Future of pf / firewall in FreeBSD ? - does it have one ?

Mark Martinec Mark.Martinec+freebsd at ijs.si
Mon Jul 28 23:22:01 UTC 2014 

> On Mon, Jul 28, 2014 at 2:41 AM, Darren Reed <darrenr at freebsd.org> 
> wrote:
>> [...]
>> IPFilter 5 does IPv6 NAT.
>> 
>> With the import of 5.1.2, map, rdr and rewrite rules will all work 
>> with
>> IPv6 addresses.
>> 
>> NAT66 is a specific implementation of IPv6 NAT behaviour.

2014-07-29 00:07 Kevin Oberman wrote:
> And all IPv6 NAT is evil and should be cast into (demonic residence of 
> your
> choosing) on sight!
> 
> NAT on IPv6 serves no useful purpose at all. It only serves to 
> complicate
> things and make clueless security officers happy. It adds zero 
> security. It
> is a great example of people who assume that NAT is a security feature 
> in
> IPv4 (it's not) so it should also be in IPv6.
> 
> The problem is that this meme is so pervasive that even when people
> understand that it is bad, they still insist on it because there will 
> be an
> unchecked box on the security checklist for "All systems not pubic 
> servers
> are in RFC1918 space? -- YES   NO". The checklist item should be 
> (usually)
> "All systems behind a stateful firewall with an appropriate rule set? 
> --
> YES  NO" as it is a stateful firewall (which is mandatory for NAT that
> provides all of the security.
> 
> I say "usually" because the major research lab where I worked ran 
> without a
> firewall (and probably still does) and little, if any, NAT. It was 
> tested
> regularly by red teams hired by the feds and they never were able to
> penetrate anything due to a very aggressive IDS/IPS system, but most 
> people
> and companies should NOT go this route. I have IPv6 at home (Comcast) 
> and
> my router runs a stateful firewall with a rule set functionally the 
> same as
> that used for IPv4 and that provides the protection needed.
> 
> So putting support for NAT66 or any IPv6 NAT into a firewall is just 
> making
> things worse. Please don't do it!
> --
> R. Kevin Oberman, Network Engineer, Retired
> E-mail: rkoberman at gmail.com

You are missing the point, we are talking about NAT64 (IPv6-only 
datacenter's
path to a legacy world), and NPT66 (prefix transalation). I doubt anyone 
had
a traditional NAT in mind.

Consider a small site with uplinks to two service providers: it can use 
ULA
internally and translate prefix on each uplink.

Please see these short blogs:

- To ULA or not to ULA, That’s the Question
   
http://blog.ipspace.net/2013/09/to-ula-or-not-to-ula-thats-question.html

- I Say ULA, You Hear NAT
   http://blog.ipspace.net/2014/01/i-say-ula-you-hear-nat.html

- PA, PI or ULA IPv6 Address Space? It depends
   
http://blog.ipspace.net/2014/01/pa-pi-or-ula-ipv6-address-space-it.html

- Source IPv6 Address Selection Saves the Day
   
http://blog.ipspace.net/2014/01/source-ipv6-address-selection-saves-day.html


Mark

More information about the freebsd-current mailing list