From owner-freebsd-net@FreeBSD.ORG Mon Apr 15 10:47:25 2013
Date: Mon, 15 Apr 2013 13:47:24 +0300
From: Kimmo Paasiala
To: lev@freebsd.org
Subject: Re: ipfilter(4) needs maintainer
In-Reply-To: <621849003.20130415144428@serebryakov.spb.ru>
References: <20130411201805.GD76816@FreeBSD.org> <20130414160648.GD96431@in-addr.com> <36562.1365960622.5652758659450863616@ffe10.ukr.net> <201304150025.07337.Mark.Martinec+freebsd@ijs.si> <951943801.20130415141536@serebryakov.spb.ru> <195468703.20130415143237@serebryakov.spb.ru> <621849003.20130415144428@serebryakov.spb.ru>
Content-Type: text/plain; charset=UTF-8
Cc: Mark Martinec, freebsd-net@freebsd.org, current@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Apr 15, 2013 at 1:44 PM, Lev Serebryakov wrote:
> Hello, Kimmo.
> You wrote on 15 April 2013, 14:36:27:
>
>>> And, yes, NAT64 will be useful for sure, but it is another story,
>>> not IPv6<->IPv6 translation.
> KP> You're forgetting setups where outgoing traffic is controlled by
> KP> filter rules; outgoing passive mode ftp needs help from the proxy to
> KP> open holes for arbitrary ports. This is not limited to IPv4 and NAT.
> It could be done without IPv6 prefix mapping. Yes, the firewall should
> have the ability to expect some connections from FTP commands (some flag
> on a rule, for sure), but it is not prefix rewriting (there are some
> other protocols which need similar treatment, like SIP)! I was
> shocked by the idea of true NAT from IPv6 to IPv6. IPv6 has its own
> problems and complications, but one REALLY GOOD side of it is that we
> don't need NAT for it anymore! Some special tricks in the firewall -- yes,
> maybe, for badly designed but widely deployed application level
> protocols, but not address translations!
>
> I, personally, don't see any problem in enabling all outbound
> connections for a dedicated FTP server, though.
>
Server side is the easy part: no need for a proxy, because you know the passive mode data ports and you can open holes in your firewall using the known port numbers. I'm, however, talking about an ftp client behind a very restrictive firewall making an IPv6 connection to an ftp server that uses passive mode data ports that can't be known in advance.

-Kimmo
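The client-side case Kimmo describes is what an FTP "proxy" or helper in the firewall has to handle: watch the control connection, parse the server's passive-mode reply, and open exactly one outbound pinhole for the announced data port. The sketch below is an added illustration written for this archive page; it is not code from the thread, from ipfilter(4), or from its ipnat proxy, and the function names (`parse_passive_reply`, `pinhole_for_reply`, `Pinhole`) and the sample replies and addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for it. It covers both the IPv4 `PASV` reply (RFC 959) and the `EPSV` reply (RFC 2428) that an IPv6 client actually sees, and shows the two checks a defender wants before any hole is opened: the data host must be the control-connection peer, and the port must be in the unprivileged range.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


# The one dynamic rule the helper would hand to the packet filter:
# "allow TCP from src to dst port dport" for the expected data connection.
@dataclass(frozen=True)
class Pinhole:
    src: str          # client behind the restrictive firewall
    dst: str          # server's data address (must equal the control peer)
    dport: int        # dynamically announced data port
    proto: str = "tcp"


# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -- RFC 959, IPv4 only
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)   -- RFC 2428, IPv4 and IPv6
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line: str, control_peer: IPAddr) -> Optional[Tuple[IPAddr, int]]:
    """Extract (data_host, data_port) from a PASV or EPSV server reply.

    Returns None for anything that is not a well-formed passive-mode reply.
    """
    line = line.strip()
    m = _EPSV_RE.match(line)
    if m:
        # EPSV carries only the port; the data host is by definition the peer
        # of the control connection, which is what makes it usable over IPv6
        # (PASV has no way to encode a 128-bit address).
        return control_peer, int(m.group(1))
    m = _PASV_RE.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
        return host, fields[4] * 256 + fields[5]
    return None


def pinhole_for_reply(line: str, client_addr: str, control_peer: str,
                      ephemeral_min: int = 1024) -> Optional[Pinhole]:
    """Decide whether a server reply justifies opening one outbound pinhole.

    The helper only ever opens a hole toward the host the client is already
    talking to, and never toward a privileged service port, so a hostile or
    malformed reply cannot turn the helper into a way of reaching other hosts.
    """
    try:
        client = ipaddress.ip_address(client_addr)
        peer = ipaddress.ip_address(control_peer)
    except ValueError:
        return None
    parsed = parse_passive_reply(line, peer)
    if parsed is None:
        return None
    host, port = parsed
    if host != peer:
        # PASV reply points somewhere other than the control peer: refuse.
        return None
    if not ephemeral_min <= port <= 65535:
        # Out-of-range or privileged port: refuse.
        return None
    return Pinhole(src=str(client), dst=str(peer), dport=port)


if __name__ == "__main__":
    # Constructed replies; addresses are from documentation ranges only.
    samples = [
        ("227 Entering Passive Mode (192,0,2,10,195,86)\r\n", "198.51.100.5", "192.0.2.10"),
        ("227 Entering Passive Mode (198,51,100,7,195,86)\r\n", "198.51.100.5", "192.0.2.10"),
        ("229 Entering Extended Passive Mode (|||54321|)\r\n", "2001:db8::1", "2001:db8::10"),
        ("229 Entering Extended Passive Mode (|||80|)\r\n", "2001:db8::1", "2001:db8::10"),
    ]
    for reply, client, peer in samples:
        print(reply.strip(), "->", pinhole_for_reply(reply, client, peer))
```

The `EPSV` branch is the one that matters for the IPv6 client Kimmo has in mind: the reply carries no address at all, so the helper has nothing to rewrite and only a port to learn, which is why this is a "flag on a rule" problem rather than an address-translation one. The host check on the `PASV` branch is the detail that keeps such a helper from being talked into opening holes toward third parties.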