so-great experience for new users who install OpenWrt on their routers.
As the first release with IPv6 enabled by default, this is the time to make these decisions. We are setting an example here as to how we want this new Internet to work. Let's not help break IPv6 before it even takes off.
Change History (3)
comment:1 Changed 4 years ago by anon2
comment:2 follow-up: ↓ 3 Changed 4 years ago by nbd
- Resolution set to not_a_bug
- Status changed from new to closed
The current firewall settings were added intentionally. This is a topic which is still being discussed on the mailing list - trying to start a discussion in a bug report as well doesn't really help.
comment:3 in reply to: ↑ 2 Changed 4 years ago by anonymous
Replying to nbd:
> The current firewall settings were added intentionally. This is a topic which is still being discussed on the mailing list - trying to start a discussion in a bug report as well doesn't really help.
My apologies, I didn't know about that. I'm glad this is being discussed.
Why should the need for a firewall change when addressing changes from IPv4 to IPv6?
Yes, the address space grows, so random scans are more difficult, but there is still the normal need to filter out incoming unsolicited traffic. Trusting that each IPv6-enabled device, including all smart home appliances, is well protected does not sound sensible to me. Much better to filter out traffic at the border.