Hi Steven,

On Mon, Jul 14, 2014 at 02:38:16PM +0200, Steven Barth wrote:
> Hi Baptiste,
>
> in general our current firewalling approach is to keep defaults for IPv4 and
> IPv6 relatively close (not considering NAT here of course).

Could you detail the reasoning behind this approach? "Don't confuse the user"? I'd rather have "Don't bother the user": things should generally just work, without having to configure anything (in this case, port forwarding). But there is an obvious tradeoff with security.

> Opening up the IPv6 firewall by default would be unexpected and I don't
> really like the approach for that matter and honestly I don't trust
> client devices that much.

At least opening UDP ports > 1024 seems pretty reasonable, and covers most use-cases regarding VoIP and video. But it does indeed depart from the IPv4 case (not sure if it is such a bad idea though).

> However the packaged version of miniupnpd does indeed support both UPNP
> WANIPv6FirewallControl and PCP. One of my colleagues recently ran a test with
> PCP and said miniupnpd and it works fine.

Good news, thanks! PCP doesn't show up in the config file, so I guess PCP is controlled by the NAT-PMP-related options.

> Cheers,
>
> Steven

Thank you,
Baptiste
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel