[TriLUG] IPv6 workshop
mhrivnak at hrivnak.org
Tue Apr 19 19:42:02 EDT 2011

I second this. For those who really like the "island" idea of NAT as
Greg puts it, use ULA and reasonable firewall rules. Your firewall
rules probably boil down to something like this at the moment:

  - NAT everything outbound
  - block new connections inbound unless there is a specific exception

With v6, you can eliminate the "NAT everything outbound" part and just
keep the second part.

On Mon, Apr 18, 2011 at 11:54 PM, Jonathan Woodbury <jpwoodbu at mybox.org> wrote:
>>> If you're looking for private addresses, take a look at the "Unique
>>> Local Address" space in fc00::/7.
>>> These addresses are for exactly what you're looking for... private
>>> addresses that are NAT'ed behind a router.
>> Already found the addresses. What I'm looking for is the cross-router
>> NAT/masquerade piece so (v4 and v6) internal can speak v4 external. v6
>> external is of zero interest now, but transitioning to (v4 or v6)-to-6
>> public-to-private later by dual homing might be.
> That's a very difficult paragraph to comprehend. ;) Can you elaborate?
> You can achieve your goal of having persistent addressing for your
> hosts using ULA (or IPv4 for that matter).
> Those hosts can have v6 Internet access by giving them dynamically
> configured global addresses as well as UL addresses. There's no need
> to NAT. If a simple firewall configuration can protect those devices
> the same as any NAT-ing firewall could.
> What's the bad to this solution?
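
The two-rule policy from the message above, sketched as an nftables configuration. This is an added example, not part of the original thread; the interface names, the addresses and the SSH exception are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example. wan0/lan0 and all addresses below are assumptions.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"

# IPv4 only: the "NAT everything outbound" rule.
# There is no IPv6 counterpart to this table; v6 hosts keep their own addresses.
table ip nat4 {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}

# IPv4 and IPv6: "block new connections inbound unless there is a
# specific exception". The inet family applies one chain to both.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # ULA (fc00::/7) is site-local: never let it cross the WAN edge.
        oifname $WAN ip6 saddr fc00::/7 drop
        oifname $WAN ip6 daddr fc00::/7 drop
        iifname $WAN ip6 saddr fc00::/7 drop

        # Replies to connections the inside opened. "related" also admits
        # ICMPv6 errors such as packet-too-big for those flows.
        ct state established,related accept
        ct state invalid drop

        # New connections are allowed outbound only.
        iifname $LAN oifname $WAN accept

        # The specific inbound exception: SSH to one host's global
        # address (2001:db8::/32 is the documentation prefix).
        iifname $WAN oifname $LAN ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept

        # Everything else arriving from the WAN hits the drop policy.
    }
}
```

This covers forwarded traffic only. The router's own input chain is left out, and it has to accept ICMPv6 neighbor discovery or IPv6 stops working on the link.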