I hope that others might also contribute even questions and thereby a document in the 'how to' class is created.
On Mon, Jan 31, 2022 at 5:03 PM Simon <li...@thehobsons.co.uk> wrote:
>
> o1bigtenor via Dng <dng@lists.dyne.org> wrote:
>
> > Not only do I want to echo Mr Joel but for Mr Simon.
> > This gives great information - - - all together AND in a fashion that
> > I think I may even be understanding this.
>
> Thanks, that makes it worthwhile having written it.
> As you might have guessed, I’m in the IPv6 is good camp. Frustratingly my ISP
> ran IPv6 trials several years ago but has since gone quiet - even though
> their parent company (a larger ISP) rolled out IPv6 by default several years
> ago !
>
> > Please would you fashion perhaps 2 or three more messages for
> > intermediate and maybe even extend this into more of the
> > 'advanced' networking country.
>
> I’m not sure there’s all that much I can add. One of the problems of not
> using it often enough is that I’ve forgotten a lot of what I learned when I
> worked through the tunnelbroker certification - which BTW (if it’s still
> part of the deal) will get you what must be one of the geekiest tee shirts
> ever created !
>
snip
> You will want to configure an IPv6 firewall. I used Shorewall for this - it’s
> an amazing package. It’s still usable, but its time is now limited as it’s
> deeply entangled with iptables which is now deprecated and replaced with
> nftables. I imagine that at some point the iptables compatibility shim will
> go away and that will stop Shorewall.
>

I am looking at (have the hardware waiting for pickup) running
something like pfSense or OPNsense for a firewall. It seems that either
supports IPv6 as well.

snip
>
> > I am not needing ipv6 at present but likely this spring fiber optics
> > are happening (finally some decent speed options) and they are
> > in the process of moving to ipv6 likely within a year or so. I would
> > prefer to know at least some more before I 'need' it.
>
> Good news then - the more ISPs do IPv6 the better. The main thing to remember
> is that IPv4 vs IPv6 is orthogonal to the rest of the stack - the physical
> layer underneath (fibre, ethernet, xDSL, cable, dial-up, damp string, carrier
> pigeon, ...) and the session layers higher up (DNS, HTTP, SMTP, ...).
> Things are not completely disconnected as things need to support the
> differences - e.g. handling 128 bit long addresses, doing AAAA lookups as
> well as A, and so on. But (and not speaking as someone who’s had to deal with
> that), I think a lot of that is handled by the standard libraries.
>

Wondering about physical setup.
I had thought of running my network (part of it at least) like this:

WAN == router == firewall == managed switch == complicated network

It has been suggested to me that I should combine the router and the
firewall functions into the same machine.

Which option (combining functions or separating functions) gives a more
robust network?

Where would a pihole function in this scenario?

An air gapped machine is considered the most secure. Doing this makes
updating the system more difficult and could make some tasks more
difficult. (Business reasons for wanting as high a security as possible.)

How secure can a system be made using firewall(s)?

TIA