Date:      Thu, 20 Jun 2019 07:35:45 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        Jan Bramkamp <crest@rlwinm.de>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   Re: Look for an ipfw example using NPTv6
Message-ID:  <CAHu1Y70oavnHz0sL05J8v9BeKHV_Rs%2Bu6NUEXEiT0qVJXn8USQ@mail.gmail.com>
In-Reply-To: <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>
References:  <CAHu1Y72ezsU-f7WbYpH3h0Qcj1uttCsnQHqFue9F9xJmOtZd=w@mail.gmail.com> <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>

Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
guarantee that it's mine for the duration.

I'm in the process of securing my own IPv6 block, but was hoping for an
interim solution.

One that occurred to me is to use a public ::/56 that's allocated (but
unused) to me in an AWS VPC.  Route advertisements from them would make
them unusable directly, but then NPTv6 would work.

Open to any suggestions.... ;-)

– M

On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <crest@rlwinm.de> wrote:

> On 18.06.19 22:00, Michael Sierchio wrote:
> > I'm looking for a simple firewall example using nptv6 to translate
> > link-local addresses to match the prefix assigned by my ISP.  I'll be
> > using stateful rules and allowing only outbound traffic.
> >
> > If you have a snippet, I'll be grateful.  Thanks.
> >
> This sounds like you're trying to force IPv6 to behave like IPv4 with
> longer addresses and have just replaced RFC1918 addresses with link local
> addresses. This isn't going to work because the differences are larger
> than just the address length. Link local addresses are just what the
> name says: they are local to the link. A link local address isn't even
> unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> on the same host.
>
> In theory you can get very close to NAT between global unicast addresses
> and private addresses by configuring NPTv6 between global unicast
> addresses and unique local addresses, but that would be a terrible
> choice. One of the great advantages of IPv6 is that it removes the address
> scarcity that forced NAT upon us. Each IPv6 device can have as many global
> IPv6 unicast addresses as required.
>
> Would you feel comfortable describing the constraints shaping your
> design to us?
>


--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
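As an added worked example, not code from this thread or from ipfw, the following Python implements the RFC 6296 NPTv6 mapping that Jan describes between unique local and global unicast prefixes, for the base case of equal-length prefixes of at most /48. The prefixes are constructed (a ULA inside, the 2001:db8::/32 documentation prefix outside); the code shows why the translation needs no state, why transport checksums stay valid, and why the subnet ID 0xFFFF cannot round-trip through the translator.

```python
import ipaddress

def oc_add(a: int, b: int) -> int:
    """One's complement add of two 16-bit words; 0xFFFF (negative zero) is written as 0x0000."""
    s = a + b
    s = (s & 0xFFFF) + (s >> 16)  # fold the carry back in
    return 0 if s == 0xFFFF else s

def oc_sum(ws) -> int:
    total = 0
    for w in ws:
        total = oc_add(total, w)
    return total

def words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of a 128-bit address."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

class NPTv6:
    """RFC 6296 base case: equal-length prefixes of at most /48, adjustment in bits 48..63."""
    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 48:
            raise ValueError("this example handles equal-length prefixes of at most /48")
        # Constant for the life of the translator: internal minus external prefix sum
        # (one's complement negation of a 16-bit word is 0xFFFF ^ word), so no per-flow state.
        int_sum = oc_sum(words(self.internal.network_address)[:3])
        ext_sum = oc_sum(words(self.external.network_address)[:3])
        self.adjustment = oc_add(int_sum, 0xFFFF ^ ext_sum)

    def _translate(self, addr, src, dst, adjustment) -> ipaddress.IPv6Address:
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        # Swap the prefix, keep the host bits, then add the adjustment to the subnet field so
        # the one's complement sum of the address (and every TCP/UDP/ICMPv6 checksum) is unchanged.
        w = words(ipaddress.IPv6Address(int(dst.network_address) | (int(a) & int(src.hostmask))))
        w[3] = oc_add(w[3], adjustment)
        return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def to_external(self, addr) -> ipaddress.IPv6Address:   # inside -> outside
        return self._translate(addr, self.internal, self.external, self.adjustment)
    def to_internal(self, addr) -> ipaddress.IPv6Address:   # outside -> inside
        return self._translate(addr, self.external, self.internal, 0xFFFF ^ self.adjustment)

def checksum_neutral(a: str, b: str) -> bool:
    return oc_sum(words(ipaddress.IPv6Address(a))) == oc_sum(words(ipaddress.IPv6Address(b)))

def round_trips(t: NPTv6, addr: str) -> bool:
    """False for subnet 0xFFFF: it collapses to 0x0000, so do not use that subnet behind NPTv6."""
    return t.to_internal(t.to_external(addr)) == ipaddress.IPv6Address(addr)
```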


