= Message: 3346 of 7440 ============================================= IPV6 =
From    : Tony Langdon 3:633/410 09 Aug 16 09:35:00
To      : Michiel van der Vlist 09 Aug 16 09:35:00
Subject : Re: IPV6 and Netgear
FGHI    : area://IPV6?msgid=1803.fido-ipv6@3:633/410+1c0e55aa
Re      : area://IPV6?msgid=2:280/5555+57a8ee36
= Message encoding detected as: CP866 ==================================
Reply: area://IPV6?msgid=2:280/5555+57aa3533
==============================================================================
-=> Michiel van der Vlist wrote to Tony Langdon <=-
MvV> This confusing way of presenting the IPv6 firewall options seems to be
MvV> common among router manufacturers. I have a combined Cable modem +
MvV> router from Cisco. There is a tab "security" with a subtab for
MvV> "firewall". That allows for enabling or disabling the IPv6 firewall.
MvV> Also enabling things like enabling port scan detection, and flood
MvV> detection.
Ahh, OK. My router only has the one place to control the IPv6 firewall, AFAIK.
MvV> In a completely different part there is a tab "Applications and
MvV> gaming" there is a section "Port Range Forwarding". IPv4 and IPv6 are
MvV> covered in one and the same section. You choose an external port range
MvV> (start port and end port) an internal IP address, the IP type, internal
MvV> port range and protocol (TCP/UDP/Both).
Yes, my router has an extra IPv6 tab in the same area where IPv4 port forwarding is configured. The tab is separate, so the dialog boxes are IPv6 specific, not shared with IPv4 port forwarding.
MvV> For IPv4 it is old hat. But when you change the IP type there are two
MvV> other choices, IPv6 or MACv6. If you choose one of these the boxes for
MvV> the external port range gray out. You can only enter an internal port
MvV> range. That one cannot enter both an external and an internal port
MvV> range makes sense, there is no port /translation/. But it is confusing
MvV> at first because the external port range is the two leftmost boxes,
MvV> which one naturally would try to enter first.
I get a dialog box where you put in the "interface ID", which is the host part of the IPv6 address. There are also options to select ports, or you can click the "exposed host" button, which disables the firewall entirely for that host.
MvV> The internal IPv6 address defaults to ::. Which in a way also makes
MvV> sense. Interesting is the option "MACV6". Instead of the IPv6 address,
That is an interesting option. I don't have that one that I know of, but I can see it being quite useful.
MvV> one enters the MAC address of the interface. Useful if one does not
MvV> have a static IPv6 prefix. Then you do not have to change the table
MvV> every time the IPv6 prefix changes.
Another useful option, and again, I don't think I have that one.
MvV> I can understand why they do it this way, but I find it undesirable
MvV> from an educational POV. While it has the same goal: having an
MvV> incoming packet reach its intended destination, the mechanism is
MvV> completely different. As you say for IPv6 it is not NAPT, it is a
MvV> packet filter.
Yes, it will lead to confusion for the average punter.
MvV> What is a bit unclear is how it deals with ICMP. There is an option in
MvV> the firewall setting "block anonymous internet requests". It is unclear
MvV> if it applies to both IPv4 and IPv6 or to both. It is activated by
MvV> default. By default it rejects PING. So I have deactivated it and now
MvV> all IPv6 devices on the LAN are pingable. It has no way to be more
MvV> specific, so I assume all ICMP is allowed.
Only way ICMP echo (ping) is allowed to hosts behind the router is if I use the exposed host option. There is another option in the firewall setup to allow ICMP echo, but that's for the router itself, and I'm unsure if that affects IPv6 as well as IPv4.