Eric H. Christensen wrote:
> What are you trying to protect yourself from, exactly?
Me? Other than address translation (a necessary evil) I use packet
filters mostly to restrain crazy programs that open listening sockets
for unknown reasons even though I don't use them for any kind of
communication. There was for example some kind of Gnome daemon that
popped up and started listening on an RTSP port just because I was
playing music from the local disk through the local loudspeakers. Such
behaviour is equally crazy on all networks, so I don't need firewall
zones for that.
Better ask those who think they need "home" and "work" zones what
they're trying to achieve.
> This difference may be temporary though. Sooner or later ISPs will be
> forced to start providing IPv6 to customers, and then NAT will no
> longer function as a firewall.
> NAT was never really supposed to be a security feature.
That's not its primary purpose, no, but not having a public IP address
is in practice much like being behind a really zealous firewall that
only allows outgoing connections. People rely on that when they use
naïve protocols at home, for example unencrypted or passwordless file
and printer sharing protocols.
> IPv6 really isn't the problem.
I agree.
> link-layer encryption like WPA2 won't protect anything anymore
> What do you think WPA2 protects against? It has never protected
> against anything but decoding of intercepted packets across the
> wireless link.
As far as I know it's also supposed to prevent active attacks, not just
passive eavesdropping. The underlying assumption is that your local
wired network is protected by a firewall plus physical walls and locked
doors, and that you have something insecure on your network that needs
that protection. Then when you add a wireless link you have to prevent
others from connecting to it and attacking your insecure stuff. That's
what WPA2 is for.
But if your firewall is just a side effect of your NAT, and IPv6 makes
NAT obsolete, then your insecure stuff is no longer protected.
> ...and then
> protocols designed for an isolated friendly network will be equally
> insecure on both wired and wireless networks.
> Then you probably shouldn't be using protocols designed for an
> isolated friendly network. If you do then you probably deserve what
> happens to you as there is rarely such a thing as an "isolated
> friendly network".
And I don't use those protocols, but other people apparently do. Why
else would there be a need for WPA2 or firewall zones?
--
Björn Persson
Sent from my computer.
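The two practical points in this exchange, programs that open listening sockets nobody asked for, and the loss of the "incoming connections just don't arrive" side effect once a host has a public (IPv6) address, can both be checked on a Linux box. The script below is an added example and is not code from either participant or from any Fedora component. It parses the output format of `ss -Hlntup`, classifies each listener as loopback-only or exposed, flags the exposed ones that are not on an allowlist, and renders an nftables input chain that gives the same "replies in, nothing else" behaviour NAT gave for free, on IPv4 and IPv6 alike. The sample `ss` output, the `media-daemon` process name and the port numbers are constructed for the example, not captured from a real system; the allowlist contents are an assumption you would replace with your own.

```python
"""Audit listening sockets and render a default-deny nftables input chain.

Added example. The parser targets the real `ss -Hlntup` column layout
(Netid State Recv-Q Send-Q Local:Port Peer:Port Process), but the sample
text below is constructed, not taken from any real host."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample; "media-daemon" stands in for an unspecified desktop
# daemon that listens on an RTSP port without being asked to.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128      127.0.0.1:631       0.0.0.0:* users:(("cupsd",pid=812,fd=7))
tcp   LISTEN 0 128        0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0 128           [::]:22           [::]:* users:(("sshd",pid=640,fd=4))
tcp   LISTEN 0 5             [::]:8554         [::]:* users:(("media-daemon",pid=2310,fd=12))
tcp   LISTEN 0 128          [::1]:25           [::]:* users:(("master",pid=900,fd=13))
udp   UNCONN 0 0          0.0.0.0:5353      0.0.0.0:* users:(("avahi-daemon",pid=700,fd=12))
udp   UNCONN 0 0      127.0.0.53%lo:53      0.0.0.0:* users:(("systemd-resolve",pid=500,fd=13))
"""

SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\S*\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]*)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    host: str
    port: int
    process: str

    @property
    def scope(self) -> str:
        if self.host in ("::", "0.0.0.0", "*"):
            return "wildcard"   # all addresses; a dual-stack [::] takes IPv4 too
        if self.host == "::1" or self.host.startswith("127."):
            return "loopback"   # only reachable from this host
        return "address"        # one specific, possibly global, address

    @property
    def exposed(self) -> bool:
        # Anything not confined to loopback is reachable from the link, and
        # from the whole internet once the address is public and no filter
        # sits in front of it.
        return self.scope != "loopback"


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -Hlntup` lines into Listener records (unparseable lines are skipped)."""
    found = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")
        if not port.isdigit():
            continue
        host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %scope-id
        found.append(Listener(m.group("proto"), host, int(port), m.group("proc") or "?"))
    return found


def unexpected(listeners: list[Listener], allowed: set[tuple[str, int]]) -> list[Listener]:
    """Exposed listeners whose (proto, port) was not deliberately allowed."""
    return [l for l in listeners if l.exposed and (l.proto, l.port) not in allowed]


def nft_input_chain(allowed: set[tuple[str, int]]) -> str:
    """Render an inet-family nftables input chain: replies to our own outgoing
    traffic get in, unsolicited connections are dropped, except the allowlist.
    ICMPv6 neighbour discovery must stay open or IPv6 breaks on the link."""
    rules = [
        "type filter hook input priority 0; policy drop;",
        "iif lo accept",
        "ct state established,related accept",
        "ct state invalid drop",
        "icmp type echo-request accept",
        "icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept",
    ]
    rules += [f"{proto} dport {port} accept" for proto, port in sorted(allowed)]
    body = "\n".join(f"        {r}" for r in rules)
    return f"table inet filter {{\n    chain input {{\n{body}\n    }}\n}}\n"


def live_listeners() -> list[Listener]:
    """Parse the real `ss` output on a Linux host (needs root to see all process names)."""
    out = subprocess.run(["ss", "-Hlntup"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    allowed = {("tcp", 22)}   # assumption: only ssh is meant to be reachable
    for l in unexpected(parse_ss(SAMPLE_SS_OUTPUT), allowed):
        print(f"exposed: {l.proto}/{l.port} on {l.host} ({l.scope}) by {l.process}")
    print(nft_input_chain(allowed))
```

Run against the sample it reports the RTSP listener and mDNS as exposed and leaves the loopback-bound CUPS, Postfix and resolver sockets alone; replace `parse_ss(SAMPLE_SS_OUTPUT)` with `live_listeners()` to audit a real machine. The rendered chain is what a zone-less "only outgoing" policy looks like when written down: nothing in it depends on the network you are on, which is the point the message makes about firewall zones.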