Comments
It's probably a generational thing but I think it's a complete waste of time to make a stubborn a-hole understand that they are wrong/partially wrong even after 10s of people decide to make them understand that they are wrong/partially wrong, but they don't care about it and still try to keep a hold of their argument, knowing that it will soon die out.
IMO, OP just wants to ignite some people on kerosene, maybe it's fun to him, who knows.
Perhaps, but my fun is probably greater.
Y'all still at it? Have a meme break.
It is still worthy of some extra BilohBucks, all these threads always end up the same way. I should make a collection of them at some point.
You do realize that what you just said, every word of it, I could say about you as well?
I am trying hard to "discuss" the topic, and I've met every argument you have ever made. However, you simply disregard everything I say with references to "ad hominem" while in the same sentence calling everyone who disagrees with you a refugee from a mental asylum, calling the whole idea a brainfart and basically just all out behaving like you are the only one that understands anything and you are smarter than everyone else in the world. And you think you are the one subjected to ad hominem?
You are a first grade asshole (that is a fact not even open for discussion) but I usually ignore this because I know that's just the way you are. But when you refuse to discuss something based on the premise that other people do exactly what you repeatedly do, then it takes away a lot of the respect I have for you.
I do not dislike, detest or hate you - and you know that. I have made this perfectly clear in a lot of threads as well as in pm. I usually agree with a lot of things you say, and I am not ashamed to say that I have learned a lot by reading your posts. Even when I do not agree with them they often make me think and re-evaluate my own opinion, which is something I think is extremely healthy and something some people really should be doing more often. hint
However in this particular subject you seem to be completely lost in some inexplicable hate against ipv6. Basically the only argument you still throw around is that there are too many addresses. But why an abundance of addresses is such an absolutely unacceptable problem is not something you've been able to explain. To use your analogy with giving 40 tons of food to a starving person, who in their sane mind would think that is a problem and rather let the person starve? Especially since the food is free, takes no room to store, never goes bad and can be used whenever you want. It would solve world hunger but you think it's bad because it's "too much". We are of course not talking about world hunger here, but we have a solution that would solve addressing every device for probably the rest of time, but you refuse because it's "too much". And no, the 128-bit addresses are not a problem for today's hardware, the effect is so minuscule it is not even noticeable. And I know that for a fact, I manage tier 1 ipv6 routers for a living and not even once in the history of ipv6 have I heard anyone besides you even bring that up as a theoretical problem. As a real problem it simply does not exist, as evident by the whole world already running ipv6 without a single report of it being a problem.
The only argument I am willing to give some sort of credibility to is that the addresses are harder to memorize. That is true, they are, there is no denying that. But I will never accept that we should refuse a solution just because the addresses are harder to memorize when 99.9999% of all users never memorize a single address anyway. And to be honest, if you actually have to memorize ip addresses to make your network work you are stuck in 1999 anyway and your opinion is irrelevant.
@rcy026
I believe you that what you just said reflects your perception of this, let's call it conversation.
But while I could clearly demonstrate that your perception, I'll word that very peacefully, is not fully correct, I'm simply not interested in this discussion anymore.
Let me put it like this: Both of us likely would profit from some "cooling down" before discussing this topic again and regarding many others they clearly showed that they are not capable of a sensible discussion of a matter that very clearly is emotionally loaded.
Finally, thank you for - unlike quite a few here - showing some human and intellectual decency and giving me a chance to keep my respect for you alive.
Yeah. From an outsider view, there's barely any practical info here.
While I make sure my cluster has IPv6 to keep up with the times, looking at the guide on LET with Proxmox and IPv6 it seems more hassle than it's worth. I'll still definitely try it out soon.
Don't get me wrong, iptables is still weird but it does not require that much work. Can't it be that I install 1 package that recognizes my IPv6 range(s) from /interfaces and routes VMs' and containers' assigned IPs automatically?
Correct me if I'm wrong but 2 IPv6 can tunnel to each other by passing everything so it's recommended by firewall guides that internally it should all be IPv4? Some guide on how to masquerade v4 internally to v6 externally would be nice.
In case one assigns containers and/or VMs their own IPv6s, is there an effective way to sync all the firewalls or make sure the host firewall processes everything, somehow? I mean a VPS/Dedi is assigned a range, someone with bad intentions will definitely be hitting the entire range, so a synced ban list should be better, right?
If you are referring to my guide, then that is written for the braindead OVH setup where they allocate you a /64 but let you use only a /128 at a time. That is one of the workarounds for that limitation; normally any container with an IPv6 should be bridged to vmbr0 and be able to get out on the internet.
There is NAT64 and 1:1 NAT for v6, however you don't need that for a simple firewalling purpose. NAT is NOT a firewall; it is a workaround for IPv4 depletion and has some limitations regarding connectivity which block many kinds of connections, but that does not mean it is a firewall, just like disconnecting from the internet is not a firewall either.
I would argue NAT is better than a firewall at being a firewall - it is impossible to fuck up for a networking noob due to being opt-out protection rather than opt-in. Sure, firewalls can be opt-out as well, but if they break or are misconfigured they don't blow up loudly and cut all connectivity.
(Fwiw I’m pro v6 and would not use NAT with it, just observing that it does not give me the warm fuzzy feeling of safety that v4 NAT does)
It depends on what kind of firewall we are talking about here.
A "real" ng firewall does things like protocol inspection, enforces ssl, authenticates users, proxies traffic through av and malware detection, runs IDS/IPS etc etc. There is no way a simple NAT can compete with that.
For a home user that is not even aware that his $25 plastic box runs something called NAT, then yeah, you could argue that NAT is just as good as a firewall. But the limitation is in the user, not the product.
NAT is a firewall in the same way that building a brick wall across your drive stops someone stealing your car.
Oh. My bad, I completely missed the purpose of your guide. I'll test bridged v6.
The point is, from a layman point of view, for the purpose of safeguarding my containers, NAT works great! Every exposed traffic is deliberately added and I can only blame myself.
If both sides could duke it out about firewall Best Practice™ and pro/con of both would be wonderful!
Edit: My main concern with IPv6 everything would be security so can you guys point me to some resources?
So, the solution for idiots not to poison themselves by injecting bleach is to stop using bleach outside professional cleaners and revert to soap because it is less poisonous.
You are actually describing a firewall. A firewall should always run as default to deny, unless traffic is deliberately added to an allow list it should be denied.
Just run your firewall to allow outgoing traffic and deny all incoming traffic and you have the same "protection" as with NAT. Then add some protocol inspection and start filtering outgoing traffic as well and you have much better protection.
And as someone already pointed out, exposing ports you are not running anything on is not a risk in itself. What you need to worry about is the traffic coming in on ports where you actually have services listening, and that's where things like protocol inspection, IDS and IPS help.
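The default-deny-in / allow-out posture described in this post, and the earlier question about the host firewall covering bridged guests, as an added nftables ruleset that is not from the thread: the bridge name vmbr0 is taken from the thread, while the guest prefix 2001:db8:abcd::/64 and the exposed guest address are documentation placeholders.

```nft
#!/usr/sbin/nft -f
# Constructed example: IPv6-aware default-deny host firewall (not from the thread).
# Assumptions: guests are bridged on vmbr0 and live in 2001:db8:abcd::/64 (placeholder).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # deny by default

        iif "lo" accept
        ct state vmap { established : accept, related : accept, invalid : drop }

        # ICMPv6 is not optional on IPv6: neighbor discovery, router advertisements
        # and path-MTU discovery all ride on it. Blocking it breaks v6 "mysteriously".
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Every exposed host service is an explicit entry (the "opt-in" the thread wants).
        # Anything not listed here falls through to the drop policy.
        tcp dport 22 accept comment "ssh to the host"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Guests may reach out; only replies come back in, which is what NAT gives you.
        # Bridged guest traffic only passes this hook when bridge netfilter is on
        # (sysctl net.bridge.bridge-nf-call-ip6tables=1).
        ct state vmap { established : accept, related : accept, invalid : drop }
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        iif "vmbr0" ip6 saddr 2001:db8:abcd::/64 accept   # outbound from guest prefix

        # Deliberately exposed guest services, one line per decision you can blame on yourself:
        ip6 daddr 2001:db8:abcd::80 tcp dport { 80, 443 } accept comment "web guest"
    }

    chain output {
        type filter hook output priority 0; policy accept;   # outgoing allowed, as in the post
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`; the forward chain is where the per-guest exposure decisions live, so the host sees and filters guest traffic without each container needing its own firewall state.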