Am 31.03.2012 17:37, schrieb Les Mikesell:
On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel lists@eckel-edv.de wrote:
So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.
If the addresses are auto-discovered, how are you supposed to be able to configure filtering rules for what you want to let through?
Same as today: machines which need individual filtering rules need static addresses. That includes all machines which are to accept connections traversing the firewall, but also machines which are permitted to access services that are not generally allowed.
One difference though: machines will typically have more than one IPv6 address, so you may have to somehow make sure that you don't use a different address than the one which is mentioned in the filtering rule. That's no problem for incoming connections. You just have to allow the same addresses in the firewall as you published in DNS. But for outgoing connections (for example, from mail servers) you may have to explicitly specify the source address.