Comments on RevK®'s ramblings: DHCPv6 and CISCO 877W
(Blogger comments feed, updated 2024-03-18; newest comment first)

Peter Bodde, 2012-01-18 00:39 UTC:
This is a new set of configuration. The recent CISCO firmware and IOS upgrades have new configurations trunk lines.
polycom ip 550 (http://www.ravon.net/content/ravon-equipment/polycom/polycom-ip-550)

Derek Fawcus, 2011-01-29 22:03 UTC:
Hmm.

I've currently got an 827, which I hope to replace with an 877 (non W) soon. But I'm not sure if this would actually be classed as a bug. I can see a way to argue it as such, and a way to argue it as not. i.e. the issue would seem to revolve around the question of if the firewall should act as configured, or if a pinhole should be automatically added.

However I use manual config (not DHCP), since I can't see any way to delegate a /48 and then sensibly allocate it amongst the various internal subnets. But then, I have to admit to not investigating all of the command possibilities. I guess one could come up with some means of indicating 'append this to the delegated prefix'. i.e. I've thought of prefix delegation as particularly useless except for the /64 scenario.

I also run my ADSL router as a non firewall one, my firewall being at a subsequent router.

I guess for the Firewall (cbac) case, one might have to add a pinhole to its associated input ACL specifically for a reply to the originating port (and possibly address).

RevK, 2011-01-29 21:39 UTC:
In the same way as DHCP (IPv4) works, the request is to a general address, and the reply from the specific machine that replies. So no, session tracking does not work. It makes it very hard to firewall, if not impossible.

All the more reason for it to be at the PPP layer.

Anonymous, 2011-01-29 21:37 UTC:
The only reason I didn't hit that is because the box I was running on is a simple router which runs nothing normally, hence no actual firewall.

Of course if the reply could come from a different machine entirely you *can't* firewall it, and you're also somewhat open to external attack (although whether anyone could achieve anything more useful than a DoS that way is doubtful).

RevK, 2011-01-29 21:30 UTC:
It is the reply, from a different IP and possibly even a different port, which does not get past the firewall.

Derek Fawcus, 2011-01-29 21:28 UTC:
Firewall? Which version? Which commands?

AFAICR ACLs do not affect router originated packets. Maybe it's rx packets being affected.
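To illustrate the point RevK makes in this thread, that a DHCPv6 Advertise comes back from a server address (and port) other than the multicast destination the Solicit was sent to, so a session-tracking firewall never sees a matching reverse tuple, here is an added Python model; it is not code from the blog or from Cisco IOS. The link-local addresses fe80::1 and fe80::2 and the 2001:db8:: control case are constructed, and the "pinhole" rule is the approach Derek Fawcus suggests, matching the reply to the originating client port and address rather than to the server's address.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address

# DHCPv6 well-known values (RFC 8415): a client sends from UDP 546 to the
# link-scoped All_DHCP_Relay_Agents_and_Servers group ff02::1:2 on UDP 547.
ALL_DHCP_SERVERS = IPv6Address("ff02::1:2")
CLIENT_PORT, SERVER_PORT = 546, 547

@dataclass(frozen=True)
class Flow:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int

class StatefulFirewall:
    """Toy model of a session-tracking UDP firewall (CBAC-style)."""
    def __init__(self) -> None:
        self.expected: set[Flow] = set()   # reverse tuples expected inbound

    def outbound(self, f: Flow) -> None:
        self.expected.add(Flow(f.dst, f.dport, f.src, f.sport))

    def inbound_strict(self, f: Flow) -> bool:
        # Pure session tracking: the reply must mirror the request exactly.
        return f in self.expected

    def inbound_with_pinhole(self, f: Flow) -> bool:
        # Pinhole: a reply to the originating client address/port from server
        # port 547 is allowed even though the server's address was unknown.
        return f in self.expected or any(
            e.src == ALL_DHCP_SERVERS and e.dst == f.dst
            and (e.sport, e.dport) == (f.sport, f.dport) == (SERVER_PORT, CLIENT_PORT)
            for e in self.expected)

def dhcpv6_reply_passes(pinhole: bool) -> bool:
    """Constructed exchange: Solicit to multicast, Advertise from a unicast server."""
    fw = StatefulFirewall()
    client, server = IPv6Address("fe80::1"), IPv6Address("fe80::2")  # constructed
    fw.outbound(Flow(client, CLIENT_PORT, ALL_DHCP_SERVERS, SERVER_PORT))
    advertise = Flow(server, SERVER_PORT, client, CLIENT_PORT)
    return fw.inbound_with_pinhole(advertise) if pinhole else fw.inbound_strict(advertise)

def unicast_reply_passes() -> bool:
    """Control case: a normal unicast UDP reply mirrors the request, so tracking works."""
    fw = StatefulFirewall()
    client, dns = IPv6Address("2001:db8::1"), IPv6Address("2001:db8::53")  # constructed
    fw.outbound(Flow(client, 40000, dns, 53))
    return fw.inbound_strict(Flow(dns, 53, client, 40000))
```

Strict tracking drops the Advertise while the ordinary unicast reply passes; the pinhole lets the Advertise through, at the cost of accepting any on-link host that answers on port 547, which is the exposure Anonymous notes above.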