| > the NAT-by-default of IPv4 IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP. That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients. But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall. |
| |
| ▲ | johnmaguire 7 hours ago | parent [-] | | NAT is not a firewall: all it does is rewrite packets, it does not drop them. | | |
| ▲ | tyingq an hour ago | parent | next [-] | | You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall. | |
| ▲ | jonathanlydall 7 hours ago | parent | prev [-] | | The article actually remarks on this kind of argument. While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which even if not “perfect”, it has indisputably
proven to be quite effective against a lot of malicious activity. Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors. Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats. | | |
| ▲ | johnmaguire 6 hours ago | parent [-] | | > Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors. Maybe, maybe not, but regardless 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically, is enabled for IPv4 networks.) That is to say, while most home routers support NATs, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing and we need to stop conflating them because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall. | | |
| ▲ | cyberax 6 hours ago | parent [-] | | This is BS. "Default deny" or "default accept" makes no practical difference with NAT. You can leave the "default accept" rule with NAT and you'll be perfectly fine except in some weird edge cases. That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink. Both cases require a very dedicated attacker. | | |
| ▲ | johnmaguire 6 hours ago | parent [-] | | A default deny firewall is a good idea to protect services everywhere in your network, including those which run on the router itself (e.g. many routers run a local DNS server.) Without NAT, packets are not dropped, they simply do not have their destination rewritten to another device on the network. The traffic is still destined for the router and will be processed by it. This is why routers ship with a default-deny firewall rule. NAT is not a firewall. It is address translation. It will not drop packets. | | |
| ▲ | cyberax 3 hours ago | parent [-] | | Sure, a default deny is a good idea. However, it's not _critical_. If you forget to enforce it on your NAT router, you'll be fine. And if you are behind a CGNAT, it's even safer. In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network. > NAT is not a firewall. It is address translation. It will not drop packets. Yes, it is a firewall because it enables the address space isolation. |
|
|
|
|
|
|
