by hansel_der 1755 days ago
> it'll be slightly less messy because you just configure firewall rules per IPv6 address instead of translating the limited port space of your one external IPv4 address into a number of internal Port/IPv4 combinations. So the chance to screw up is lessened.

As mentioned, with IPv6 you now have to care/worry about multiple classes of numbers, so I'd argue that because the number space is increased, so is the chance to screw up.

I grew up with Windows 3.x computers having a public IP and no firewall, and as nice as incoming connections by default are for an enthusiast, they are an unnecessary danger for the masses.

As you said, hole-punching works on IPv6 as well and has to be initiated from the inside, so it's no argument for .

I do not know what you mean by "multiple classes of numbers".

A firewall must block everything by default.

You add then exceptions for the protocols, hosts and ports that you want to allow.

Regardless of whether you use IPv4 or IPv6, you have the same number of protocols, hosts and ports for which you must add rules.

The only disadvantage of IPv6 is that you should be more careful when you copy and paste the host addresses into rules, because the IPv6 addresses are longer and it might be more difficult to notice typing errors in them.

On the other hand, you no longer need to add NAT rules.

I was referring to the multiple classes of IPv6 addresses. Most ppl don't care about a clever numbering scheme and probably wouldn't if they understood.

Does the firewall discard extension headers from the internets? What about relevant ICMP?

Public/private interface? Ah right, can't tell from a look at the address...

NAT rules are very simple by comparison.

Don't get me wrong; I am very happy with adopting an incompatible, new internet protocol for all the app- and smart-shit.
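The default-deny policy the second commenter describes, with the extension-header and ICMPv6 exceptions the reply asks about, written out as an nftables ruleset. This is an added, constructed example from neither commenter; the admin prefix 2001:db8:1::/64 and the ssh port are placeholder assumptions.

```nft
# Constructed example: default-deny inbound IPv6 with only the exceptions a
# host actually needs. 2001:db8:1::/64 is a documentation-prefix placeholder
# standing in for "the admin network".
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;   # block everything by default

        iif "lo" accept                                    # loopback
        ct state established,related accept                # replies to our own outbound traffic
        ct state invalid drop

        # Extension-header hygiene: this host never needs a routing header or
        # hop-by-hop options from the outside, so drop packets carrying them.
        exthdr rt exists drop
        exthdr hbh exists drop

        # ICMPv6 is not optional on IPv6: path MTU discovery, neighbour
        # discovery and router advertisements break without these types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/10 accept
        icmpv6 type echo-request limit rate 10/second accept

        # A per-host exception in place of a NAT port mapping:
        # ssh only from the (assumed) admin prefix.
        ip6 saddr 2001:db8:1::/64 tcp dport 22 accept

        # Log a sample of everything else before the chain policy drops it,
        # so a typo in one of the addresses above shows up in the logs.
        limit rate 5/minute log prefix "ip6 input drop: "
    }
}
```

Load it with `nft -f` and check `nft list ruleset`; the neighbour-discovery rule is restricted to link-local sources because that is the only place those messages legitimately come from.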