Anders Johansson said the following on 09/09/2010 02:19 PM:
On Thursday 09 September 2010, Adam Tauno Williams wrote:
With a firewall'd IPv6 network you just say - permit inbound :80. Done. No need to port forward 80 on the external interface to A.B.C.D:80 on some internal host. Or you can say permit inbound :80 just to A.B.C.D.E.F. And if you want to access port 80 on two machines - no problem. No need to have one be :80 and the other :81 as is required with NAT (and makes for hackish URLs).
Except you're not supposed to run external services on the internal LAN at all, because once a flaw has been discovered, your entire LAN with all its desktops and everything is wide open. A LAN should be locked down, completely, totally, utterly. Saying "with IPv6 you can run services there" is simply not an argument that wins any favours with me, and I hope any security-conscious admin agrees.
+1

--
"The wide world is all about you: you can fence yourselves in, but you cannot for ever fence it out."
-- JRR Tolkien
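
Added example, not part of the original thread: an nftables ruleset sketching both points made above, the per-host IPv6 permit on port 80 beside the IPv4 NAT forwards that need :80 and :81, with the published hosts on a separate DMZ segment so that the LAN accepts no inbound connections. The interface names (wan0, lan0, dmz0) and all addresses (documentation and private ranges) are assumptions.

```nft
# Constructed example. wan0/lan0/dmz0 and every address below are assumptions.

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed out
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 errors that IPv6 needs to function (path MTU discovery etc.)
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # LAN and DMZ may open connections to the outside
        iifname "lan0" oifname "wan0" accept
        iifname "dmz0" oifname "wan0" accept

        # IPv6: "permit inbound :80" to two specific hosts, both on port 80,
        # no address or port rewriting involved
        iifname "wan0" oifname "dmz0" ip6 daddr { 2001:db8:0:10::80, 2001:db8:0:10::81 } tcp dport 80 accept

        # IPv4: let through only what the NAT table below has translated
        iifname "wan0" oifname "dmz0" ct status dnat accept

        # No rule forwards wan0 -> lan0 or dmz0 -> lan0, so new connections
        # toward the LAN fall through to the drop policy.
    }
}

# IPv4 with NAT: one public address, so the second web server has to be
# published on a different external port (:81).
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" tcp dport 80 dnat to 192.168.10.80:80
        iifname "wan0" tcp dport 81 dnat to 192.168.10.81:80
    }
}
```

On a test machine, `nft -c -f <file>` parses the ruleset without loading it.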