
JoelC707
Premium
join:2002-07-09
West Point, GA
kudos:5

reply to whfsdude

Re: [IPv6] Seeing two different LAN side ranges

Wait, why do I need an allow all "any any" rule on WAN side? I can't imagine why I would need to fully open up the WAN side like that.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

I don't have any such WAN rule here.



whfsdude
Premium
join:2003-04-05
Washington, DC

reply to JoelC707

said by JoelC707:

Wait, why do I need an allow all "any any" rule on WAN side? I can't imagine why I would need to fully open up the WAN side like that.

FWIW, I lock down my firewall rules via the LAN tab as I have multiple VLANs. In general though, I favor host-based security.

You'll need to create several firewall rules if you don't allow all.

Edited for clarity.

1. You need an ICMP rule (PMTUD needs to work).
2. Optional rules for UDP or TCP depending on any incoming traffic.

JoelC707
Premium
join:2002-07-09
West Point, GA
kudos:5

Ahhh ok, that makes more sense.

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host-based security then that makes more sense. I thought you were saying I needed to open up the network for general browsing over IPv6 to work, but that makes more sense.



whfsdude
Premium
join:2003-04-05
Washington, DC

said by JoelC707:

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host-based security then that makes more sense.

Yeah, when you're dealing with VLANs, you scoot the rules back to the VLAN interfaces (e.g. LAN, Voice) because you don't want traffic passing between the VLANs without rules in place.

For this reason, I've always been taught it's best to put the firewall/ACL as close to the network you want to protect as possible.
