[AusNOG] Globally Routed IPv6 and Windows Firewall

Greg Anderson ganderson at raywhite.com
Fri Jul 25 14:24:25 EST 2014


Not a typo, but quite possibly unaware :)

To be more clear, I was not referring to dynamic NAT for outbound traffic,
I am specifically talking about inbound traffic here.

Most devices I have used no doubt firewall the public IPv4 address, but you
are required to specify a NAT to an internal address.  Subsequently the
traffic arrives at the internal IP address.

I have never used a device in a residential space that required you to
first configure the NAT, and then configure the firewall for the same port
before traffic would flow.  You could, however, optionally firewall the
port between certain hours - but that is an optional extra.  Or you could
firewall outbound traffic, which has always been permitted by default.

Admittedly, I have not seen this in an environment where every local device
had a globally routed IPv4 address, so I would be interested in what you
have experienced - feel free to contact me on list because I do find this
intriguing.


On 25 July 2014 14:06, Pete Mundy <pete at fiberphone.co.nz> wrote:

> On 25/07/2014, at 3:47 PM, Greg Anderson <ganderson at raywhite.com> wrote:
>
> > I am not aware of any home router that out of the box has a firewall
> > enabled for clients out of the box with IPv4.  I generally expect that
> > clients are (badly) protected because there is no NAT unless specified by
> > an end user or UPNP.  On many you can enable firewalls for the clients but
> > they are usually for outbound traffic, or only inbound for a (usually
> > single) DMZ type device that nearly all ports are forwarded to.
>
> I'm not sure if this is a typo or what, but my experience is the exact
> opposite.
>
> I am not aware of any home router that out of the box does NOT have
> firewall enabled for IPv4 (nor NAT for that matter; for without it the user
> would have no internet on their multiple-device network with only one
> public v4 IP).
>
> Furthermore, all IPv6 capable CPE devices that I've seen supplied by
> network providers here in NZ all have the IPv6 firewall enabled by default
> too. So you get real-world IP addresses on your workstations but they're
> protected at the border by default and you can't accept connections to them
> without loading a rule (ie no change from current situation with v4).
>
>  Pete
>

