On 2/8/23 19:16, jeremy ardley wrote:
On 9/2/23 06:39, gene heskett wrote:
On 2/8/23 16:29, jeremy ardley wrote:
On 9/2/23 04:54, gene heskett wrote:
My several machine home net is behind a dd-wrt install, NAT'ed so
that any machine here has access to the net via the ipv4 address my
router obtains from them. That legally is a dynamic address but
hasn't changed in the decade and a half since I last switched ISPs
to one that just worked, courtesy of cloning the MAC from one router
to its backup.
So now my question is, can I maintain the same level of security if
I start using an ipv6 address in my router?
And if so, how do I maintain the NAT, & how would I do it? Or am I
better off to not kick this sleeping dog called ipv6?
Thanks Jeremy, but in the back of my mind is the need for a firewall.
I've not set up a new one since bullseye moved in a year plus ago.
dd-wrt reflashing my now elderly buffalo router handles all that.
Let's look at the different cases.
First, you have IPv4 and NAT. Your firewall will allow (and NAT) any
outbound traffic, and will accept any incoming traffic related to
outgoing traffic and inverse NAT it and send to the internal host. You
are relatively safe in this scenario as external baddies can't scan your
LAN and can't make unsolicited connections to your LAN devices.
In the case of adding IPv6 without NAT, then without a firewall,
external baddies can connect unsolicited to your internal devices. Some
of your devices will have their own personal firewalls already, e.g. any
Windows machine. Some won't, e.g. a printer. In the printer case it
would be unfortunate if your printer suddenly started printing out
obscenities. You get the picture.
Net result is with IPv6 you need a firewall on your internet connection
to disallow any unsolicited connections to internal devices. It's really
easy in ip6tables. It is probably very easy in dd-wrt. It is certain to
be in any off-the-shelf dual-stack modem/router.
The other option of NAT for your IPv6 is frowned on.
Another problem is internal names. As with IPv4 you need a directory
service to say what devices are at what IPv4 or IPv6 addresses in your
LAN. In my case I run a DNS server linked to my DHCP server for the IPv4
and IPv6 addresses. It uses a combination of DHCP registration data, and
static records to give IPv4 and IPv6 addresses internally to the LAN.
Of note, in my LAN which runs IPv4 and IPv6, most traffic between
devices is IPv6 because modern Debian/Linux applications default to IPv6
and only fall back to IPv4 as necessary.
Jeremy
Where you run a dns of sorts, I don't, resolv.conf says check host
first, then query the router which forwards it to the nameserver at my
isp. That has worked very well since redhat 5.0 in 1998. The only thing
I do is a chattr +i on resolv.conf so network mangler can't putz with
it. And network mangler has had sense enough to stfu about it not being
writable for close to 15 years now. The host file is identical and
accounts for all the local machines. Until ipv4 stops working, I'm
inclined to leave it be.
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Gene's Web page <http://geneslinuxbox.net:6309/>
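The firewall Jeremy describes above (allow outbound, accept inbound only when it is related to an existing connection, drop every other unsolicited connection on the internet side), written out as an added example that is not part of this thread and not dd-wrt's own configuration. It is a POSIX shell script that prints the ip6tables rules so they can be reviewed, and only applies them when run as root with `--apply`. The WAN interface name is an assumption (`eth0` is a placeholder), and the ICMPv6 and DHCPv6 allowances are added here because IPv6 does not function without them; the thread does not list them.

```shell
#!/bin/sh
# Added example, not from the thread: emit (and optionally apply) an ip6tables
# rule set for a dual-stack router. Outbound traffic and replies to it are
# allowed, the ICMPv6 messages IPv6 needs are allowed, and every other
# unsolicited connection arriving on the WAN side is dropped.
# The WAN interface name is an assumption; "eth0" below is only a placeholder.

# Print the rules instead of applying them, so they can be reviewed first.
gen_ipv6_fw_rules() {
    wan="${1:-eth0}"   # placeholder WAN interface; substitute your router's
    cat <<EOF
# Default to dropping anything not explicitly allowed in, allowing everything out
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -F INPUT
ip6tables -F FORWARD
# Loopback, and anything from the LAN side toward the router itself
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT ! -i $wan -j ACCEPT
# Replies to connections the LAN initiated (the stateful part NAT gave you for free)
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections outward
ip6tables -A FORWARD ! -i $wan -o $wan -j ACCEPT
# ICMPv6 that IPv6 cannot function without: errors, path MTU discovery,
# neighbour discovery and router advertisements from the upstream link
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
ip6tables -A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
# DHCPv6 replies from the upstream router (needed for prefix delegation)
ip6tables -A INPUT -i $wan -p udp --sport 547 --dport 546 -j ACCEPT
# Everything else that arrives unsolicited on the WAN interface is dropped
ip6tables -A INPUT -i $wan -j DROP
ip6tables -A FORWARD -i $wan -j DROP
EOF
}

# Usage: sh ipv6_fw.sh [--apply] [wan-interface]
# Without --apply the rules are only printed.
case "${1:-}" in
    --apply) gen_ipv6_fw_rules "${2:-eth0}" | sh ;;   # run as root on the router
    *)       gen_ipv6_fw_rules "${1:-eth0}" ;;
esac
```

Note that there is no `-t nat` line anywhere: the protection against scans and unsolicited connections comes from the `DROP` policy plus the `ESTABLISHED,RELATED` rule, not from address translation, which is why NAT is unnecessary for IPv6. Run the script without `--apply` first and read the output; once it looks right for your interface names, apply it and confirm with `ip6tables -L -v -n` that the counters on the `DROP` rules are climbing while LAN-initiated traffic still flows.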