|
| ▲ | RiverCrochet 10 hours ago | parent | next [-] |
| - Did you disable UPnP on your router? If not, any device behind the router can simply ask the router to open a port, typically without authentication, bypassing this "firewall" completely. - TURN and STUN trivially bypass this side-effect, and a side effect of that is a third party has to often be involved, which can be collecting data later leaked or used against you. - The monstrosity of NAT is that it's the core thing that drives centralization - because of NAT any two Internet hosts generally have to involve a third party to communicate, a third party which again, can be collecting data later leaked or used against you. If you don't care about the security implications of the above, then you don't really care about the "firewall" either. |
| |
| ▲ | dist-epoch 7 hours ago | parent | next [-] | | That third party involved is my ISP which will see the packets anyway, even if NAT is not used. And the attacks you mentioned are initiated from the inside. Not what I stated, that NAT is a sort of a firewall for incoming connections. | |
| ▲ | cyberax 9 hours ago | parent | prev [-] | | I've yet to see UPnP work... | | |
| ▲ | RiverCrochet 5 hours ago | parent [-] | | I was surprised as well as it's something I turn off on devices I control and I haven't really assumed it was a thing. But recently at a friends house I decided to install upnpc on my Linux laptop and give this a try: | upnpc -a 192.x.x.x 8080 80 tcp And to my surprise it just worked. This friend just upgraded to fiber and had just received a new router. |
|
|
|
| ▲ | ianburrell 11 hours ago | parent | prev | next [-] |
| IPv6 routers use a stateful firewall just like NAT includes. Just without the problems of NAT. |
| |
| ▲ | simoncion 10 hours ago | parent [-] | | As a bonus, because most (nearly all?) SOHO IPv6 routers are Linux under the hood, they are also capable of IPv6 NAT. | | |
| ▲ | MaKey 9 hours ago | parent [-] | | I doubt that most consumer routers expose this functionality. IPv6 NAT is rarely needed and should be avoided. Interestingly enough I stumbled upon a use case today. No IPv6 connectivity at my office but at my dad's house. Since a WireGuard tunnel is layer 3 I can't use router advertisements and the prefix is dynamic, so private IPv6 addresses and NAT66 it is. It was an exercise out of curiosity though, route64.org works much better for IPv6 connectivity. |
|
|
|
| ▲ | shmerl 12 hours ago | parent | prev | next [-] |
| No, it does not. Always use a firewall if you need a firewall. NAT is not a replacement for it. |
|
| ▲ | megous 5 hours ago | parent | prev | next [-] |
| You just have outbound NAT enabled, so that your internal nodes can access the internet, no mapping to any internal nodes is set from the outside and no firewall. (just NAT alone) So all packets to your router's address will terminate at the router. Right? OK, let's say I send a packet to your router's external interface with destination IP set to internal address of one of nodes in your network. Will it reach your internal host? Will I get a response? ;-) I hope you now appreciate how NAT is not a firewall at all. |
|
| ▲ | 9rx 11 hours ago | parent | prev [-] |
| NAT has the side-effect of working as a shower curtain. It will mostly keep light drops of water out, but will not stand up to a fire. |
