From owner-freebsd-current@FreeBSD.ORG Mon Apr 15 10:44:31 2013
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id A5AD16AD; Mon, 15 Apr 2013 10:44:31 +0000 (UTC) (envelope-from lev@FreeBSD.org)
Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 6AC7B2FC; Mon, 15 Apr 2013 10:44:31 +0000 (UTC)
Received: from lion.home.serebryakov.spb.ru (unknown [IPv6:2001:470:923f:1:d051:3b46:4a53:4fdc]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id 0A63A4AC57; Mon, 15 Apr 2013 14:44:29 +0400 (MSK)
Date: Mon, 15 Apr 2013 14:44:28 +0400
From: Lev Serebryakov <lev@FreeBSD.org>
Organization: FreeBSD Project
Message-ID: <621849003.20130415144428@serebryakov.spb.ru>
To: Kimmo Paasiala
Cc: Mark Martinec, freebsd-net@freebsd.org, current@freebsd.org
Subject: Re: ipfilter(4) needs maintainer
In-Reply-To:
References: <20130411201805.GD76816@FreeBSD.org> <20130414160648.GD96431@in-addr.com> <36562.1365960622.5652758659450863616@ffe10.ukr.net> <201304150025.07337.Mark.Martinec+freebsd@ijs.si> <951943801.20130415141536@serebryakov.spb.ru> <195468703.20130415143237@serebryakov.spb.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Reply-To: lev@FreeBSD.org
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 15 Apr 2013 10:44:31 -0000

Hello, Kimmo.

You wrote on 15 April 2013, 14:36:27:

>> And, yes, NAT64 will be useful for sure, but it is another story,
>> not IPv6<->IPv6 translation.

KP> You're forgetting set ups where outgoing traffic is controlled by
KP> filter rules, outgoing passive mode ftp needs help from the proxy to
KP> open holes for arbitrary ports. This is not limited to IPv4 and NAT.

It could be done without IPv6 prefix mapping. Yes, the firewall should have the ability to expect some connections from FTP commands (some flag on the rule, for sure), but it is not prefix rewriting (there are some other protocols which need similar treatment, like SIP)!

I was shocked by the idea of true NAT from IPv6 to IPv6. IPv6 has its own problems and complications, but one REALLY GOOD side of it is that we don't need NAT for it anymore! Some special tricks in the firewall -- yes, maybe, for badly designed but widely deployed application-level protocols, but not address translation!

I, personally, don't see any problem with enabling all outbound connections for a dedicated FTP server, though.

--
// Black Lion AKA Lev Serebryakov
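The "expect a connection from FTP commands" mechanism both sides of this exchange are talking about, shown as an added example that is not code from the thread, from ipfilter(4) or from any FreeBSD firewall. It does the two things a stateful FTP helper needs: parse the server's passive-mode reply (227 PASV on IPv4, 229 EPSV on IPv6 per RFC 2428) to learn which data connection the client is about to open, and install a one-shot expectation that lets exactly that connection through without a static rule. The addresses, ports and reply strings below are constructed sample data. The EPSV case is the point of the argument: the reply carries only a port, the address is simply the control-channel peer, so nothing needs to be rewritten; the PASV case also refuses a reply that names a host other than the server, a hardening step (classic "FTP bounce" abuse of helpers) that is my addition, not something the thread describes.

```python
import ipaddress
import re

# Constructed sample control-channel replies (not taken from the original thread).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)."
EPSV_REPLY = "229 Entering Extended Passive Mode (|||49181|)"

# 227 <text> (h1,h2,h3,h4,p1,p2)   -- RFC 959 PASV reply
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 <text> (|||port|)             -- RFC 2428 EPSV reply, port only
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d{1,5})\|\)")


def expected_data_connection(reply, server_ip):
    """Return (dst_ip, dst_port) the client will connect to next, or None.

    This is what an FTP helper in a stateful firewall derives from the
    server's passive-mode reply so it can pre-authorise the data connection.
    """
    server = str(ipaddress.ip_address(server_ip))

    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            return None
        # EPSV names no address: the data connection goes to the same peer as
        # the control connection, so on IPv6 there is nothing to translate.
        return (server, port)

    m = PASV_RE.match(reply)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        ip = ".".join(str(f) for f in fields[:4])
        port = fields[4] * 256 + fields[5]
        if port == 0:
            return None
        # Hardening (my assumption, not from the thread): only open a hole
        # towards the server we are already talking to, never towards a third
        # host named in the reply.
        if ip != server:
            return None
        return (ip, port)

    return None


class ExpectTable:
    """One-shot expectations, keyed by (client, server, port), that a firewall
    consults when it sees a new outbound SYN."""

    def __init__(self):
        self._pending = set()

    def learn_from_reply(self, client_ip, server_ip, reply):
        target = expected_data_connection(reply, server_ip)
        if target is None:
            return False
        self._pending.add((str(ipaddress.ip_address(client_ip)),) + target)
        return True

    def permits(self, src_ip, dst_ip, dst_port):
        key = (str(ipaddress.ip_address(src_ip)),
               str(ipaddress.ip_address(dst_ip)), dst_port)
        if key in self._pending:
            self._pending.discard(key)  # each expectation admits one connection
            return True
        return False


if __name__ == "__main__":
    table = ExpectTable()
    table.learn_from_reply("2001:db8::1", "2001:db8::10", EPSV_REPLY)
    print(table.permits("2001:db8::1", "2001:db8::10", 49181))  # first SYN: allowed
    print(table.permits("2001:db8::1", "2001:db8::10", 49181))  # replay: denied
```

A real helper also needs a timeout on each pending entry and must only parse replies on connections it has already classified as FTP control channels; both are omitted here to keep the mechanism visible.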