Roses are red, violets are blue, everyone is using IPv6, why aren't you? - eviltoast
  • orangeboats@lemmy.world
    5 months ago

    The word you are looking for is firewall not NAT.

    NAT does not provide security whatsoever. If the NAT mapped your (internal IP, internal port) to a certain (external IP, external port) and you do not have a firewall enabled, everyone can reach your device by simply connecting to that (external IP, external port).

    I haven’t seen routers that do not come with IPv6 firewalls enabled by default.

    • umbrella@lemmy.ml
      5 months ago

      everyone can reach your device by simply connecting to that (external IP, external port)

      To be fair, that’s the setup most people run when they open ports.

    • Avatar_of_Self@lemmy.world
      5 months ago

      The word you are looking for is firewall not NAT.

      No, the word I’m looking for is the NAT. It was not designed for security but coincidentally it is doing the heavy lifting for home network security because it is dropping packets from connections originating from outside the network, barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

      Consumer router firewalls are generally trash, certainly aren’t layer 7 firewalls protecting from all the SMB, printer, AD, etc etc vulnerabilities and definitely are not doing the heavy lifting.

      By and large automated attacks are not thwarted by the firewall but by the one-way NAT.

      • orangeboats@lemmy.world
        5 months ago

        Consumer router firewalls are generally trash

        [Citation needed]

        They are literally piggybacking on the netfilter module of Linux. I don’t see how that’s trash.

        • Avatar_of_Self@lemmy.world
          5 months ago

          They are not layer 7 firewalls for the network which are going to be where the majority of attacks are concentrated. No citation needed unless you believe they are layer 7 firewalls or using something like Snort.

          Added some clarification in my first sentence so it makes a bit of sense.

            • Avatar_of_Self@lemmy.world
              5 months ago

              Because, as I said:

              layer 7 firewalls for the network which are going to be where the majority of attacks are concentrated.

              The NAT doesn’t have to operate at layer 7 to be effective for this because

              coincidentally it is doing the heavy lifting for home network security because it is dropping packets from connections originating from outside the network, barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

              The point is that the SPI firewalls are not protecting against the majority of the attacks we’ve seen for decades now from botnets and other arbitrary sources of attacks, except, perhaps, targeted DDoSing, which isn’t the big problem for most home networks. They must worry about having their OSes and software exploited and owned in the background, which doesn’t get much of an assist from a router’s firewall.

              Obviously, this is, however, true for the NAT, since the NAT is going to drop connections originating from outside the network attempting to communicate with that software to exploit it

              barring of course, forwarded ports and DMZ hosts because the router has no idea where to route them.

              • orangeboats@lemmy.world
                5 months ago

                How is this “dropping packets” not applicable to firewalls, then? You are not just going to casually connect to my IPv6 device as we’re speaking. The default-deny firewall in my router does the heavy lifting… just like what NAT did.

                Honestly, it just sounds like you need to brush up on networking knowledge. Repeat after me: NAT is not security.

                • Avatar_of_Self@lemmy.world
                  5 months ago

                  Are you saying that everyone’s router’s firewall drops all packets from connections that originate from outside of their network?
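
What the "default-deny firewall" discussed in this thread looks like as an nftables ruleset on a netfilter-based router, with no NAT rule involved. This is an added example, not a configuration posted by any participant; the table name, the interface names `lan0` and `wan0`, and the documentation address are assumptions.

```nft
# Added example: stateful default-deny forwarding for a routed IPv6 LAN.
# "home_fw", "lan0" and "wan0" are assumed names; adjust to the router.

table inet home_fw {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to flows a LAN host opened. "related" also covers
        # ICMPv6 errors (e.g. packet-too-big) tied to a tracked flow.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections towards the internet.
        iifname "lan0" oifname "wan0" ct state new accept

        # The IPv6 counterpart of a "forwarded port": one explicit
        # inbound exception. 2001:db8:1::10 is a placeholder from the
        # documentation prefix. Left commented out on purpose.
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 ct state new accept

        # New connections arriving from the WAN match nothing above.
        # Count them before dropping so unsolicited inbound attempts
        # show up in "nft list ruleset".
        iifname "wan0" counter drop
    }
}
```

The drop decision here comes from connection tracking and the chain policy, so it applies to globally routable IPv6 addresses exactly as it does to traffic behind NAT44.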