On Fri, Apr 18, 2014 at 10:49 PM, Jim Clausing <jim.clausing@acm.org> wrote:
And maybe I'm just dense, but no one has been able to tell me how I accomplish this in IPv6 without NAT: I have the requirement in certain circumstances to transparently redirect all outbound DNS (well, on TCP or UDP port 53) and/or SMTP (TCP ports 25 and 587) to my own servers. No, simply blocking it at the firewall and making the user "fix" the problem is not an option (especially when the problem is created by malware). It is a simple rule in IPTABLES for IPv4, but how do I accomplish it in IPv6? Not flaming or anything, but I really want to know how I'm supposed to accomplish that in the ideal IPv6 world with no NAT?
Nothing stops you from using NAT :) This discussion got a bit off track. I'm not saying NAT should be banned completely, I'm saying that with IPv6 we can actually simplify things a lot and get rid of all the hacks we had to do in the network to get services up and running (e.g. using a firewall's public IP address to hide several distinct services behind it on different hosts, like web, dns, smtp etc). I believe in simplicity, and now IPv6 for me makes things simple: I can have all the IP addresses I want and do not need to use hacks to get things working, because no one would give 2048 IPv4 addresses just to do stuff with them and run lots of servers with "public" IP addresses.
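For readers who want to see both messages in rules: the script below is an added example, not code from either poster. It generates the ip6tables rules that do what Jim asks for (transparent DNAT of outbound tcp/udp 53 and tcp 25/587 arriving on the LAN interface to your own servers, exactly the nat-table trick used on IPv4) and, for contrast, the single filter rule that publishes an IPv6 server without any NAT, which is the reply's point. The interface name eth1 and the addresses 2001:db8:1::53 and 2001:db8:1::25 are hypothetical placeholders from the documentation prefix. The IPv6 nat table needs Linux 3.7 or newer and a matching iptables; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Transparent redirection of
# outbound DNS (tcp/udp 53) and SMTP (tcp 25, 587) on IPv6 with ip6tables,
# plus the no-NAT way of publishing a server. Rules are printed by default
# and executed (as root) only when APPLY=1.
# Hypothetical values: LAN interface eth1, resolver 2001:db8:1::53,
# mail relay 2001:db8:1::25 (documentation prefix, not real hosts).

LAN_IF="${LAN_IF:-eth1}"
DNS6="${DNS6:-2001:db8:1::53}"
SMTP6="${SMTP6:-2001:db8:1::25}"

# One DNAT rule for traffic arriving on the LAN interface.
# $1 = protocol, $2 = destination port, $3 = our server, $4 = its port.
# "! -d $3" leaves traffic already aimed at our server alone, so it is
# neither rewritten twice nor logged as a hijack.
dnat_rule() {
    printf 'ip6tables -t nat -A PREROUTING -i %s -p %s --dport %s ! -d %s -j DNAT --to-destination [%s]:%s\n' \
        "$LAN_IF" "$1" "$2" "$3" "$3" "$4"
}

# Log each connection that is hijacked. nat PREROUTING only sees the first
# packet of a flow, so this is one line per connection, and the source
# address tells you which host is running the malware worth chasing.
log_rule() {
    printf 'ip6tables -t nat -A PREROUTING -i %s -p %s --dport %s ! -d %s -j LOG --log-prefix "ip6-redirect-%s: "\n' \
        "$LAN_IF" "$1" "$2" "$3" "$1$2"
}

# Let the rewritten packets through the filter table on their way to the
# server. Replies are un-NATed by conntrack, so the server's answers must
# route back through this box.
forward_rule() {
    printf 'ip6tables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
        "$LAN_IF" "$1" "$2" "$3"
}

# The redirect Jim asks about: DNS over UDP and TCP, SMTP on 25 and 587.
redirect_rules() {
    for spec in "udp 53 $DNS6" "tcp 53 $DNS6" "tcp 25 $SMTP6" "tcp 587 $SMTP6"; do
        set -- $spec
        log_rule "$1" "$2" "$3"
        dnat_rule "$1" "$2" "$3" "$2"
        forward_rule "$3" "$1" "$2"
    done
}

# The reply's point: publishing a service on IPv6 needs no nat entry at all,
# only a filter rule that lets new connections reach the host's own global
# address. $1 = server address, $2 = protocol, $3 = port.
inbound_rule() {
    printf 'ip6tables -A FORWARD -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2" "$3"
}

if [ "${APPLY:-0}" = 1 ]; then
    redirect_rules | sh -e
    inbound_rule "$SMTP6" tcp 25 | sh -e
else
    redirect_rules
    inbound_rule "$SMTP6" tcp 25
fi
```

If the resolver or relay runs on the firewall itself, `-j REDIRECT --to-ports 53` (also available in the IPv6 nat table) replaces the DNAT line and rewrites to the address of the interface the packet came in on. With nftables the same thing is a `dnat to [2001:db8:1::53]:53` statement in an `ip6 nat` prerouting chain. Either way, the rules only catch the four ports listed; the point of the example is that the mechanism Jim relies on in IPv4 exists unchanged in IPv6, and that NAT stays an opt-in tool rather than the thing every inbound service has to pass through.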