From: Kimmo Paasiala
To: lev@freebsd.org
Cc: Mark Martinec, freebsd-net@freebsd.org, current@freebsd.org
Date: Mon, 15 Apr 2013 13:36:27 +0300
Subject: Re: ipfilter(4) needs maintainer
List-Id: Discussions about the use of FreeBSD-current

On Mon, Apr 15, 2013 at 1:32 PM, Lev Serebryakov wrote:
> Hello, Kimmo.
> You wrote on 15 April 2013, 14:26:40:
>
>>> MM> ... and as far as I can tell none of them is currently usable
>>> MM> on an IPv6-only FreeBSD (like protecting a host with sshguard),
>>> MM> none of them supports stateful NAT64, nor IPv6 prefix translation :(
>>> IPv6 prefix translation?! AGAIN!? FML. I've thought, that IPv6 will
>>> render all that NAT nightmare to void. I hope, IPv6 prefix translation
>>> will not be possible never ever!
>
> KP> Things like ftp-proxy(8) will need address translation even with IPv6.
> ftp-proxy is solution to help IPv4 NAT. Why do we need it when every
> device could have routable IPv6? Of course, _every_ device should be
> protected by border firewall (stateful and IPv6-enabled), but FTP
> server should have special rules for it to allow traffic pass, not
> some "proxy".
>
> And, yes, NAT64 will be useful for sure, but it is another story,
> not IPv6<->IPv6 translation.
>

You're forgetting setups where outgoing traffic is controlled by
filter rules; outgoing passive mode ftp needs help from the proxy to
open holes for arbitrary ports. This is not limited to IPv4 and NAT.

-Kimmo
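
The point made in the reply above, as an added example that is not part of the original message and is not ftp-proxy(8)'s code: a helper on an egress-filtering firewall has to read the FTP control channel to learn which server port the client will connect to next, and that is true for the IPv6 EPSV reply as much as for the IPv4 PASV reply. The function names, the tuple format and the sample sessions (documentation addresses) are assumptions made for illustration.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428 EPSV reply: 229 ... (|||port|); the delimiter may be any character
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

# Constructed control-channel excerpts (server-to-client lines only).
V4_SESSION = ["220 ready\r\n", "331 password required\r\n", "230 logged in\r\n",
              "227 Entering Passive Mode (198,51,100,7,195,80)\r\n"]
V6_SESSION = ["220 ready\r\n", "230 logged in\r\n",
              "229 Entering Extended Passive Mode (|||51234|)\r\n"]


def data_endpoint(reply, server_addr):
    """Return (addr, port) of the announced data connection, or None."""
    m = PASV_RE.match(reply)
    if m:
        octets = [int(x) for x in m.groups()]
        addr = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Only open a hole to the control peer itself: a reply naming a
        # third-party address is refused (FTP bounce style misuse).
        if max(octets) > 255 or port == 0 or addr != server_addr:
            return None
        return addr, port
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        # EPSV carries no address; the data connection goes to the control
        # peer, so the same logic covers IPv6 without any NAT involved.
        return (server_addr, port) if 0 < port < 65536 else None
    return None


def pinholes(control_lines, client_addr, server_addr):
    """Yield (src, dst, dport) egress permits needed for one control session."""
    for line in control_lines:
        ep = data_endpoint(line.rstrip("\r\n"), server_addr)
        if ep:
            yield (client_addr, ep[0], ep[1])


if __name__ == "__main__":
    print(list(pinholes(V4_SESSION, "192.0.2.10", "198.51.100.7")))
    print(list(pinholes(V6_SESSION, "2001:db8::10", "2001:db8:1::21")))
```

Without such a helper, a static outbound rule set would have to permit every high destination port to make passive FTP work, which is the situation the egress filter exists to avoid.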