From: Elliott Mitchell <ehem@m5p.com>
To: usagi-users@linux-ipv6.org
Cc: netdev@oss.sgi.com, Jeroen Massar <jeroen@unfix.org>
Subject: Re: (usagi-users 03226) Re: support of IPv6 by NFS
Date: Tue, 1 Mar 2005 13:37:52 -0800 (PST)
Message-ID: <200503012137.j21LbqmL005962@m5p.com>
In-Reply-To: <200503011256.25282.Info@quantum-sci.com>

>From: Quantum Scientific <Info@quantum-sci.com>
> On Tuesday 01 March 2005 9:08, Jeroen Massar wrote:
> > On Tue, 2005-03-01 at 07:44 -0600, Quantum Scientific wrote: 
> > >On Tuesday 01 March 2005 4:10, Gilles Quillard wrote:
> > >> This works but this needs that the kernel has been compiled with IPv6, 
> > >> which is not mandatory. A lot of people in the Linux community do not 
> > >> have experience with IPv6 yet and are not ready to use it. So making it 
> > >> mandatory for NFS, even in a pure IPv4 network, is not easy.
> > >
> > >My experience is that IPV6 is extremely difficult to figure out how to set up
> > >securely, for the time being, due to lack of connection-sharing.
> > 
> > NAT is not a firewall. Get that into your brain.
> 
> Jeroen, was this addressed to me, or to Giles?  Never mind, it doesn't matter;  your 
> words show that you are an uneducated man.

Though I was planning to be more polite, I was going to write a similar
message. If you're depending on a firewall as a main defense, you're
already dead. If you wish your hosts to be secure, they MUST be secure
even if they didn't have a firewall!

The already mentioned approach works quite well. Filter packets with
only the SYN bit set, no incoming connections will work, outgoing
connections will be unaffected. No state needed. Though important for a
firewall, stateful filtering isn't a critical feature to state the IPv6
stack is working.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM@gremlin.m5p.com PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
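
The stateless SYN filter described in the message above, as an added example that is not part of the original post: the verdict depends only on the packet's own TCP flags, so no connection table is kept. The function names, the sample packets and the destination port are constructed for illustration.

```python
import struct

PROTO_TCP = 6
EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_flags(packet: bytes):
    """Return the TCP flags byte of a raw IPv6 packet, or None if it is not
    parseable TCP. Fragment headers are not followed in this sketch."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_hdr, offset = packet[6], 40
    while next_hdr in EXT_HEADERS:   # layout: next header, (length in 8-byte units) - 1
        if len(packet) < offset + 8:
            return None
        next_hdr, offset = packet[offset], offset + (packet[offset + 1] + 1) * 8
    if next_hdr != PROTO_TCP or len(packet) < offset + 14:
        return None
    return packet[offset + 13]

def drop_inbound(packet: bytes) -> bool:
    """Stateless rule: drop when SYN is set and ACK, RST and FIN are clear."""
    flags = tcp_flags(packet)
    return flags is not None and (flags & (SYN | ACK | RST | FIN)) == SYN

def build(flags: int, ext: bytes = b"", proto: int = PROTO_TCP) -> bytes:
    """Constructed sample packet: IPv6 header, optional extension header, TCP header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 2049, 1, 0, 5 << 4, flags, 65535, 0, 0)
    payload = ext + tcp
    first = 60 if ext else proto
    return struct.pack("!IHBB", 6 << 28, len(payload), first, 64) + bytes(32) + payload

DEST_OPTS = bytes([PROTO_TCP, 0, 1, 4, 0, 0, 0, 0])   # next header TCP, PadN padding

if __name__ == "__main__":
    for name, pkt in [("SYN", build(SYN)), ("SYN+ACK", build(SYN | ACK)),
                      ("ACK", build(ACK)), ("SYN after dest-opts", build(SYN, DEST_OPTS))]:
        print(f"{name:20} {'drop' if drop_inbound(pkt) else 'pass'}")
```

The SYN+ACK and ACK cases pass because they are what a remote host sends back on a connection opened from the inside, which is why outgoing connections keep working.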
