From owner-freebsd-current@FreeBSD.ORG Tue Jul 29 13:20:07 2014
Message-Id: <201407291320.s6TDK5ZS005328@slippy.cwsent.com>
From: Cy Schubert
Reply-to: Cy Schubert
To: Kevin Oberman
Cc: Darren Reed, FreeBSD Current
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: Message from Kevin Oberman of "Mon, 28 Jul 2014 15:07:32 -0700."
Date: Tue, 29 Jul 2014 06:20:04 -0700
List-Id: Discussions about the use of FreeBSD-current

In message , Kevin Oberman writes:
> On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed wrote:
>
> > On 27/07/2014 4:43 AM, Cy Schubert wrote:
> > > In message <53D395E4.1070006@fastmail.net>, Darren Reed writes:
> > >> On 24/07/2014 1:42 AM, Cy Schubert wrote:
> > >>>>> But, lack of ipv6 fragment processing still causes ongoing pain. That's our #1 wish list item for the cluster.
> > >>> Taking this discussion slightly sideways but touching on this thread a little, each of our packet filters will need nat66 support too. Pf doesn't support it for sure. I've been told that ipfw may and I suspect ipfilter doesn't as it was on Darren's todo list from 2009.
> > >> ipfilter 5 handles fragments for ipv6.
> > > Switching gears and leaving the discussion of ipv6 fragments to mention nat66. A lot of people have been talking about nat66. I could be wrong but I don't think it can handle nat66. I need to do some testing to verify this. I remember reading on sourceforge that it was on your todo list. It doesn't look like it was checked off as being completed.
> >
> > IPFilter 5 does IPv6 NAT.
> >
> > With the import of 5.1.2, map, rdr and rewrite rules will all work with IPv6 addresses.
> >
> > NAT66 is a specific implementation of IPv6 NAT behaviour.
> >
> > Cheers,
> > Darren
> >
>
> And all IPv6 NAT is evil and should be cast into (demonic residence of your choosing) on sight!
That I don't disagree with; IPv6 NAT makes no logical sense. Having said that, I've received emails asking about NAT66 specifically. It is on people's minds.

> NAT on IPv6 serves no useful purpose at all. It only serves to complicate things and make clueless security officers happy. It adds zero security. It is a great example of people who assume that NAT is a security feature in IPv4 (it's not) so it should also be in IPv6.

Agreed. People think NAT is a security feature (and those same people tout the "security" of reverse proxies too). It's a checkbox item.

> The problem is that this meme is so pervasive that even when people understand that it is bad, they still insist on it because there will be an unchecked box on the security checklist for "All systems not public servers are in RFC1918 space? -- YES NO". The checklist item should be (usually) "All systems behind a stateful firewall with an appropriate rule set? -- YES NO" as it is a stateful firewall (which is mandatory for NAT) that provides all of the security.

Exactly! That's pretty much what people who know better are saying.

> I say "usually" because the major research lab where I worked ran without a firewall (and probably still does) and little, if any, NAT. It was tested regularly by red teams hired by the feds and they never were able to penetrate anything due to a very aggressive IDS/IPS system, but most people and companies should NOT go this route. I have IPv6 at home (Comcast) and my router runs a stateful firewall with a rule set functionally the same as that used for IPv4 and that provides the protection needed.

Not part of this discussion: I think you need both. Firewalls and IPS with IDS. OTOH using NAT as a means of securing a network is illogical.
I worked at one place where they would NAT already NATted packets, themselves having previously been processed by previous NAT, all for the sake of "security", which only terribly broke the network to the point where there were issues too numerous to discuss in a quick reply here.

> So putting support for NAT66 or any IPv6 NAT into a firewall is just making things worse. Please don't do it!

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
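As an added illustration of the point Kevin makes above (this is not code from the thread, nor from IPFilter, pf or ipfw), a toy stateful filter run over constructed IPv6 flows: an inbound packet passes only when it matches state created by permitted outbound traffic, and address rewriting plays no part in that decision. The prefix 2001:db8:1::/64 and all addresses are constructed documentation values.

```python
"""Toy stateful packet filter for IPv6, with no NAT anywhere.

Added example: models the argument that the stateful filter, not
address translation, is what keeps unsolicited inbound traffic out.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

INSIDE = IPv6Network("2001:db8:1::/64")  # constructed "inside" prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving INSIDE, "in" = arriving from outside


class StatefulFilter:
    """Pass outbound traffic from INSIDE and record its 4-tuple; pass
    inbound traffic only if it is the reverse of a recorded tuple."""

    def __init__(self) -> None:
        self.state = set()  # {(src, sport, dst, dport)} for permitted flows

    def decide(self, pkt: Packet) -> str:
        src, dst = IPv6Address(pkt.src), IPv6Address(pkt.dst)
        if pkt.direction == "out":
            if src not in INSIDE:
                return "block"  # not one of ours: anti-spoofing
            self.state.add((src, pkt.sport, dst, pkt.dport))
            return "pass"
        # Inbound: only replies to flows we initiated may pass.
        if (dst, pkt.dport, src, pkt.sport) in self.state:
            return "pass"
        return "block"


def run_trace() -> list:
    """Constructed trace: one outbound HTTPS flow, its reply, a reply to a
    port we never opened, and an unsolicited inbound SSH attempt."""
    fw = StatefulFilter()
    trace = [
        Packet("2001:db8:1::10", 50000, "2001:db8:ffff::53", 443, "out"),
        Packet("2001:db8:ffff::53", 443, "2001:db8:1::10", 50000, "in"),
        Packet("2001:db8:ffff::53", 443, "2001:db8:1::10", 50001, "in"),
        Packet("2001:db8:bad::1", 40000, "2001:db8:1::10", 22, "in"),
    ]
    return [fw.decide(p) for p in trace]  # ['pass', 'pass', 'block', 'block']
```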