Mailinglist Archive: opensuse (1599 mails)

< Previous Next >
Re: [opensuse] ipv4 Firewalls & ipv6: ipv6 encapsulate in ipv4 -> security hole?
That is the purpose of a firewall.
Speaking of which...how do exsiting ipv4 firewalls interact
with IPV6?
Most probably they don't. For instance, iptables deals only with IPv4,
ip6tables with IPv6.

Yep.

Many of the ipv6 solutions I see use ipv4 some for of encapsulation to
get across "ipv6-dead zones".

This is true, and can be 'interesting'.

So isn't that an open path into your network if your firewall
is ipv4 only? Or are all firewalls easily upgraded to ipv6?...
If you're connected to IPv6 and your firewall doesn't set up any rules
for IPv6, then yes, you're wide open.

That is the safest assumption. The biggest concern here is that most
organizations filter outgoing traffic to some extent, block some
traffic, etc... In many cases an internal IPv6 host can end up with
full Internet access via encapsulation as many times this isn't
something IPv4 firewalls have been set up to deal with. Inbound
firewall rules are usually deny-everything-except-what-I-expect,
outbound rules are often much more confusing (of course, if your
outbound rule is allow-everything then IPv6 access is a given anyway).


--
openSUSE <http://www.opensuse.org/en/>
Linux for human beings who need to get things done.

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >