From: Dave Taht
To: Outback Dingo
Cc: codel@lists.bufferbloat.net, Sebastian Moeller, cerowrt-devel@lists.bufferbloat.net, bloat
Date: Wed, 16 May 2012 10:52:16 -0700
Subject: Re: [Codel] [Cerowrt-devel] preliminary codel and fq_codel support for cerowrt
References: <6F884B65-4388-4655-8B03-4B7936ABCDE0@gmx.de> <4FB3DF2D.3070109@gmail.com>

The problem with most home router firewalls today is that they have a strict "us" vs "them" concept in them, and are closely tied to what can be NATed, or not, which limits our internet to tcp and udp. Recently the concept of 'guest' has been added to many devices, which doesn't work particularly well.

A problem with "us vs them", and extending this sort of thinking to ipv6, is that interesting new protocols such as sctp, hip, rdp, dccp, rsvp, esp, gre, ah, skip, ospf, vrrp, isis, manet, shim6, wesp, and rohc... are all blocked by default in ipv6, too. It doesn't need to be this way.

I have hated living in a world of purely tcp on port 80 and 443. Seeing udp begin to fail in multiple respects - such as dns, dhcp, voice, etc. - really bothers me.

So cerowall attempted (I've never finished it) to use pattern matching in iptables, and device renaming, to make it possible to have a nearly default free zone (DFZ) for guests, and use a bare minimum of rules, to pass through... and the core idea was also to be able to pass ALL protocols everywhere, under ipv6.

The current openwrt firewall solution scales O(n) where n = the number of interfaces; the cerowall idea scales O(n) where n = the number of different zones.

Firewalling is responsible for a minimum of 11% of the current runtime, with the current firewall rules, with 6 interfaces in play. CeroWall did a lot better, while opening up new vistas to play in.

-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
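The zone-by-name idea in the message above, as an added illustration written for this page (not cerowall's, CeroWrt's or OpenWrt's own code): devices are renamed so that the zone is the first two characters of the interface name, and the iptables/ip6tables `+` prefix wildcard (`-i se+` matches every interface whose name starts with `se`) then lets one FORWARD rule cover a whole zone. The device names, the two-letter zone prefixes (se, sw, gw, ge) and the forwarding policy are constructed assumptions; the script prints the commands it would apply instead of executing them, so it can be run anywhere to compare the per-interface and per-zone rule counts for the same policy.

```shell
#!/bin/sh
# Added illustration of the cerowall idea: encode the zone in the interface
# name (device renaming), then let the iptables "+" prefix wildcard match a
# whole zone at once. Not cerowall's or OpenWrt's code. Device names, zone
# prefixes and the forwarding policy below are constructed for this example;
# commands are printed rather than executed, so it runs anywhere.

IPT="ip6tables"   # the tool whose invocations are printed (never run here)

# Constructed rename table: "kernel-name zone-name", one pair per line.
# Zone prefixes (assumed): se = secure wired, sw = secure wireless,
# gw = guest wireless, ge = WAN / "world".
IFACES="eth0 se00
eth1 se01
wlan0 sw00
wlan1 gw00
wlan2 gw01
eth2 ge00"

# Constructed forwarding policy: "from-zone to-zone" pairs allowed to forward.
# Deliberately no "-p tcp" / "-p udp" match: every IP protocol is carried.
POLICY="se ge
sw ge
gw ge
se sw
sw se"

# Step 1: rename devices so the zone is the first two characters of the name.
rename_cmds() {
    printf '%s\n' "$IFACES" | while read -r kern zone; do
        printf 'ip link set dev %s name %s\n' "$kern" "$zone"
    done
}

# Distinct zones, derived from the renamed devices (strip the two-digit index).
zones() {
    printf '%s\n' "$IFACES" | while read -r _ zone; do
        printf '%s\n' "${zone%??}"
    done | sort -u
}

# Per-interface approach: the same policy expanded to one FORWARD rule per
# (source device, destination device) pair. Grows with the device count.
per_interface_rules() {
    printf '%s\n' "$POLICY" | while read -r from to; do
        printf '%s\n' "$IFACES" | while read -r _ a; do
            case "$a" in "$from"*) ;; *) continue ;; esac
            printf '%s\n' "$IFACES" | while read -r _ b; do
                case "$b" in "$to"*) ;; *) continue ;; esac
                printf '%s -A FORWARD -i %s -o %s -j ACCEPT\n' "$IPT" "$a" "$b"
            done
        done
    done
}

# Zone approach: "se+" matches every interface whose name starts with "se",
# so one rule per policy line covers every device in both zones. Grows only
# with the number of zone pairs in the policy, not with the device count.
zone_rules() {
    printf '%s\n' "$POLICY" | while read -r from to; do
        printf '%s -A FORWARD -i %s+ -o %s+ -j ACCEPT\n' "$IPT" "$from" "$to"
    done
}

# Rules common to both approaches: drop whatever no zone rule allowed, and
# accept return traffic for tracked flows ahead of the zone rules.
base_rules() {
    printf '%s -P FORWARD DROP\n' "$IPT"
    printf '%s -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
}

# Stand-alone run: print both rule sets with their sizes for comparison.
show() {
    echo "# renames"; rename_cmds
    echo "# zones: $(zones | tr '\n' ' ')"
    echo "# per-interface: $(per_interface_rules | wc -l | tr -d ' ') rules"
    per_interface_rules
    echo "# per-zone: $(zone_rules | wc -l | tr -d ' ') rules"
    zone_rules
    base_rules
}

show
```

With the constructed six devices in four zones, the five-line policy expands to 9 per-interface rules but stays at 5 per-zone rules; adding a seventh device to an existing zone changes only the first number. Because neither rule set matches on `-p`, sctp, dccp and the other protocols listed in the message pass between permitted zones just as tcp and udp do.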